diff --git a/.github/actions/build-sign-and-package-plugin/action.yml b/.github/actions/build-sign-and-package-plugin/action.yml
index b4a6321f05..e0a9b6558b 100644
--- a/.github/actions/build-sign-and-package-plugin/action.yml
+++ b/.github/actions/build-sign-and-package-plugin/action.yml
@@ -7,18 +7,15 @@ inputs:
       it as the official plugin version.
     required: true
 outputs:
+  authoritative_version_number:
+    description: "The version number of the plugin used for publishing artifacts"
+    value: ${{ steps.plugin-version.outputs.version }}
   artifact_filename:
     description: "The filename of the plugin artifact"
     value: ${{ steps.artifact-filename.outputs.filename }}
 runs:
   using: "composite"
   steps:
-    # This will fetch the secret keys from vault and set them as environment variables for subsequent steps
-    - name: Get Vault secrets
-      uses: grafana/shared-workflows/actions/get-vault-secrets@main
-      with:
-        repo_secrets: |
-          GRAFANA_ACCESS_POLICY_TOKEN=github_actions:cloud-access-policy-token
     - name: Determine official plugin version
       id: plugin-version
       shell: bash
diff --git a/.github/workflows/on-release-published.yml b/.github/workflows/on-release-published.yml
index 82c40e8d77..dcb7fae09a 100644
--- a/.github/workflows/on-release-published.yml
+++ b/.github/workflows/on-release-published.yml
@@ -36,6 +36,7 @@ jobs:
         uses: grafana/shared-workflows/actions/get-vault-secrets@main
         with:
           repo_secrets: |
+            GRAFANA_ACCESS_POLICY_TOKEN=github_actions:cloud-access-policy-token
             GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON=github_actions:gcs-plugin-publisher
       - name: Build, sign, and package plugin
         id: build-sign-and-package-plugin
@@ -57,7 +58,7 @@ jobs:
         id: gcs-artifact-url
         # yamllint disable rule:line-length
         run: |
-          echo url="https://storage.googleapis.com/grafana-oncall-app/releases/grafana-oncall-app-${{ github.ref_name }}.zip" >> $GITHUB_OUTPUT
+          echo url="https://storage.googleapis.com/grafana-oncall-app/releases/grafana-oncall-app-${{ steps.build-sign-and-package-plugin.outputs.authoritative_version_number }}.zip" >> $GITHUB_OUTPUT
       - name: Publish plugin to grafana.com
         run: |
           curl -f -w "status=%{http_code}" -s -H "Authorization: Bearer ${{ env.GRAFANA_ACCESS_POLICY_TOKEN }}" -d "download[any][url]=${{ steps.gcs-artifact-url.outputs.url }}" -d "download[any][md5]=$(curl -sL ${{ steps.gcs-artifact-url.outputs.url }} | md5sum | cut -d'' '' -f1)" -d url=https://github.com/grafana/oncall/grafana-plugin https://grafana.com/api/plugins