diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 70dfb5464..cc57c81f9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,8 @@ on:
 
 env:
   FORCE_COLOR: "1"
+  # NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green
 
 permissions:
   id-token: write
@@ -34,8 +36,6 @@ jobs:
 
       - name: Setup npm config for JFrog
         env:
-          # NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
-          NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green
           NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
         run: |
           cat << EOF | tee .npmrc
@@ -50,26 +50,38 @@ jobs:
         with:
           publish: pnpm release
           # to remove
+          title: "⚙️ (release) [NO-ISSUE]: Version packages"
+          commit: "⚙️ (release): Version packages"
           branch: feat/no-issue-jfrog-attest-sign-package
+          createGithubReleases: false
         env:
           GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
       
       - name: Download published packages to attest and sign
-        # if: steps.changesets.outputs.published == 'true'
+        if: steps.changesets.outputs.published == 'true'
         run: |
           # Extract package name
-          PACKAGE_NAME=${{ steps.changesets.outputs.publishedPackages }}
+          # output will be in the form of
+          # [{"name":"@ledgerhq/device-sdk-core","version":"0.4.0"}]
+          cat << EOF | tee published-packages.json
+          ${{ steps.changesets.outputs.publishedPackages }}
+          EOF
+          PACKAGE_NAME=$(cat published-packages.json | jq -r '.[0].name')
+          PACKAGE_VERSION=$(cat published-packages.json | jq -r '.[0].version')
           
-          echo $PACKAGE_NAME
-
+          # Create dist directory
           mkdir dist
+          curl -s --output dist/${PACKAGE_NAME}-{PACKAGE_VERSION}.tgz https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-{PACKAGE_VERSION}.tgz
 
-      # - name: Attest tarball
-      #   if: steps.changesets.outputs.published == 'true'
-      #   uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
-      #   with:
-      #     subject-path: ./dist
-      #     push-to-registry: true
+          ls -al
+          ls -al dist
+
+      - name: Attest tarball
+        if: steps.changesets.outputs.published == 'true'
+        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+        with:
+          subject-path: ./dist
+          push-to-registry: true
 
       # - name: Sign tarball
       #   if: steps.changesets.outputs.published == 'true'