diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4c69acc4..9db4deef 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -126,29 +126,10 @@ jobs:
 deploy_npm:
 name: Deploy npm
 runs-on: ubuntu-latest
- if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'sass/embedded-host-node'"
+ if: "github.ref_type == 'tag' && github.event.repository.fork == false"
 needs: [static_analysis, tests, sass_spec]
-
- steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-node@v6
- with:
- node-version: 'lts/*'
- check-latest: true
- registry-url: 'https://registry.npmjs.org'
- - run: npm install
-
- - name: "Check we're not using a -dev version of the embedded protocol"
- run: jq -r '.["protocol-version"]' package.json | grep -qv -- '-dev$'
- - name: "Check we're not using a -dev version of the embedded compiler"
- run: jq -r '.["compiler-version"]' package.json | grep -qv -- '-dev$'
-
- - name: Publish optional dependencies
- env:
- NODE_AUTH_TOKEN: '${{ secrets.NPM_TOKEN }}'
- run: |
- find ./npm -mindepth 1 -maxdepth 1 -print0 | xargs -0 -n 1 -- sh -xc 'npx ts-node ./tool/prepare-optional-release.ts --package=$(basename $1) && npm publish $1' --
-
- - run: npm publish
- env:
- NODE_AUTH_TOKEN: '${{ secrets.NPM_TOKEN }}'
+ permissions:
+ attestations: write
+ contents: write
+ id-token: write
+ uses: ./.github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..8fb2d1cc
--- /dev/null
+++ b/.github/workflows/release.yml
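Review bot: The new `permissions` block grants `contents: write` to the called workflow, but the release.yml introduced in the same commit only checks out, installs and runs `npm publish`; nothing there pushes, tags or creates a release, so `contents: read` (enough for `actions/checkout`) would satisfy least privilege alongside `id-token: write` for OIDC trusted publishing. I would change the line to `contents: read` unless release.yml is expected to grow a step that writes to the repository, in which case a comment naming that step would justify the scope. The new `if:` also drops the explicit `github.repository == 'sass/embedded-host-node'` check in favour of `github.event.repository.fork == false`, which admits any non-fork copy of the repository (a mirror, a transferred repo) that carries a matching tag; presumably npm's trusted-publisher binding to this repository and workflow stops an actual publish from elsewhere, but the job would still run there, so a short comment on the `if:` stating that the repository check is now enforced on the npm side would help the next reader.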
@@ -0,0 +1,33 @@
+name: Release
+
+on:
+ workflow_call:
+
+jobs:
+ deploy_npm:
+ name: Deploy npm
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v5
+ - uses: actions/setup-node@v6
+ with:
+ node-version: 'lts/*'
+ check-latest: true
+ registry-url: 'https://registry.npmjs.org'
+
+ # npm trusted publisher infrastructure requires npm >=11.5.1
+ - run: npm install -g npm@latest
+
+ - run: npm install
+
+ - name: "Check we're not using a -dev version of the embedded protocol"
+ run: jq -r '.["protocol-version"]' package.json | grep -qv -- '-dev$'
+ - name: "Check we're not using a -dev version of the embedded compiler"
+ run: jq -r '.["compiler-version"]' package.json | grep -qv -- '-dev$'
+
+ - name: Publish optional dependencies
+ run: |
+ find ./npm -mindepth 1 -maxdepth 1 -print0 | xargs -0 -n 1 -- sh -xc 'npx ts-node ./tool/prepare-optional-release.ts --package=$(basename $1) && npm publish $1' --
+
+ - run: npm publish
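Review bot: `npm install -g npm@latest` pulls an unpinned, floating npm release into the one job that holds the OIDC publishing identity, so a broken or malicious npm release would run with publish rights on the next tag; the comment above it names the floor version, so pin to it and bump deliberately, `- run: npm install -g npm@11.5.1`. The same mutable-reference concern applies to `actions/checkout@v5` and `actions/setup-node@v6`, which track major tags rather than commit SHAs; for a release job, SHA-pinning with the tag kept in a trailing comment is the usual hardening. The final `npm publish` no longer passes `--provenance` while the caller grants `attestations: write`; if provenance is expected, confirm that trusted publishing with npm >=11.5.1 emits it automatically, otherwise add the flag. The two `-dev` checks pass whenever `jq` prints `null` for a missing key (no line matches `-dev$`), so a missing `protocol-version`/`compiler-version` would not block the release; a comment noting that, or a separate presence check, would make the guard's scope explicit.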