diff --git a/.github/workflows/propose-release.yml b/.github/workflows/propose-release.yml
new file mode 100644
index 000000000..1ba7f43e7
--- /dev/null
+++ b/.github/workflows/propose-release.yml
@@ -0,0 +1,29 @@
+on:
+  workflow_dispatch:
+    inputs:
+      reference-id:
+        type: string
+        required: true
+      version:
+        type: string
+        required: true
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  propose-release:
+    uses: DeterminateSystems/propose-release/.github/workflows/workflow.yml@main
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+    with:
+      update-flake: false
+      reference-id: ${{ inputs.reference-id }}
+      version: ${{ inputs.version }}
+      extra-commands-early: |
+        echo ${{ inputs.version }} > .version-determinate
+        git add .version-determinate
+        git commit -m "Set .version-determinate to ${{ inputs.version }}"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 839ace594..00ca3ec53 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,20 +1,23 @@
-name: Publish on FlakeHub
+name: Release
 
 on:
-  push:
-    tags:
-      - "v*.*.*"
+  release:
+    types:
+      - released
 
-publish:
-  runs-on: ubuntu-latest
-  permissions:
-    contents: read
-    id-token: write
-  steps:
-    - uses: actions/checkout@v4
-    - uses: DeterminateSystems/nix-installer-action@main
-    - uses: "DeterminateSystems/flakehub-push@main"
-      with:
-        visibility: "private"
-        name: "DeterminateSystems/nix-priv"
-        tag: "${{ github.ref_name }}"
+jobs:
+  publish:
+    if: (!github.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/')))
+    environment: ${{ github.event_name == 'release' && 'production' || '' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: "DeterminateSystems/flakehub-push@main"
+        with:
+          rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+          visibility: "private"
+          tag: "${{ github.ref_name }}"