diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go
index 42a38c3d6..c958d4f5a 100644
--- a/verifiers/internal/gha/builder.go
+++ b/verifiers/internal/gha/builder.go
@@ -157,6 +157,7 @@ func isTrustedDelegatorBuilder(certBuilder *utils.TrustedBuilderID, trustedBuild
 }
 
 // Only allow `@refs/heads/main` for the builder and the e2e tests that need to work at HEAD.
+// This includes the delegator workflows referenced by the TRWs.
 // This lets us use the pre-build builder binary generated during release (release happen at main).
 // For other projects, we only allow semantic versions that map to a release.
 func verifyTrustedBuilderRef(id *WorkflowIdentity, ref string) error {
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index 21797b6eb..35baacbd8 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -396,6 +396,10 @@ func VerifyTag(prov iface.Provenance, expectedTag string) error {
 	}
 
 	tag, err := utils.TagFromGitRef(ref)
+	if tag == "" {
+		return fmt.Errorf("verifying tag: %w: no tag found in provenance", serrors.ErrorMismatchTag)
+	}
+
 	if err != nil {
 		return fmt.Errorf("verifying tag: %w", err)
 	}
@@ -419,6 +423,10 @@ func VerifyVersionedTag(prov iface.Provenance, expectedTag string) error {
 		return err
 	}
 
+	if ref == "" {
+		return fmt.Errorf("verifying tag: %w: no tag found in provenance", serrors.ErrorMismatchVersionedTag)
+	}
+
 	tag, err := utils.TagFromGitRef(ref)
 	if err != nil {
 		return fmt.Errorf("verifying tag: %w", err)
diff --git a/verifiers/utils/builder.go b/verifiers/utils/builder.go
index 9978d0523..45f72acb7 100644
--- a/verifiers/utils/builder.go
+++ b/verifiers/utils/builder.go
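Review bot: In VerifyTag the new `if tag == ""` guard runs before the `err != nil` check on the following line, so when utils.TagFromGitRef fails and returns an empty tag the caller gets serrors.ErrorMismatchTag instead of the underlying ref-parsing error, which both hides the real cause and changes which sentinel callers match with errors.Is. Move the guard below the existing error check: keep `if err != nil { return fmt.Errorf("verifying tag: %w", err) }` first, then `if tag == "" { return fmt.Errorf("verifying tag: %w: no tag found in provenance", serrors.ErrorMismatchTag) }`. The VerifyVersionedTag hunk instead guards `ref == ""` before calling TagFromGitRef rather than checking the parsed tag, so a ref that parses to an empty tag is rejected there only if TagFromGitRef itself reports it (not visible here); checking `tag == ""` after the error check in both functions would keep the two verifiers consistent. Both function bodies continue outside the hunks.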
@@ -132,7 +132,11 @@ func IsValidBuilderTag(ref string, testing bool) error {
 	if testing {
 		// Tags on trusted repositories should be a valid semver with version
 		// core including all three parts and no build identifier.
-		versionCore := strings.Split(pin, "-")[0]
+		parts := strings.Split(pin, "-")
+		if len(parts) == 0 {
+			return fmt.Errorf("%w: %s: version tag not valid", serrors.ErrorInvalidRef, pin)
+		}
+		versionCore := parts[0]
 		if !semver.IsValid(pin) ||
 			len(strings.Split(versionCore, ".")) != 3 ||
 			semver.Build(pin) != "" {
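Review bot: The new `len(parts) == 0` guard is unreachable: strings.Split with a non-empty separator always returns at least one element (`strings.Split("", "-")` yields `[""]`), so `parts[0]` could never have panicked and the error branch is dead code. The case the guard appears to target, a pin that is empty or begins with `-` and so gives `parts[0] == ""`, already falls through to `!semver.IsValid(pin)` on the next line, which rejects it. Either restore the original one-liner `versionCore := strings.Split(pin, "-")[0]` or, if an explicit ErrorInvalidRef for that case is wanted, change the condition to `if parts[0] == ""`. IsValidBuilderTag continues outside the hunk, and `pin` is assigned before it.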