diff --git a/.github/workflows/changelogensets.yml b/.github/workflows/changelog.yml
similarity index 96%
rename from .github/workflows/changelogensets.yml
rename to .github/workflows/changelog.yml
index 92ad69109641..515b3735e95c 100644
--- a/.github/workflows/changelogensets.yml
+++ b/.github/workflows/changelog.yml
@@ -1,4 +1,4 @@
-name: Release
+name: changelog
 
 on:
   push:
@@ -15,7 +15,7 @@ concurrency:
   cancel-in-progress: ${{ github.event_name != 'push' }}
 
 jobs:
-  update-changelog:
+  update:
     if: github.repository_owner == 'nuxt' && !contains(github.event.head_commit.message, 'v3.')
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index b2f95e5d719c..9d4d26a63ea5 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -1,4 +1,4 @@
-name: release
+name: release-pr
 
 on:
   issue_comment:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000000..606a60aa6de9
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,39 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+# Remove default permissions of GITHUB_TOKEN for security
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+permissions: {}
+
+jobs:
+  release:
+    if: github.repository == 'nuxt/nuxt' && startsWith(github.event.head_commit.message, 'v3.')
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - run: corepack enable
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: 20
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Build (stub)
+        run: pnpm dev:prepare
+
+      - name: Release
+        run: ./scripts/release.sh
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.RELEASE_NODE_AUTH_TOKEN}}
+          NPM_CONFIG_PROVENANCE: true
diff --git a/scripts/release.sh b/scripts/release.sh
index 96a1dddcc145..a7ff988da4b7 100755
--- a/scripts/release.sh
+++ b/scripts/release.sh
@@ -24,6 +24,3 @@ for PKG in packages/* ; do
   pnpm publish --access public --no-git-checks --tag $TAG
   popd > /dev/null
 done
-
-# Restore environment to dev mode
-pnpm dev:prepare