diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 11e235076..96962a161 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,8 @@ permissions:
 on:
   push:
     tags: [ "v[0-9]+*" ]
+    branches:
+      - main
 env:
   BUILD_PACKAGES: build/packages
@@ -15,6 +17,7 @@ jobs:
   release-started:
     runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags')
     steps:
       - uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
         with:
@@ -29,6 +32,9 @@ jobs:
     uses: ./.github/workflows/build.yml
   build-packages:
+    permissions:
+      contents: read
+      packages: read
     needs:
       - build
     uses: ./.github/workflows/build-packages.yml
@@ -39,6 +45,10 @@ jobs:
       - build-packages
     env:
       BUCKET_NAME: "apm-agent-php"
+    permissions:
+      attestations: write
+      id-token: write
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
@@ -46,6 +56,11 @@ jobs:
           name: package
           path: ${{ env.BUILD_PACKAGES }}
+      - name: generate build provenance
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/${{ env.BUILD_PACKAGES }}/*"
+
       ## NOTE: The name of the zip should match the name of the folder to be zipped.
       - name: Prepare packages to be signed
         run: zip -r packages.zip packages/
@@ -74,6 +89,7 @@ jobs:
           predefinedAcl: "publicRead"
       - id: buildkite
+        if: startsWith(github.ref, 'refs/tags')
         name: Run buildkite pipeline
         uses: elastic/apm-pipeline-library/.github/actions/buildkite@current
         with:
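Review bot: Adding `branches: [main]` to the `push` trigger makes this release workflow run on every ordinary push, while only some jobs are gated later with `startsWith(github.ref, 'refs/tags')`; the `build`, `build-packages` and the signing job (the one carrying `id-token: write` and `contents: write` below) appear to have no gate and will now execute with release-level permissions for every commit on `main`. If the intent is just to produce an attested build on `main`, say so next to the trigger so the next reader does not assume every job is release-only, e.g. `# pushes to main build and attest only; publishing steps are gated on refs/tags below`. A `paths-ignore` filter for docs-only changes would also cut the number of privileged runs, if that fits the project. Minor style point: `tags:` uses flow style with inner spaces while the new `branches:` uses block style; pick one form for the two sibling keys.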
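Review bot: The same gate expression `startsWith(github.ref, 'refs/tags')` is introduced here on `release-started` and repeated in the buildkite, generate-test-packages-matrix, test-packages, draft/verify/publish release and notify hunks. GitHub exposes the ref kind directly, so `if: github.ref_type == 'tag'` states the intent in one token and is easier to grep and to keep consistent across the file than a string-prefix test. Whichever form is kept, use it uniformly; the per-step copies in the release job are the ones most likely to drift.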
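Review bot: The signing job's new `permissions` block grants `contents: write` together with `id-token: write` and `attestations: write`, and with the new `main` trigger this job now runs on every push, not just on release tags. Nothing visible in the job's steps (checkout, download-artifact, the provenance step, the zip) needs to write repository contents; if the provenance action only needs to read the checkout, `contents: read` is the least-privilege setting, and `write` should stay only if the action's documentation requires it for writing attestations. A short comment naming the consumer of each write scope, e.g. `# id-token/attestations: required by the build-provenance step`, would make the grant auditable. The enclosing job's header (its name and `runs-on`) is outside this hunk.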
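Review bot: The new provenance step references `github-early-access/generate-build-provenance@main`, a mutable branch, in a job that holds `id-token: write` and `contents: write`; any change pushed to that branch runs here with those scopes on the next workflow run. Pin third-party actions to a full commit SHA with the version noted alongside, `uses: github-early-access/generate-build-provenance@<full-commit-sha>  # <tag-or-version>`, and let a dependency-update bot bump it; the other actions in this job (`actions/checkout@v4`, `actions/download-artifact@v3`) are at least on tagged releases. The `subject-path` glob is correctly quoted so the leading `${{` and trailing `*` are not misread by the YAML parser.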
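Review bot: The tag gate is added to the `buildkite` step, but the upload step just above it (whose trailing `predefinedAcl: "publicRead"` is the hunk's first context line) gets none in this hunk; unless that step carries its own `if:` above the visible lines, every push to `main` will now upload artifacts to the `apm-agent-php` bucket with a public ACL. If main-branch uploads are not intended, give that step the same gate, `if: startsWith(github.ref, 'refs/tags')`, or gate the whole job; if they are intended, a comment on the upload step saying so would prevent the next reader from treating it as a leak. The upload step's header is outside this hunk, so this is inferred from the visible context only.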
@@ -90,12 +106,17 @@ jobs:
           BUNDLE_URL=https://storage.googleapis.com/${{ env.BUCKET_NAME }}/${{ steps.upload-file.outputs.uploaded }}
   generate-test-packages-matrix:
+    if: startsWith(github.ref, 'refs/tags')
     uses: ./.github/workflows/generate-matrix.yml
   test-packages:
+    if: startsWith(github.ref, 'refs/tags')
     needs:
       - sign
       - generate-test-packages-matrix
+    permissions:
+      contents: read
+      packages: read
     uses: ./.github/workflows/test-packages.yml
     with:
       include: ${{ needs.generate-test-packages-matrix.outputs.include }}
@@ -126,12 +147,15 @@ jobs:
           PACKAGE_FILE: "signed-artifacts.zip"
       - name: Create draft release
+        if: startsWith(github.ref, 'refs/tags')
         run: make -f .ci/Makefile draft-release
       - name: Verify draft release
+        if: startsWith(github.ref, 'refs/tags')
         run: ORIGINAL_PACKAGES_LOCATION=${{ env.BUILD_PACKAGES }} make -f .ci/Makefile download-verify
       - name: Publish release
+        if: startsWith(github.ref, 'refs/tags')
         run: make -f .ci/Makefile github-release-ready
   notify:
@@ -150,6 +174,7 @@ jobs:
         with:
           needs: ${{ toJSON(needs) }}
       - uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
+        if: startsWith(github.ref, 'refs/tags')
         with:
           status: ${{ steps.check.outputs.status }}
           vaultUrl: ${{ secrets.VAULT_ADDR }}
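Review bot: In the release-job hunk the three `make` steps are each gated with their own `if:`, which leaves every earlier step of the same job (at least the one whose `PACKAGE_FILE: "signed-artifacts.zip"` env is visible as context) running on pushes to `main` before the gated steps are skipped. If none of those earlier steps is useful on `main`, a single job-level gate is both cheaper and harder to get wrong when a new step is added later without the condition; the job's header is outside this hunk, so the change would be one line there, `if: startsWith(github.ref, 'refs/tags')`, with the three step-level copies dropped. If the earlier steps are deliberately kept for main pushes, a comment above the first gated step, `# only publish from release tags; earlier steps also run on main`, would document that choice.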