diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b683bb4b..5d5fc0fa 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -79,7 +79,7 @@ jobs:
       minor: ${{ steps.release.outputs.minor }}
       patch: ${{ steps.release.outputs.patch }}
     permissions:
-      contents: read
+      contents: write
     steps:
       - name: Generate GitHub App Token
         id: app-token
@@ -96,6 +96,34 @@ jobs:
           config-file: release-please-config.json
           manifest-file: .release-please-manifest.json
 
+      # Bridge: GitHub does not create git tags for draft releases, but
+      # release-please needs the tag to anchor version calculations for
+      # subsequent release PRs. Without it, release-please scans the full
+      # commit history, may find an old breaking change, and proposes a
+      # wrong major bump. The force-tag-creation config option (release-please
+      # v17.2.0+) would handle this natively, but v4.4.0 of the action
+      # bundles v17.1.3. Remove this step once the action upgrades past
+      # v17.2.0. See: https://github.com/googleapis/release-please/pull/2423
+      - name: Create git tag for draft release
+        if: ${{ steps.release.outputs.release_created == 'true' }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          TAG="${{ steps.release.outputs.tag_name }}"
+          echo "Creating tag $TAG at ${{ github.sha }}"
+          if ! OUTPUT=$(gh api "repos/${{ github.repository }}/git/refs" \
+            --method POST \
+            -f ref="refs/tags/$TAG" \
+            -f sha="${{ github.sha }}" 2>&1); then
+            if echo "$OUTPUT" | grep -qi "Reference already exists"; then
+              echo "::warning::Tag $TAG already exists, skipping"
+            else
+              echo "::error::Failed to create tag $TAG"
+              echo "$OUTPUT" >&2
+              exit 1
+            fi
+          fi
+
   extension-package-release:
     name: Package VS Code Extensions (Release)
     needs: [release-please]
diff --git a/package-lock.json b/package-lock.json
index 539ac7c9..a4cb1f24 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2142,9 +2142,9 @@
       }
     },
     "node_modules/markdown-it": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
-      "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
+      "version": "14.1.1",
+      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.1.tgz",
+      "integrity": "sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/package.json b/package.json
index ab5d7f22..03090e55 100644
--- a/package.json
+++ b/package.json
@@ -34,6 +34,7 @@
     "markdownlint-cli2": "^0.20.0"
   },
   "overrides": {
+    "markdown-it": "14.1.1",
     "undici": "7.18.2"
   },
   "repository": {
diff --git a/release-please-config.json b/release-please-config.json
index 7ccd1668..cf1d013c 100644
--- a/release-please-config.json
+++ b/release-please-config.json
@@ -1,5 +1,6 @@
 {
   "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "draft": true,
   "release-search-depth": 800,
   "commit-search-depth": 1000,
   "force-tag-creation": true,