diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 211c9d90fd2..f9ba5e32b8b 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -34,16 +34,25 @@ on:
 permissions:
   # contents: write allows the action(s) to create github releases
   contents: write
+  id-token: write
 
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/github_release path in Vault
+          repo_secrets: |
+            GRAFANA_MISC_STATS_API_KEY=github_release:GRAFANA_MISC_STATS_API_KEY
+
       - name: Create GitHub release (manually invoked)
         uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}
-          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
+          metrics_api_key: ${{ env.GRAFANA_MISC_STATS_API_KEY }}
           latest: ${{ inputs.latest }}
           dry_run: ${{ inputs.dry_run }}