diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index f1b2f47..4d82b78 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -13,6 +13,15 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
+
+ ### Set variables for the given component.
+ ### See https://github.com/pulumi-pequod/pequod-policies/shared-github-actions/action.yml for the full list of supported inputs.
+ env:
+ # Need to manage the list of component types that this component repo provides.
+ # FUTURE HOPE: Deduce this by parsing the component code or, better yet, be able to get this
+ # via a Pulumi Cloud API after publishing.
+ COMPONENT_TYPES: '["cloudfront-s3-cdk:index:CloudFrontS3"]'
+ PULUMI_ORG: 'pequod' # The Pulumi organization to publish the component to.
 steps:
 - name: Checkout repository
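Review bot: The `### See https://github.com/pulumi-pequod/pequod-policies/shared-github-actions/action.yml` pointer in the new env comment may reference a different location than the action this job later invokes (`shared-github-actions/component-version-policy-config`), so a reader following it for the list of supported inputs could land on the wrong file; confirm the path and, if the inputs live in the subdirectory's `action.yml`, update the link. The `###` prefix is also a style departure from the single `# ` used for every other comment in the file, and `# ` is what yamllint's comments rule expects. The enclosing job definition starts above this hunk and its `steps:` list continues below it.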
@@ -20,22 +29,43 @@ jobs:
 with:
 ref: ${{ github.ref }} # Checkout the specific tag that triggered the workflow
 fetch-depth: 0 # Ensures the build matches the git tag.
-
+
 - name: Authenticate to Pulumi
 uses: pulumi/auth-actions@v1
 with:
- organization: pequod
+ organization: ${{ env.PULUMI_ORG }}
 requested-token-type: urn:pulumi:token-type:access_token:organization
+ scope: admin
+
+ # Determine the version to use - either the triggered tag or latest tag for manual runs
+ - name: Determine Component Version
+ id: version
+ run: |
+ if [[ "${{ github.event_name }}" == "push" ]]; then
+ # For tag pushes, use the tag that triggered the workflow
+ VERSION="${{ github.ref_name }}"
+ echo "Using triggered tag: $VERSION"
+ else
+ # For manual runs, get the latest tag
+ VERSION=$(git tag --sort=-version:refname | head -1)
+ echo "Manual run: Using latest tag: $VERSION"
+ fi
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+
 # Publish if this is a tag push.
 - name: Publish Component to Pulumi Org
 if: github.event_name == 'push'
 run: |
- echo "Publishing latest component version to the pequod Pulumi org."
- pulumi package publish https://github.com/${{ github.repository }} --publisher pequod
+ echo "Publishing latest component version to the ${{ env.PULUMI_ORG }} Pulumi org."
+ pulumi package publish https://github.com/${{ github.repository }} --publisher ${{ env.PULUMI_ORG }}
+
+ # Update the policy config with the new component version regardless of if this is
+ # a triggered or manual run.
+ # Uses composite action in the pequod-policies repository to update the policy config.
+ - name: Update Policy Config
+ uses: pulumi-pequod/pequod-policies/shared-github-actions/component-version-policy-config@main
+ with:
+ pulumi_org: ${{ env.PULUMI_ORG }}
+ component_types: ${{ env.COMPONENT_TYPES }}
+ component_version: ${{ steps.version.outputs.version }}
-
- - name: Manual run - Skip publishing
- if: github.event_name == 'workflow_dispatch'
- run: |
- echo "This is a manual workflow run."
- echo "Skipping component publishing to prevent accidental releases."
- echo "To publish, push a new tag instead of running manually."
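Review bot: The new `scope: admin` on the Authenticate step widens the organization token beyond what `pulumi package publish` appears to need, and the same job now runs a composite action on a mutable ref, `component-version-policy-config@main`, so any later change to that branch runs in this job with whatever credentials the auth step exports (presumably the Pulumi token; confirm); pin the action to a full commit SHA, e.g. `uses: pulumi-pequod/pequod-policies/shared-github-actions/component-version-policy-config@<full-commit-sha> # main as of <date>`, and either drop `scope: admin` or add a comment naming which operation in the policy-config action requires it. In the Determine Component Version step, `VERSION="${{ github.ref_name }}"` expands the ref name directly into the shell script; the usual hardening is to route it through an environment variable, `env: { REF_NAME: "${{ github.ref_name }}" }` on the step and `VERSION="$REF_NAME"` in the script, since ref names are not guaranteed to be free of shell metacharacters. The manual-run branch also produces an empty VERSION when the checkout has no tags, which then reaches `component_version` unchecked; adding `[[ -n "$VERSION" ]] || { echo "No version tag found" >&2; exit 1; }` after the `fi` fails the job explicitly instead. Publishing itself remains gated by `if: github.event_name == 'push'`, so removing the Manual-run step only drops its explanatory message; the `steps:` list this hunk edits begins outside it.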