diff --git a/.github/workflows/npm-prepare-release.yml b/.github/workflows/npm-prepare-release.yml
index 895a6af07..963ae55d7 100644
--- a/.github/workflows/npm-prepare-release.yml
+++ b/.github/workflows/npm-prepare-release.yml
@@ -14,16 +14,22 @@ on:
           - minor
           - major
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
     name: Prepare a new npm release
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Check out the source code
         uses: actions/checkout@v6
 
       - name: Run npm-prepare-release
-        uses: Automattic/vip-actions/npm-prepare-release@v0.7.3
+        uses: Automattic/vip-actions/npm-prepare-release@c8022b66e78461df4f802b935dc0dbb8399f96bc # v0.7.4
         with:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           npm-version-type: ${{ inputs.npm-version-type }}
diff --git a/.github/workflows/npm-publish-prerelease.yml b/.github/workflows/npm-publish-prerelease.yml
deleted file mode 100644
index 8324e5908..000000000
--- a/.github/workflows/npm-publish-prerelease.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: Publish prerelease to npm
-
-on:
-  workflow_dispatch:
-    inputs:
-      npm_tag:
-        description: 'NPM tag for prerelease'
-        default: 'next'
-
-jobs:
-  publish:
-    name: Publish prerelease
-    runs-on: ubuntu-latest
-    environment: npm-publish
-    permissions:
-      contents: write
-      id-token: write
-      pull-requests: write
-    steps:
-      - uses: Automattic/vip-actions/npm-publish-prerelease@v0.7.4
-        with:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          USE_TRUSTED_PUBLISHING: 'true'
-          PROVENANCE: 'true'
-          NPM_TAG: ${{ inputs.npm_tag }}
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 062def603..e3e8ff912 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -3,19 +3,24 @@ name: Publish to npm (if applicable)
 on:
   pull_request:
     types: [closed]
+  workflow_dispatch:
+    inputs:
+      npm_tag:
+        description: 'NPM tag for prerelease'
+        default: 'next'
 
 jobs:
   publish:
     name: Publish to npm
     runs-on: ubuntu-latest
     environment: npm-publish
-    if: contains( github.event.pull_request.labels.*.name, '[ Type ] NPM version update' ) && startsWith( github.head_ref, 'release/') && github.event.pull_request.merged == true
+    if: github.event_name == 'pull_request' && github.event.pull_request.merged == true && contains( github.event.pull_request.labels.*.name, '[ Type ] NPM version update' ) && startsWith( github.head_ref, 'release/')
     permissions:
       contents: write
       id-token: write
       pull-requests: write
     steps:
-      - uses: Automattic/vip-actions/npm-publish@v0.7.3
+      - uses: Automattic/vip-actions/npm-publish@c8022b66e78461df4f802b935dc0dbb8399f96bc # v0.7.4
         with:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           USE_TRUSTED_PUBLISHING: 'true'
@@ -40,3 +45,20 @@ jobs:
     needs: publish
     secrets:
       DOCS_SECRET_TOKEN: ${{ secrets.DOCS_SECRET_TOKEN }}
+
+  publish-prerelease:
+    name: Publish prerelease
+    runs-on: ubuntu-latest
+    environment: npm-publish
+    if: github.event_name == 'workflow_dispatch'
+    permissions:
+      contents: write
+      id-token: write
+      pull-requests: write
+    steps:
+      - uses: Automattic/vip-actions/npm-publish-prerelease@c8022b66e78461df4f802b935dc0dbb8399f96bc # v0.7.4
+        with:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          USE_TRUSTED_PUBLISHING: 'true'
+          PROVENANCE: 'true'
+          NPM_TAG: ${{ inputs.npm_tag }}