diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7fecdc276..ddd796502 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,7 @@ jobs:
 release:
 permissions:
 id-token: 'write'
+ contents: 'write'
 runs-on: ubuntu-latest
 env:
 LD_RELEASE_VERSION: ${{ inputs.releaseVersion }}
@@ -31,8 +32,8 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
- name: Get secrets
+ - name: get secrets
+ uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
 with:
 aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
 ssm_parameter_pairs: '/global/services/docker/public/username = DOCKER_USERNAME, /global/services/docker/public/token = DOCKER_TOKEN, /production/common/releasing/circleci/orb-token= CIRCLECI_CLI_TOKEN, /production/common/releasing/bitbucket/username = BITBUCKET_USERNAME, /production/common/releasing/bitbucket/token = BITBUCKET_TOKEN'
@@ -60,13 +61,14 @@ jobs:
 else
 ./scripts/release/publish.sh
 fi
- - name: Commit changes and tag
- run: |
- ./scripts/release/commit-and-tag.sh
- - name: Create Github release
+ ls -1a "$ARTIFACT_DIRECTORY"
+ - name: commit changes and tag
+ run: ./scripts/release/commit-and-tag.sh
+ - name: create Github release
 uses: ncipollo/release-action@v1.14.0
- if: ${{ inputs.dryRun != 'true' }}
+ if: ${{ !inputs.dryRun }}
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 tag: v${{ inputs.releaseVersion }}
 body: ${{ inputs.changeLog }}
+ artifacts: ${{ env.ARTIFACT_DIRECTORY }}/*
diff --git a/scripts/release/publish-dry-run.sh b/scripts/release/publish-dry-run.sh
index 8704dce53..efd0a1421 100755
--- a/scripts/release/publish-dry-run.sh
+++ b/scripts/release/publish-dry-run.sh
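Review bot: `contents: 'write'` is added at job level in the first hunk, so the write-scoped token applies to every step of `release`, not only the tag push and the release upload. `actions/checkout@v4` keeps that token in the local git configuration by default, which means the build scripts that run between checkout and the release step can also push to the repository. If only `commit-and-tag.sh` and the release action need write access, consider moving them into a separate job that carries `contents: 'write'` and consumes the staged artifacts. Pinning the third-party actions to a full commit SHA, e.g. `uses: ncipollo/release-action@<full-commit-sha> # v1.14.0`, would also limit what a moved tag could do with that token. The job definition continues outside the hunk, so other steps may change this picture.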
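Review bot: `if: ${{ !inputs.dryRun }}` in the third hunk matches the old `inputs.dryRun != 'true'` only when `dryRun` is declared with `type: boolean`; if it arrives as a string, any non-empty value (including `'false'`) is truthy and the release step would be skipped on a real release. The input declaration is outside the hunk, so this should be confirmed. The shell branch above that chooses between the dry-run and publish scripts should test the same value the same way, so that publishing and release creation cannot disagree. Separately, `artifacts: ${{ env.ARTIFACT_DIRECTORY }}/*` attaches everything in that directory to the public release; a comma-separated list of the expected patterns (`.../*.deb,.../*.rpm,.../*.tar.gz,.../*.txt`) would keep an unexpected file from being published.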
@@ -2,11 +2,8 @@
 set -euo pipefail
-echo ${DOCKER_TOKEN} | sudo docker login --username ${DOCKER_USERNAME} --password-stdin
-
-sudo PATH=${PATH} GITHUB_TOKEN=${GITHUB_TOKEN} make products-for-release
-
-mkdir -p ${ARTIFACT_DIRECTORY}
+source $(dirname $0)/stage-artifacts.sh
+stage_artifacts products-for-release
 # Copy the Docker image that goreleaser just built into the artifacts - we only do
 # this in a dry run, because in a real release the image will be available from
diff --git a/scripts/release/publish.sh b/scripts/release/publish.sh
index c350fbf38..62a7a5f8d 100755
--- a/scripts/release/publish.sh
+++ b/scripts/release/publish.sh
@@ -2,9 +2,8 @@
 set -euo pipefail
-echo ${DOCKER_TOKEN} | sudo docker login --username ${DOCKER_USERNAME} --password-stdin
-
-sudo PATH=${PATH} GITHUB_TOKEN=${GITHUB_TOKEN} make publish
+source $(dirname $0)/stage-artifacts.sh
+stage_artifacts publish
 # make bitbucket and github known hosts to push successfully
 mkdir -m700 ~/.ssh
diff --git a/scripts/release/stage-artifacts.sh b/scripts/release/stage-artifacts.sh
new file mode 100755
index 000000000..1c9e98240
--- /dev/null
+++ b/scripts/release/stage-artifacts.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -euo pipefail
+
+stage_artifacts() {
+ TARGET=$1
+
+ echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USERNAME" --password-stdin
+
+ sudo PATH="$PATH" GITHUB_TOKEN="$GITHUB_TOKEN" make "$TARGET"
+
+ mkdir -p "$ARTIFACT_DIRECTORY"
+ cp ./dist/*.deb ./dist/*.rpm ./dist/*.tar.gz ./dist/*.txt "$ARTIFACT_DIRECTORY"
+}
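Review bot: `source $(dirname $0)/stage-artifacts.sh` leaves both expansions unquoted, so a checkout path containing spaces or glob characters would be word-split and the script would fail or source a different file than intended. `source "$(dirname "$0")/stage-artifacts.sh"` avoids that. The same line is added in the `publish.sh` hunk and needs the same change. The rest of this script continues outside the hunk.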
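Review bot: In `stage_artifacts`, `sudo PATH="$PATH" GITHUB_TOKEN="$GITHUB_TOKEN" make "$TARGET"` places the token value in sudo's argument list, where it is readable from the process table while the build runs. If `GITHUB_TOKEN` is already exported, `sudo --preserve-env=GITHUB_TOKEN PATH="$PATH" make "$TARGET"` keeps the value out of argv; this assumes the runner's sudoers policy allows preserving that variable. `TARGET=$1` also sets a global in whichever script sources this file, and `local target="$1"` would keep it scoped to the function. Because the workflow attaches everything in `$ARTIFACT_DIRECTORY` to the release, a comment above the `cp` naming which `./dist/*.txt` files are expected (presumably checksums) would make an unintended file easier to spot.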