Config with always-run workflow doesn't allow job to filter to tags

I have a config.yml with “setup: true” and an always-run workflow. While I am using path-filtering in the config, I’m also trying to run a job when a tag is pushed. I have what seems to be an appropriate filter on the job, but the job never runs when a tag is pushed. I’ll paste my config.yml below. The job I would like to run when a tag is pushed is publish-sdk.

version: 2.1
orbs:
  node: circleci/node@5.0.0
  aws-cli: circleci/aws-cli@2.0
  aws-s3: circleci/aws-s3@3.0
  cloudfront: topmonks/aws-cloudfront@1.0.0
  path-filtering: circleci/path-filtering@0.1.1

# this allows you to use CircleCI's dynamic configuration feature
setup: true

defaults: &defaults
  docker:
    - image: "cimg/node:17.5.0"

jobs:
  publish-sdk:
    <<: *defaults
    steps:
      - checkout
      - aws-cli/setup:
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-region: AWS_DEFAULT_REGION
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
      - run:
          command: npm run co:login
      - node/install-packages
      - run:
          name: Set up npm authentication
          command: echo "//registry.npmjs.org/:_authToken=$NPM_ACCESS_TOKEN" > ~/.npmrc
      - run:
          name: Publish to npm
          command: npm publish -w packages/sdk
  playwright:
    docker:
      - image: mcr.microsoft.com/playwright:v1.23.1-focal
    environment:
      NODE_ENV: development
    steps:
      - checkout
      - run:
          name: Install unzip
          command: apt-get update && apt-get install -y zip
      - aws-cli/setup:
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-region: AWS_DEFAULT_REGION
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
      - run:
          command: npm run co:login
      - node/install-packages
      - run:
          name: Run Playwright (E2E) Tests
          command: npm run test:all-browsers
      - store_artifacts:
          path: test-results

  vitest:
    <<: *defaults
    environment:
      NODE_ENV: development
    steps:
      - checkout
      - aws-cli/setup:
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-region: AWS_DEFAULT_REGION
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
      - run:
          command: npm run co:login
      - node/install-packages
      - run:
          name: Run Unit Tests
          command: npm run test:unit
      - store_artifacts:
          path: test-results

workflows:
    # the always-run workflow is always triggered, regardless of the pipeline parameters.
  always-run:
    jobs:
      - playwright:
          name: Playwright tests
          context:
            - taxbit-private-packages
      - vitest:
          name: Unit tests
          context:
            - taxbit-private-packages
      - publish-sdk:
          name: Publish npm package
          context:
            - r2d2
            - taxbit-public-packages
            - taxbit-private-packages
          requires:
            - Playwright tests
            - Unit tests
          filters:
            branches:
              ignore: /.*/
            tags:
              only: /^v.*/
      # the path-filtering/filter job determines which pipeline
      # parameters to update.
      - path-filtering/filter:
          name: Check updated files
          requires:
            - Playwright tests
            - Unit tests
          # 3-column, whitespace-delimited mapping. One mapping per
          # line:
          # <regex path-to-test> <parameter-to-set> <value-of-pipeline-parameter>
          mapping: |
            packages/tax-documentation-ui/.* ui-files-changed true
            packages/demos/.* demos-files-changed true
            packages/sdk/.* sdk-files-changed true
          base-revision: master
          # this is the path of the configuration we should trigger once
          # path filtering and pipeline parameter value updates are
          # complete. In this case, we are using the parent dynamic
          # configuration itself.
          config-path: .circleci/continue_config.yml

Here’s my continue_config.yml, which doesn’t really have anything to do with the publish-sdk job, but may be helpful anyway:

version: 2.1
orbs:
  node: circleci/node@5.0.0
  aws-cli: circleci/aws-cli@2.0
  aws-s3: circleci/aws-s3@3.0
  cloudfront: topmonks/aws-cloudfront@1.0.0

parameters:
  ui-files-changed:
    type: boolean
    default: false
  demos-files-changed:
    type: boolean
    default: false
  sdk-files-changed:
    type: boolean
    default: false

defaults: &defaults
  docker:
    - image: "cimg/node:17.5.0"

jobs:
  build-ui:
    <<: *defaults
    steps:
      - checkout
      - aws-cli/setup:
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-region: AWS_DEFAULT_REGION
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
      - run:
          command: npm run co:login
      - node/install-packages
      - run:
          command: npm run build -w packages/tax-documentation-ui
      - persist_to_workspace:
          root: .
          paths:
            - packages/tax-documentation-ui/dist
  publish-ui:
    <<: *defaults
    # To speed up the build process
    resource_class: large
    steps:
      - attach_workspace:
          at: .
      - aws-s3/sync:
          from: ./packages/tax-documentation-ui/dist
          to: "s3://${S3_BUCKET}/taxbit-browser/ui/forms/tax-documentation"
          aws-region: AWS_DEFAULT_REGION
      - cloudfront/invalidate:
          distribution_id: $DISTRIBUTION_ID
          paths: "/taxbit-browser/ui/forms/tax-documentation/index.html"
          aws-region: AWS_DEFAULT_REGION
  build-demos:
    <<: *defaults
    steps:
      - checkout
      - aws-cli/setup:
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-region: AWS_DEFAULT_REGION
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
      - run:
          command: npm run co:login
      - node/install-packages
      - run:
          command: npm run build -w packages/demos
      - persist_to_workspace:
          root: .
          paths:
            - packages/demos/dist
  publish-demos:
    <<: *defaults
    # To speed up the build process
    resource_class: large
    steps:
      - attach_workspace:
          at: .
      - aws-s3/sync:
          from: ./packages/demos/dist
          to: "s3://${S3_BUCKET}/taxbit-browser/demos"
          aws-region: AWS_DEFAULT_REGION
      - cloudfront/invalidate:
          distribution_id: $DISTRIBUTION_ID
          paths: "/taxbit-browser/demos/index.html"
          aws-region: AWS_DEFAULT_REGION

workflows:
  release-ui-to-prod:
    when:
      condition:
        # Because the demos use the SDK (specifically, the SDK that's in the repo and not on npm),
        # we want to re-build and re-publish the demos any time the SDK changes.
        or: [ << pipeline.parameters.demos-files-changed >>, << pipeline.parameters.sdk-files-changed >> ]
    jobs:
      - build-ui:
          name: Build UI
          filters:
            branches:
              only: master
          context:
            - taxbit-private-packages
      - publish-ui:
          name: Publish UI files
          requires:
            - Build UI
          context:
            - aws-taxbit-prod
  release-demos-to-prod:
    when:
      condition:
        # Because the demos use the SDK (specifically, the SDK that's in the repo and not on npm),
        # we want to re-build and re-publish the demos any time the SDK changes.
        or: [ << pipeline.parameters.demos-files-changed >>, << pipeline.parameters.sdk-files-changed >> ]
    jobs:
      - build-demos:
          name: Build Demos
          filters:
            branches:
              only: master
          context:
            - taxbit-private-packages
      - publish-demos:
          name: Publish Demos files
          requires:
            - Build Demos
          context:
            - aws-taxbit-prod

When I push a new tag and a commit that changes a file in packages/sdk, here’s what I see:

Notice that CircleCI sees the new tax, but doesn’t run the publish-sdk job. Am I missing something or is this a bug? Thanks!