diff --git a/.semaphore/push_images.yml b/.semaphore/push_images.yml
index 7299c93cae..1585906e3a 100644
--- a/.semaphore/push_images.yml
+++ b/.semaphore/push_images.yml
@@ -54,14 +54,3 @@ blocks:
         - name: Build
           commands:
             - make cd CONFIRM=true;
-            - make maybe-build-release;
-
-promotions:
-  - name: Clean Up
-    pipeline_file: clean_up.yml
-    # Auto promote to clean up since this likely wasn't promoted from the CI pipeline (since we only promote to the
-    # clean up pipeline if we're not running on master or a release branch).
-    # We only auto promote if the cd has passed, because if it's failed we'll likely just want to run CD again, but if
-    # we've cleared the cache it will take a long time.
-    auto_promote:
-      when: "result = 'passed'"
diff --git a/.semaphore/release.yml b/.semaphore/release.yml
new file mode 100644
index 0000000000..2b95461e7e
--- /dev/null
+++ b/.semaphore/release.yml
@@ -0,0 +1,71 @@
+version: v1.0
+name: Operator CD
+agent:
+  machine:
+    type: f1-standard-2
+    os_image: ubuntu2004
+global_job_config:
+  secrets:
+    - name: docker-hub
+    - name: oss-release-secrets
+    # Mount the github SSH secret for pulling private repositories.
+    - name: private-repo
+  prologue:
+    commands:
+      - echo $DOCKERHUB_PASSWORD | docker login --username "$DOCKERHUB_USERNAME" --password-stdin
+      # Correct permissions since they are too open by default:
+      - chmod 0600 ~/.keys/*
+      # Add the key to the ssh agent:
+      - ssh-add ~/.keys/*
+      # Free up some space
+      - sudo rm -rf ~/.kiex ~/.phpbrew ~/.rbenv ~/.nvm ~/.kerl
+      # Semaphore mounts a copy-on-write FS as /var/lib/docker in order to provide a pre-loaded cache of
+      # some images. However, the cache is not useful to us and the copy-on-write FS is a big problem given
+      # how much we churn docker containers during testing.  Disable it.
+      - sudo systemctl stop docker
+      - sudo umount /var/lib/docker && sudo killall qemu-nbd || true
+      - sudo systemctl start docker
+      - checkout
+      # Restore all the build specific caches
+      - "cache restore bin-amd64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-pkg-cache-amd64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-mod-cache-amd64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore bin-arm64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-pkg-cache-arm64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-mod-cache-arm64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore bin-ppc64le-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-pkg-cache-ppc64le-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-mod-cache-ppc64le-${SEMAPHORE_GIT_SHA}"
+      - "cache restore bin-s390x-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-pkg-cache-s390x-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-mod-cache-s390x-${SEMAPHORE_GIT_SHA}"
+
+blocks:
+  - name: Release
+    run:
+      when: "tag =~ '^v'"
+    task:
+      secrets:
+        - name: quay-robot-semaphore_v2
+        - name: operator-redhat-connect
+      prologue:
+        commands:
+          - docker login -u="$QUAY_USERNAME" -p="$QUAY_TOKEN" quay.io;
+          - export BRANCH_NAME=$SEMAPHORE_GIT_BRANCH
+      jobs:
+        - name: Publish Release
+          commands:
+            - make release-tag RELEASE_TAG=${SEMAPHORE_GIT_RELEASE_TAG}
+          env_vars:
+            - name: CONFIRM
+              value: "true"
+
+promotions:
+  - name: Clean Up
+    pipeline_file: clean_up.yml
+    # Auto promote to clean up since this likely wasn't promoted from the CI pipeline (since we only promote to the
+    # clean up pipeline if we're not running on master or a release branch).
+    # We only auto promote if the cd has passed, because if it's failed we'll likely just want to run CD again, but if
+    # we've cleared the cache it will take a long time.
+    auto_promote:
+      when: "result = 'passed'"
diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
index ecdda64dc4..e2999902d7 100644
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -56,8 +56,17 @@ blocks:
             # reset so it looks like we haven't committed yet
             - git reset --soft $(git merge-base $SEMAPHORE_GIT_BRANCH HEAD)
             - make pre-commit
-  - name: 'Build amd64'
-    dependencies: ["Pre-commit verification"]
+  # Clear the cache before starting the build
+  # This is to ensure we clean up cache from previous runs.
+  - name: Clear Entire Cache
+    dependencies: []
+    task:
+      jobs:
+        - name: Clear Entire Cache
+          commands:
+            - "cache clear"
+  - name: "Build amd64"
+    dependencies: ["Pre-commit verification", "Clear Entire Cache"]
     task:
       jobs:
         - name: Build amd64
diff --git a/Makefile b/Makefile
index 6f1c3124fe..19e65d47a2 100644
--- a/Makefile
+++ b/Makefile
@@ -501,9 +501,15 @@ endif
 ###############################################################################
 # Release
 ###############################################################################
-## Determines if we are on a tag and if so builds a release.
-maybe-build-release:
-	./hack/maybe-build-release.sh
+VERSION_REGEX := ^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*)?(\+[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*)?$$
+release-tag: var-require-all-RELEASE_TAG-GITHUB_TOKEN
+	$(eval VALID_TAG := $(shell echo $(RELEASE_TAG) | grep -Eq "$(VERSION_REGEX)" && echo true))
+	$(if $(VALID_TAG),,$(error $(RELEASE_TAG) is not a valid version. Please use a version in the format vX.Y.Z))
+	$(MAKE) release release-publish-images VERSION=$(RELEASE_TAG)
+# Only create a release if the tag is vX.Y.Z
+	$(eval GITHUB_RELEASE := $(shell echo $(RELEASE_TAG) | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+$$' && echo true))
+	$(if $(GITHUB_RELEASE), $(MAKE) release-github VERSION=$(RELEASE_TAG))
+
 
 release-notes: var-require-all-VERSION-GITHUB_TOKEN clean
 	@docker build -t tigera/release-notes -f build/Dockerfile.release-notes .
diff --git a/hack/maybe-build-release.sh b/hack/maybe-build-release.sh
deleted file mode 100755
index 9568a995d1..0000000000
--- a/hack/maybe-build-release.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-set -e
-
-if ! tag=$(git describe --exact-match --tags HEAD); then
-	echo "Not on a tag - no need to release";
-	exit 0
-fi
-
-if [[ ! "${tag}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-	echo "tag ${tag} does not match the format vX.Y.Z"
-	exit 1
-fi
-
-if [[ ! "$(git rev-parse --abbrev-ref HEAD)" =~ (release-v*.*|master) ]]; then
-	echo "not on 'master' or 'release-vX.Y'"
-	exit 0
-fi
-
-# Skip releasing if the image already exists. No guarantee that a tagged build will only be run once. We want the build to
-# pass in the case where the image exists.
-if ! make release-check-image-exists VERSION=${tag}; then
-	echo "Image tag already exists, no need to release"
-	exit 0
-fi
-
-echo "On a git tag - building release: ${tag}"
-make release VERSION=${tag}
-
-echo "Publish release ${tag}"
-make release-publish-images VERSION=${tag}
-
-echo "Create ${tag} release on GitHub"
-make release-github VERSION=${tag}