diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml index d3fc842..bc58f61 100644 --- a/.github/workflows/release-branches.yml +++ b/.github/workflows/release-branches.yml @@ -31,4 +31,4 @@ jobs: run: | BRANCH="branch_${{ github.ref_name }}" GIT_ISH="$GITHUB_SHA" - ./upload_s3.sh "$BRANCH" "$GIT_ISH" + ./upload_s3.sh "$BRANCH" "$GIT_ISH" "https://install.determinate.systems/nix/rev/$GIT_ISH" diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index 9c14fb8..88a75f1 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml @@ -34,4 +34,4 @@ jobs: run: | PR="pr_${{ github.event.pull_request.number }}" GIT_ISH="${{ github.event.pull_request.head.sha }}" - ./upload_s3.sh "$PR" "$GIT_ISH" + ./upload_s3.sh "$PR" "$GIT_ISH" "https://install.determinate.systems/nix/rev/$GIT_ISH" diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml index e55de53..9ea43cd 100644 --- a/.github/workflows/release-tags.yml +++ b/.github/workflows/release-tags.yml @@ -19,9 +19,6 @@ jobs: with: buildkite_token: ${{ secrets.BUILDKITE_TOKEN }} output_path: artifacts - - name: Fixup URL in nix-installer.sh - run: | - sed -i "s@https://install.determinate.systems/nix@https://install.determinate.systems/nix/tag/$GITHUB_REF_NAME@" nix-installer.sh - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: @@ -31,7 +28,7 @@ jobs: env: AWS_BUCKET: ${{ secrets.AWS_S3_UPLOAD_BUCKET }} run: | - ./upload_s3.sh "$GITHUB_REF_NAME" "$GITHUB_SHA" + ./upload_s3.sh "$GITHUB_REF_NAME" "$GITHUB_SHA" "https://install.determinate.systems/nix/tag/$GITHUB_REF_NAME" - name: Publish Release to GitHub (Tag) uses: softprops/action-gh-release@v1 with: diff --git a/upload_s3.sh b/upload_s3.sh index 21342c0..f7045b7 100755 --- a/upload_s3.sh +++ b/upload_s3.sh 
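Review bot: In release-branches.yml the context line `BRANCH="branch_${{ github.ref_name }}"` pastes the branch name into the script text before the shell parses it, so a branch name containing quotes or command-substitution syntax would be executed as part of this step. The step presumably runs with the AWS upload credentials, as the one in release-tags.yml does. Reading the value from the runner-provided environment variable avoids this: `BRANCH="branch_$GITHUB_REF_NAME"`, the form release-tags.yml already uses. The new third argument is built from `$GIT_ISH` at shell level and is fine as written; release-prs.yml interpolates only a PR number and a head SHA, which are not free-form text. The `run:` step begins outside the hunk.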
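Review bot: In the second release-tags.yml hunk the tag name is passed to upload_s3.sh with no check on its characters, both as `DEST` and inside the new third argument. There it becomes the replacement half of `sed -i "s@…@$DEST_INSTALL_URL@"`, the `mkdir "$DEST"` directory and the S3 key prefix. A tag containing `@`, `&` or `/` would respectively break the sed expression, splice the matched URL back into the replacement, or make `mkdir` fail, and the output is the installer script published for that release. A guard before the upload, such as `case "$GITHUB_REF_NAME" in *[!A-Za-z0-9._-]*) echo "unexpected tag name" >&2; exit 1;; esac`, keeps the tag to characters that are safe in all three places. The rest of the job definition lies outside the hunk.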
@@ -2,37 +2,70 @@ set -eu DEST="$1" GIT_ISH="$2" +DEST_INSTALL_URL="$3" + +is_tag() { + if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then + return 0 + else + return 1 + fi +} # If the revision directory has already been created in S3 somehow, we don't want to reupload if aws s3 ls "$AWS_BUCKET"/"$GIT_ISH"/; then - echo "Revision $GIT_ISH was already uploaded; exiting" - exit 1 + # Only exit if it's not a tag (since we're tagging a commit previously pushed to main) + if ! is_tag; then + echo "Revision $GIT_ISH was already uploaded; exiting" + exit 1 + fi fi sudo chown $USER: -R artifacts/ +mkdir "$DEST" mkdir "$GIT_ISH" -sed -i "s@https://install.determinate.systems/nix@https://install.determinate.systems/nix/rev/$GIT_ISH@" nix-installer.sh +cp nix-installer.sh "$DEST"/ cp nix-installer.sh "$GIT_ISH"/ for artifact in $(find artifacts/ -type f); do chmod +x "$artifact" + cp "$artifact" "$DEST"/ cp "$artifact" "$GIT_ISH"/ done +sed -i "s@https://install.determinate.systems/nix@$DEST_INSTALL_URL@" "$DEST/nix-installer.sh" +sed -i "s@https://install.determinate.systems/nix@https://install.determinate.systems/nix/rev/$GIT_ISH@" "$GIT_ISH/nix-installer.sh" + +if is_tag; then + cp "$DEST/nix-installer.sh" ./nix-installer.sh +fi + # If any artifact already exists in S3 and the hash is the same, we don't want to reupload -for file in $(find "$GIT_ISH" -type f); do - artifact_path="$DEST"/"$(basename "$artifact")" - md5="$(md5sum "$artifact" | cut -d' ' -f1)" - obj="$(aws s3api head-object --bucket "$AWS_BUCKET" --key "$artifact_path" || echo '{}')" - obj_md5="$(jq -r .ETag <<<"$obj" | jq -r)" # head-object call returns ETag quoted, so `jq -r` again to unquote it +check_reupload() { + dest="$1" - if [[ "$md5" == "$obj_md5" ]]; then - echo "Artifact $artifact was already uploaded; exiting" - exit 0 - fi -done + for file in $(find "$dest" -type f); do + artifact_path="$dest"/"$(basename "$artifact")" + md5="$(md5sum "$artifact" | cut -d' ' -f1)" + obj="$(aws s3api head-object --bucket 
"$AWS_BUCKET" --key "$artifact_path" || echo '{}')" + obj_md5="$(jq -r .ETag <<<"$obj" | jq -r)" # head-object call returns ETag quoted, so `jq -r` again to unquote it -aws s3 sync "$GIT_ISH"/ s3://"$AWS_BUCKET"/"$GIT_ISH"/ --acl public-read -aws s3 sync s3://"$AWS_BUCKET"/"$GIT_ISH"/ s3://"$AWS_BUCKET"/"$DEST"/ --acl public-read + if [[ "$md5" == "$obj_md5" ]]; then + echo "Artifact $artifact was already uploaded; exiting" + # If we already uploaded to a tag, that's probably bad + is_tag && exit 1 || exit 0 + fi + done +} + +check_reupload "$DEST" +if ! is_tag; then + check_reupload "$GIT_ISH" +fi + +aws s3 sync "$DEST"/ s3://"$AWS_BUCKET"/"$DEST"/ --acl public-read +if ! is_tag; then + aws s3 sync "$GIT_ISH"/ s3://"$AWS_BUCKET"/"$GIT_ISH"/ --acl public-read +fi
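Review bot: `check_reupload` iterates `for file in $(find "$dest" -type f)` but its body still reads `$artifact`, which by then holds the last value left over from the earlier copy loop, so every iteration checks the same file and the others are never compared. Inside the loop it should be `artifact_path="$dest/$(basename "$file")"` and `md5="$(md5sum "$file" | cut -d' ' -f1)"`. For tags this check is the only guard left now that the early `exit 1` is skipped, and it fires only when the hashes are equal. An object already published under the tag prefix with different content would therefore be overwritten by `aws s3 sync`; failing whenever `head-object` finds the key on a tag build would keep published releases immutable. The ETag comparison also assumes single-part uploads, since multipart ETags are not plain MD5 digests.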