diff --git a/.github/workflows/pkg-release.yml b/.github/workflows/pkg-release.yml
new file mode 100644
index 0000000..7935ce2
--- /dev/null
+++ b/.github/workflows/pkg-release.yml
@@ -0,0 +1,34 @@
+# This filename is associated with the respective NPM package's trusted publish config.
+# If required, update both together.
+
+name: Package Release
+
+on:
+ push:
+ tags:
+ - 'v*.*.*'
+
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: 'Tag to publish (e.g. v1.2.3 or v1.2.3-rc.1)'
+ required: true
+ type: string
+
+permissions:
+ contents: read
+ id-token: write # required for OIDC-based publishing
+
+jobs:
+ call-npm-release:
+ uses: postmanlabs/gh-security-scan-workflow/.github/workflows/security-npm-publish.yml@main
+
+ with:
+ tag: ${{ github.ref_type == 'tag' && github.ref_name || inputs.tag }}
+ node_version: '22'
+ package_path: 'dist'
+ skip_tests: true
+ dry_run: ${{ github.event_name == 'workflow_dispatch' }}
+
+ secrets:
+ POSTMAN_NPM_TOKEN: ${{ secrets.POSTMAN_NPM_TOKEN }} # read-only granular token
\ No newline at end of file
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
deleted file mode 100644
index 0b0059f..0000000
--- a/.github/workflows/publish.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Publish to npm
-
-on:
- push:
- tags:
- - 'v*'
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- id-token: write
- steps:
- - name: Checkout
- uses: actions/checkout@v5
-
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: '22'
- registry-url: 'https://registry.npmjs.org'
-
- - name: Install dependencies
- run: npm ci
-
- - name: Publish to npm
- run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
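Review bot: In `.github/workflows/pkg-release.yml`, the `call-npm-release` job calls the reusable workflow at the mutable ref `@main` while granting `id-token: write` and passing `POSTMAN_NPM_TOKEN`. Any later commit to that branch therefore runs inside this repository's release path with the ability to mint the OIDC publishing token. Pin the call to a reviewed commit, e.g. `uses: postmanlabs/gh-security-scan-workflow/.github/workflows/security-npm-publish.yml@<full-commit-sha> # <release tag>`, and update the pin deliberately. The called workflow is not visible in this diff, so it is also worth confirming there that `skip_tests: true` does not bypass its security checks. Separately, a `workflow_dispatch` run started from a tag ref has `github.ref_type == 'tag'`, so the typed `tag` input is silently ignored; `tag: ${{ inputs.tag || github.ref_name }}` would prefer the explicit input and still fall back to the pushed tag.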