diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2fc825d..8e4c8f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,11 +5,12 @@ on:
     tags:
       - 'v*'
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -19,34 +20,57 @@ jobs:
             goarch: amd64
           - goos: windows
             goarch: arm64
+    env:
+      GOOS: ${{ matrix.goos }}
+      GOARCH: ${{ matrix.goarch }}
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: vendor/build/siso/go.mod
-          cache-dependency-path: vendor/build/siso/go.sum
+          cache: false
 
       - name: Apply patches
         run: script/apply-patches
 
       - name: Build
-        env:
-          GOOS: ${{ matrix.goos }}
-          GOARCH: ${{ matrix.goarch }}
         run: script/build
 
       - name: Checksum
         run: |
           cd out
-          sha256sum siso-${{ matrix.goos }}-${{ matrix.goarch }}* > siso-${{ matrix.goos }}-${{ matrix.goarch }}.sha256
+          sha256sum "siso-${GOOS}-${GOARCH}"* > "siso-${GOOS}-${GOARCH}.sha256"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: siso-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: out/siso-${{ matrix.goos }}-${{ matrix.goarch }}*
+          if-no-files-found: error
 
-      - name: Upload release assets
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+  release:
+    needs: build
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
-          files: |
-            out/siso-${{ matrix.goos }}-${{ matrix.goarch }}*
+          path: dist
+          merge-multiple: true
+
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          ls -la dist/
+          gh release create "$TAG" --verify-tag --title "$TAG" --generate-notes dist/*