diff --git a/.github/workflows/rust.yml b/.github/workflows/build.yml
similarity index 86%
rename from .github/workflows/rust.yml
rename to .github/workflows/build.yml
index e20dc9c1b1..e12d6a27b6 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/build.yml
@@ -1,15 +1,11 @@
 name: Rust
 
 on:
-  push:
-    branches: [main]
-  pull_request:
-  workflow_dispatch:
-  merge_group:
-    types: [checks_requested]
-  schedule:
-    # Runs at 03:30, every Saturday
-    - cron: "30 3 * * 6"
+  workflow_call:
+    inputs:
+      release:
+        required: true
+        type: boolean
 
 env:
   RUST_BACKTRACE: 1
@@ -46,6 +42,13 @@ jobs:
         run: |
           cargo build --verbose --features ${{ matrix.features }}
           cargo test --tests --examples --verbose --features ${{ matrix.features }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        if: ${{ inputs.release && contains(matrix.features, 'streams') }}
+        with:
+          subject-path: ./target/libmozjs-${{ matrix.platform.target }}.tar.gz
+
       - name: Upload artifact
         if: ${{ contains(matrix.features, 'streams') }}
         uses: actions/upload-artifact@v4
@@ -81,6 +84,13 @@ jobs:
         run: |
           bash ./mozjs/src/generate_wrappers.sh
           git diff --quiet --exit-code
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        if: ${{ inputs.release && contains(matrix.features, 'streams') }}
+        with:
+          subject-path: ./target/libmozjs-x86_64-unknown-linux-gnu.tar.gz
+
       - name: Upload artifact
         if: ${{ contains(matrix.features, 'streams') }}
         uses: actions/upload-artifact@v4
@@ -122,6 +132,13 @@ jobs:
         shell: cmd
         run: |
           cargo test --tests --examples --verbose --target ${{ matrix.target }} --features ${{ matrix.features }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        if: ${{ inputs.release && !contains(matrix.target, 'aarch64') && contains(matrix.features, 'streams') }}
+        with:
+          subject-path: ./target/${{ matrix.target }}/libmozjs-x86_64-pc-windows-msvc.tar.gz
+
       - name: Upload artifact
         if: ${{ !contains(matrix.target, 'aarch64') && contains(matrix.features, 'streams') }}
         uses: actions/upload-artifact@v4
@@ -149,39 +166,11 @@ jobs:
           ./android-build cargo build --target="armv7-linux-androideabi"
 
   ohos:
-    name: "OpenHarmony build"
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        target: [ 'aarch64-unknown-linux-ohos', 'x86_64-unknown-linux-ohos' ]
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup OpenHarmony SDK
-        id: setup_sdk
-        uses: openharmony-rs/setup-ohos-sdk@v0.1
-        with:
-          version: "4.1"
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: ${{ matrix.target }}
-      - name: Build (arch ${{ matrix.target }} )
-        env:
-          OHOS_SDK_NATIVE: ${{ steps.setup_sdk.outputs.ohos_sdk_native }}
-        run: |
-          ./ohos-build cargo build --target="${{ matrix.target }}"
-
-  ohos-release:
-    name: "OpenHarmony release artifact"
+    name: "OpenHarmony"
     runs-on: ubuntu-latest
-    if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
-    permissions:
-      id-token: write
-      contents: read
-      attestations: write
     strategy:
       matrix:
-        target: [ 'aarch64-unknown-linux-ohos', 'x86_64-unknown-linux-ohos' ]
+        target: ["aarch64-unknown-linux-ohos", "x86_64-unknown-linux-ohos"]
     steps:
       - uses: actions/checkout@v4
       - name: Setup OpenHarmony SDK
@@ -197,11 +186,12 @@ jobs:
         env:
           OHOS_SDK_NATIVE: ${{ steps.setup_sdk.outputs.ohos_sdk_native }}
         run: |
-          ./ohos-build cargo build --release --target="${{ matrix.target }}"
+          ./ohos-build cargo build --target="${{ matrix.target }}" --features "streams"
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1
+        if: ${{ inputs.release }}
         with:
-          subject-path: './target/libmozjs-${{ matrix.target }}.tar.gz'
+          subject-path: "./target/libmozjs-${{ matrix.target }}.tar.gz"
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -257,7 +247,7 @@ jobs:
   publish-release:
     name: Check version and publish release
     runs-on: ubuntu-latest
-    needs: ["linux", "mac", "windows", "ohos-release"]
+    needs: ["linux", "mac", "windows", "ohos"]
     if: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
     steps:
       - uses: actions/checkout@v4
@@ -266,7 +256,7 @@ jobs:
           merge-multiple: true
       - name: Publish release if tag doesn't exist
         id: check-tag
-        if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+        if: ${{ inputs.release }}
         run: |
           RELEASE_TAG=mozjs-sys-v$(cargo metadata --format-version=1 --no-deps | jq -r '.packages[] | select(.name == "mozjs_sys") | .version')
           git fetch --tags --quiet
@@ -281,7 +271,7 @@ jobs:
     name: Verify release
     needs: publish-release
     if: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-    uses: ./.github/workflows/release.yml
+    uses: ./.github/workflows/release-check.yml
     with:
       release-tag: ${{ needs.publish-release.outputs.release-tag }}
 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000000..bcbdd1dc3f
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,44 @@
+name: Rust
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+  merge_group:
+    types: [checks_requested]
+  schedule:
+    # Runs at 03:30, every Saturday
+    - cron: "30 3 * * 6"
+
+# dispatches build workflow with different permissions
+jobs:
+  elevated:
+    if: ${{ github.event_name == 'push' }}
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+    uses: ./.github/workflows/build.yml
+    with:
+      release: true
+    secrets: inherit
+  normal:
+    if: ${{ github.event_name != 'push' }}
+    uses: ./.github/workflows/build.yml
+    with:
+      release: false
+    secrets: inherit
+
+  build_result:
+    name: Result
+    runs-on: ubuntu-latest
+    needs: ["elevated", "normal"]
+    if: ${{ always() }}
+    steps:
+      - name: Mark the job as successful
+        if: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+        run: exit 0
+      - name: Mark the job as unsuccessful
+        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
+        run: exit 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release-check.yml
similarity index 100%
rename from .github/workflows/release.yml
rename to .github/workflows/release-check.yml
diff --git a/mozjs-sys/Cargo.toml b/mozjs-sys/Cargo.toml
index 040e14bf0a..5004acd56c 100644
--- a/mozjs-sys/Cargo.toml
+++ b/mozjs-sys/Cargo.toml
@@ -2,7 +2,7 @@
 name = "mozjs_sys"
 description = "System crate for the Mozilla SpiderMonkey JavaScript engine."
 repository.workspace = true
-version = "0.128.0-12"
+version = "0.128.0-13"
 authors = ["Mozilla"]
 links = "mozjs"
 build = "build.rs"