diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
deleted file mode 100644
index a65cf7e..0000000
--- a/.github/workflows/publish.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: Publish Package
-
-on:
- workflow_dispatch:
- inputs:
- tag:
- description: 'npm tag (latest or next)'
- required: true
- type: choice
- options:
- - latest
- - next
- repository_dispatch:
- types: [publish-package]
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- fetch-tags: true
-
- - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd
- with:
- install: true
- cache: true
- experimental: true
-
- - name: Build
- run: mise run build
-
- - id: inputs
- uses: simenandre/setup-inputs@v1
-
- - name: Publish to npm with OIDC
- run: |
- TAG="${{ steps.inputs.outputs.tag }}"
- if [ -z "$TAG" ]; then
- TAG="latest"
- fi
-
- echo "Publishing with tag: $TAG"
- mise run publish --tag "$TAG"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e3c2c90..6708145 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,20 +29,13 @@ jobs:
 dispatch-publish:
 needs: process
 runs-on: ubuntu-latest
- if: needs.process.outputs.releases_created == 'true' || needs.process.outputs.prs_created == 'true'
+ # Only publish once a release is actually cut (release PR merged → tag + GitHub release).
+ if: needs.process.outputs.releases_created == 'true'
 steps:
+ # Routes to publish-as-is.yml, the workflow npm authorizes for OIDC trusted publishing.
+ # (publish.yml is not a configured trusted publisher and fails with ENEEDAUTH.)
 - name: Dispatch publish for releases
- if: needs.process.outputs.releases_created == 'true'
 uses: peter-evans/repository-dispatch@v2
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
- event-type: publish-package
- client-payload: '{"tag": "latest"}'
-
- - name: Dispatch publish for prerelease
- if: needs.process.outputs.prs_created == 'true'
- uses: peter-evans/repository-dispatch@v2
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- event-type: publish-package
- client-payload: '{"tag": "next"}'
+ event-type: publish-package-as-is
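Review bot: The new dispatch at `event-type: publish-package-as-is` sends no `client-payload`, so the receiving workflow is never told which commit or release it is meant to publish. A `repository_dispatch` run executes against the default branch's latest commit, so unless publish-as-is.yml (not visible here) resolves the release tag itself, a commit that lands between the release and the dispatch could end up in the OIDC-published package. Consider passing the released commit, for example `client-payload: '{"sha": "${{ github.sha }}"}'`, and having the publish workflow check out exactly that ref. Separately, `peter-evans/repository-dispatch@v2` is referenced by a mutable tag while being handed `secrets.GITHUB_TOKEN`; pinning it to a full commit SHA would match how the deleted publish.yml pinned `jdx/mise-action`.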