diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 04af18a..f75bb87 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -13,6 +13,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+       # id-token: write required for get-vault-secrets
+      id-token: write
     outputs:
       new_version: ${{ steps.version_check.outputs.version }}
       version_changed: ${{ steps.version_check.outputs.changed }}
@@ -52,11 +54,18 @@ jobs:
         if: steps.version_check.outputs.changed == 'true'
         run: yarn build
 
+      - name: Get secrets from vault
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            NPM_TOKEN=npm-release.npm_token
+
       - name: Publish package to NPM
         if: steps.version_check.outputs.changed == 'true'
         run: npm publish --access public --scope grafana
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
 
       - name: Setup .npmrc file for GitHub Packages
         if: steps.version_check.outputs.changed == 'true'