diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 016376a..2d0af9d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,6 +43,7 @@ permissions:
 jobs:
 release:
 name: Release
+ environment: npm
 permissions:
 contents: write # To publish packages with provenance
@@ -67,13 +68,33 @@ jobs:
 - name: Run Test
 run: pnpm run test
-
+ - name: Obtain OIDC token
+ id: oidc
+ run: |
+ token=$(curl --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=cfa.rspack.dev" | jq -r '.value')
+ echo "::add-mask::${token}"
+ echo "token=${token}" >> $GITHUB_OUTPUT
+ shell: bash
+ - name: Obtain GitHub credentials
+ id: github_creds
+ run: |
+ token=$(curl --fail "https://cfa.rspack.dev/api/request/${{ secrets.CFA_PROJECT_ID }}/github/credentials" \
+ -X POST \
+ -H "Content-Type: application/json" \
+ -H "Authorization: bearer ${{ secrets.CFA_SECRET }}" \
+ --data "{\"token\":\"${{ steps.oidc.outputs.token }}\"}" | jq -r '.GITHUB_TOKEN')
+ echo "::add-mask::${token}"
+ echo "token=${token}" >> $GITHUB_OUTPUT
+ shell: bash
 - name: Try release to npm
 run: pnpm run release
 env:
 DRY_RUN: ${{ inputs.dry_run }}
 TAG: ${{ inputs.tag }}
 VERSION: ${{ inputs.version }}
+ GITHUB_TOKEN: ${{ steps.github_creds.outputs.token }}
+ GITHUB_OIDC_TOKEN: ${{ steps.oidc.outputs.token }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
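Review bot: Binding the job to `environment: npm` changes the `sub` claim of the OIDC token the job later requests to `repo:<owner>/<repo>:environment:npm`, so whatever validates that token at cfa.rspack.dev should pin that subject (and the repository) rather than only the `audience` the workflow asks for, otherwise any other workflow in the repository could mint an equivalent token; the trust policy is not visible in this diff, so this is worth confirming. The environment should also carry the deployment-protection rules (required reviewers, branch or tag restriction) that now gate the secrets scoped to it, which is likewise configured outside this file. A short comment on the new line would record the intent for the next reader: `environment: npm # scopes NPM_TOKEN/CFA secrets to this environment; OIDC sub claim includes environment:npm`. The `release` job continues outside this hunk.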
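Review bot: In the new "Obtain GitHub credentials" step, `${{ secrets.CFA_SECRET }}`, `${{ secrets.CFA_PROJECT_ID }}` and `${{ steps.oidc.outputs.token }}` are expanded directly into the script text and the curl argument list, which writes the raw secret and OIDC token into the runner's temporary script file and the process command line instead of passing them through the environment; move them to `env:` on the step, reference `"$CFA_SECRET"`, `"$CFA_PROJECT_ID"` and `"$OIDC_TOKEN"` from the script, and build the JSON body with `jq -n --arg` rather than string interpolation. Both new steps extract the token with `jq -r`, which prints the literal string `null` when the key is missing, so a failed exchange would succeed with `token=null` and `::add-mask::null` would then mask the word "null" in every later log line; `jq -er '.value'` and `jq -er '.GITHUB_TOKEN'` make the step fail instead (pipefail is in effect here because `shell: bash` is set explicitly). The scope and lifetime of the `GITHUB_TOKEN` the CFA endpoint returns are not visible in this diff, so a one-line comment on the step stating what it is authorized to do would help whoever audits this workflow next. The `release` job continues outside this hunk.
```yaml
      - name: Obtain GitHub credentials
        id: github_creds
        env:
          CFA_PROJECT_ID: ${{ secrets.CFA_PROJECT_ID }}
          CFA_SECRET: ${{ secrets.CFA_SECRET }}
          OIDC_TOKEN: ${{ steps.oidc.outputs.token }}
        run: |
          token=$(jq -n --arg token "$OIDC_TOKEN" '{token: $token}' \
            | curl --fail "https://cfa.rspack.dev/api/request/${CFA_PROJECT_ID}/github/credentials" \
              -X POST \
              -H "Content-Type: application/json" \
              -H "Authorization: bearer ${CFA_SECRET}" \
              --data @- | jq -er '.GITHUB_TOKEN')
          # … unchanged: ::add-mask:: and $GITHUB_OUTPUT write …
        shell: bash
```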