Saved February 14, 2026
Do you care about this?
The article discusses a method for securely managing package releases using a "valet key" approach. It outlines how to grant limited access to release tokens while ensuring a clear approval process and full audit trails, ultimately reducing the risk of supply-chain attacks.
If you do, here's more
Releasing software packages securely is a critical challenge, especially in light of recent supply-chain attacks like the Shai-Hulud incident. The author recounts their experience at Sentry, where they faced the risk of unauthorized releases due to the way access tokens were managed. With over 90 engineers having commit access to SDK repositories, any one of them could modify workflows and potentially exfiltrate sensitive credentials without detection. The existing system lacked proper audit trails, making it difficult to trace unauthorized actions.
To address these vulnerabilities, the author introduced a solution based on a "valet key" concept. Instead of granting full access to publishing tokens, a separate repository was created specifically for releases. Access was tightly controlled—only 3-4 release engineers could modify this repository, while other team members could only request releases by creating issues. The approval process relied on labeling issues, allowing release managers to trigger publishes without direct access to sensitive credentials. This setup minimized risk while maintaining a streamlined workflow for developers.
The implementation involved using Craft, a CLI tool designed to manage releases with two distinct phases: prepare and publish. The preparation phase handles tasks like building and testing without access to publishing tokens, while the publish phase only uploads pre-built artifacts to various registries. This architecture significantly reduces the attack surface. If an attacker compromised a dependency during the prepare phase, they would not have access to credentials during the publish phase, making supply-chain attacks more difficult to execute. The article highlights the importance of security in package management and offers a practical approach to mitigate risks.
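The flow described above, modelled as an added example (this is illustrative code written for this page, not Craft's or Sentry's own implementation): a release is requested by opening an issue, approval is a label that only counts when applied by one of a small release-manager set, the prepare phase runs the untrusted build steps with no publish token in its environment, and the publish phase only uploads the artifact whose digest prepare recorded. The manager names, label name and token variable names are assumptions; the article gives none of them.

```python
"""Valet-key release model (constructed illustration, not Craft's own code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for the illustration; the article names none of these.
RELEASE_MANAGERS = {"alice", "bob", "dana"}       # the few engineers who may approve
APPROVAL_LABEL = "accepted"                      # label that authorises a publish
PUBLISH_TOKEN_KEYS = {"NPM_TOKEN", "PYPI_TOKEN"}  # secrets that must never reach prepare


@dataclass
class ReleaseRequest:
    issue_id: int
    requester: str
    package: str
    version: str
    labels: set = field(default_factory=set)
    artifact_digest: Optional[str] = None      # written by prepare, checked by publish
    audit: list = field(default_factory=list)  # append-only trail of every decision


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def request_release(issue_id, requester, package, version) -> ReleaseRequest:
    """Any engineer may open a release issue; opening one grants nothing."""
    req = ReleaseRequest(issue_id, requester, package, version)
    req.audit.append(f"issue #{issue_id} opened by {requester}: {package} {version}")
    return req


def approve(req: ReleaseRequest, actor: str) -> bool:
    """Only a release manager's label counts; anyone else's attempt is logged and ignored."""
    if actor not in RELEASE_MANAGERS:
        req.audit.append(f"DENIED: {actor} is not a release manager (issue #{req.issue_id})")
        return False
    req.labels.add(APPROVAL_LABEL)
    req.audit.append(f"issue #{req.issue_id} labeled '{APPROVAL_LABEL}' by {actor}")
    return True


def is_approved(req: ReleaseRequest) -> bool:
    return APPROVAL_LABEL in req.labels


def prepare(req: ReleaseRequest, env: dict, build_fn):
    """Prepare phase: build and test with no publish credentials in reach.

    build_fn stands in for the untrusted part of the pipeline (dependencies,
    test scripts); it sees `env` and its return value becomes the artifact.
    Returns the artifact bytes, or None if the phase was refused.
    """
    leaked = sorted(PUBLISH_TOKEN_KEYS & set(env))
    if leaked:
        req.audit.append(f"REFUSED prepare: publish tokens present in environment: {leaked}")
        return None
    artifact = build_fn(req, env)
    req.artifact_digest = sha256_hex(artifact)
    req.audit.append(f"prepared {req.package} {req.version} sha256={req.artifact_digest}")
    return artifact


def publish(req: ReleaseRequest, artifact: bytes, env: dict, upload_fn) -> bool:
    """Publish phase: upload only, only what prepare recorded, and only when approved."""
    if not is_approved(req):
        req.audit.append(f"REFUSED publish: issue #{req.issue_id} lacks the '{APPROVAL_LABEL}' label")
        return False
    if req.artifact_digest is None or sha256_hex(artifact) != req.artifact_digest:
        req.audit.append("REFUSED publish: artifact does not match the digest recorded by prepare")
        return False
    token = env.get("NPM_TOKEN")  # the valet key: present in this phase and nowhere earlier
    if not token:
        req.audit.append("REFUSED publish: no publish token available")
        return False
    upload_fn(req.package, req.version, artifact, token)
    req.audit.append(f"published {req.package} {req.version} sha256={req.artifact_digest}")
    return True


# Constructed stand-ins for the build step and the registry upload.

def probing_build(req, env) -> bytes:
    """Behaves like a compromised dependency that scans the environment for tokens;
    in the prepare phase it finds none, which is the point of the split."""
    found = sorted(k for k in env if k in PUBLISH_TOKEN_KEYS)
    return f"{req.package}-{req.version} tokens_seen={found}".encode()


def fake_upload(package, version, artifact, token):
    """Stand-in for a registry push; a real one would call the registry API."""
    assert token, "upload requires a token"


def run_release(env_prepare: dict, env_publish: dict, approver: str):
    """Walk the whole flow once; returns (published, audit trail)."""
    req = request_release(42, "carol", "example-sdk", "1.2.3")
    approve(req, approver)
    artifact = prepare(req, env_prepare, probing_build)
    ok = artifact is not None and publish(req, artifact, env_publish, fake_upload)
    return ok, req.audit


if __name__ == "__main__":
    published, trail = run_release({"CI": "true"}, {"NPM_TOKEN": "example-token"}, "alice")
    print("published:", published)
    print("\n".join(trail))
```

The audit list is the part that was missing in the original setup: every request, denied approval, refused phase and successful publish is recorded against the issue number, so an unexpected release can be traced to the label and the actor that authorised it. Mapping this onto a real CI system means giving the prepare job no secrets at all and scoping the publish token to a job that only runs on the approval event.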