diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 9240f86..ba1cfc6 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -1,8 +1,8 @@
 name: CD
 on:
- release:
- types: [created]
+ workflow_call: # invoked by release-please.yml on release_created
+ workflow_dispatch: # manual backup via Actions UI
 jobs:
 publish-npm:
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository == 'chrislyons-dev/archlette'
 permissions:
- id-token: write # for provenance
+ id-token: write # for npm trusted publishing (OIDC)
 contents: read
 steps:
 - uses: actions/checkout@v5
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index d387640..eb3ba8a 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -5,15 +5,26 @@ on:
 branches:
 - main
-permissions:
- contents: write
- pull-requests: write
-
 jobs:
 release-please:
 runs-on: ubuntu-latest
+ if: github.repository == 'chrislyons-dev/archlette'
+ permissions:
+ contents: write
+ pull-requests: write
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
 steps:
 - uses: googleapis/release-please-action@v4
+ id: release
 with:
 release-type: node
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ publish-npm:
+ needs: release-please
+ if: needs.release-please.outputs.release_created == 'true'
+ uses: ./.github/workflows/cd.yml
+ permissions:
+ id-token: write
+ contents: read
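Review bot: In cd.yml's `on:` block, `workflow_dispatch` has no restriction on the ref it is run from, so a collaborator with write access can start a publish from any branch or tag, and the only gate visible on `publish-npm` is the `github.repository` check. Because that job holds `id-token: write`, I would tighten the condition to `if: github.repository == 'chrislyons-dev/archlette' && github.ref == 'refs/heads/main'` (a called workflow sees the caller's ref, so the automated path still passes), or bind the job to a protected environment with required reviewers. The job body continues outside the hunk, so I cannot tell whether any step still reads `github.event.release`; under `workflow_call` that context carries the caller's push event, not a release.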
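Review bot: The new `publish-npm` job in release-please.yml changes the OIDC identity the package is published under, and nothing in the file records that. In a called workflow the token's `workflow_ref` claim names the caller (release-please.yml) while `job_workflow_ref` names cd.yml, so the trusted-publisher entry on npm should be checked against both this path and the manual `workflow_dispatch` path; I have not verified which claim npm matches. A short comment above the job would help, e.g. `# Publish from here: releases created with GITHUB_TOKEN do not trigger other workflows.` (that motive is inferred from the change, so adjust it if wrong).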