diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 7a96710..9af28f2 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -2,35 +2,40 @@ name: CI
 
 on: [push]
 
-env:
-  PYTHON_SRC: "src"
-
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   python:
+    uses: ./.github/workflows/python.yml
+    with:
+      os: ${{ matrix.os }}
+      target: ${{ matrix.target }}
+      python-version: ${{ matrix.python-version }}
+    name: Python CI (${{ matrix.os }})
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-20.04, macos-13]
-    uses: ./.github/workflows/python.yml
-    name: Python CI (${{ matrix.os }})
-    with:
-      os: ${{ matrix.os }}
+        target: [x86_64]
+        python-version: ['3.8', '3.9', '3.10', '3.11']      
 
   release:
-    name: Release
-    runs-on: ubuntu-latest
-    if: "startsWith(github.ref, 'refs/tags/')"
     needs: python
-    steps:
-      - name: Download artifacts
-        uses: actions/download-artifact@v4
-      - name: Publish to PyPI
-        uses: PyO3/maturin-action@v1
-        env:
-          MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
-        with:
-          command: upload
-          args: --skip-existing *
+    uses: ./.github/workflows/pypi_release.yml
+    with:
+      os: ${{ matrix.os }}
+      target: ${{ matrix.target }}
+      python-version: ${{ matrix.python-version }}
+    name: Release (${{ matrix.os }})
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-20.04, macos-13]
+        target: [x86_64]
+        python-version: ['3.8', '3.9', '3.10', '3.11']
+    permissions:
+      contents: read
+      id-token: write
diff --git a/.github/workflows/pypi_release.yml b/.github/workflows/pypi_release.yml
new file mode 100644
index 0000000..04169ea
--- /dev/null
+++ b/.github/workflows/pypi_release.yml
@@ -0,0 +1,32 @@
+name: Release CI
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+      target:
+        required: true
+        type: string
+      python-version:
+        required: true
+        type: string
+
+jobs:
+  release:
+    name: Python ${{ inputs.python-version }} (${{ inputs.target }})
+    runs-on: ubuntu-latest
+    environment:
+      name: release
+      url: https://pypi.org/p/intel-sgx-ra
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.os }}-${{ inputs.python-version }}-${{ inputs.target }}-wheels
+          path: dist
+
+      - name: Publish packages to PyPi
+        uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index be5d8ca..2c1c704 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -6,6 +6,16 @@ on:
       os:
         required: true
         type: string
+      target:
+        required: true
+        type: string
+      python-version:
+        required: true
+        type: string
+    outputs:
+      package-version:
+        description: "Version of the Python package"
+        value: ${{ jobs.build.outputs.package-version }}
 
 env:
   PYTHON_SRC: "src"
@@ -14,38 +24,31 @@ permissions:
   contents: read
 
 jobs:
-  python:
+  build:
+    name: Python ${{ inputs.python-version }} (${{ inputs.target }})
     runs-on: ${{ inputs.os }}
-    strategy:
-      matrix:
-        target: [x86_64]
-        python-version: ['3.8', '3.9', '3.10', '3.11']
-    name: Python ${{ matrix.python-version }} (${{ matrix.target }})
+    outputs:
+      package-version: ${{ steps.metadata.outputs.PACKAGE_VERSION }}
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Set up Python ${{ matrix.python-version }}
+      - name: Set up Python ${{ inputs.python-version }}
         uses: actions/setup-python@v5
         with:
-          python-version: ${{ matrix.python-version }}
+          python-version: ${{ inputs.python-version }}
           cache: 'pip'  # caching pip dependencies
 
       - name: Build wheels
         uses: PyO3/maturin-action@v1
         with:
-          target: ${{ matrix.target }}
+          target: ${{ inputs.target }}
           manylinux: manylinux2014
           container: quay.io/pypa/manylinux2014_x86_64
-          args: --release --out dist -i ${{ matrix.python-version }}
+          args: --release --out dist -i ${{ inputs.python-version }}
           sccache: 'true'
 
-      - name: Upload wheels
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ inputs.os }}-${{ matrix.python-version }}-${{ matrix.target }}-wheels
-          path: dist
-
       - name: Install dependencies
         run: |
           if [ -f tests/requirements.txt ]; then python -m pip install -r tests/requirements.txt; fi
@@ -84,3 +87,9 @@ jobs:
       - name: Test with pytest
         run: |
           python -m pytest
+
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.os }}-${{ inputs.python-version }}-${{ inputs.target }}-wheels
+          path: dist
diff --git a/pyproject.toml b/pyproject.toml
index 3b39378..74ae9cd 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "intel-sgx-ra"
-version = "2.3.0"
+version = "2.2.0"
 description = "Intel SGX Remote Attestation verification library"
 authors = [
     {name = "Cosmian Tech", email = "tech@cosmian.com"},