diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
index 1e105b6..5b7a41f 100644
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -8,9 +8,6 @@ env:
   CR_PACKAGE_PATH: "${{ github.workspace }}/.cr-release-packages"
   CR_TOOL_PATH: "${{ github.workspace }}/.cr-tool"
   CR_VERSION: "1.5.0"
-permissions:
-  contents: read
-  id-token: write
 jobs:
   setup:
     runs-on: ubuntu-latest
@@ -65,12 +62,23 @@ jobs:
     needs: [setup]
     runs-on: ubuntu-latest
     if: needs.setup.outputs.changed == 'true'
+    permissions:
+      contents: write
+      id-token: write
     steps:
+    - id: get-secrets
+      uses: grafana/shared-workflows/actions/get-vault-secrets@main
+      with:
+        # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
+        repo_secrets: |
+          APP_ID=github-app:app-id
+          PRIVATE_KEY=github-app:private-key
     - uses: actions/create-github-app-token@v1
       id: app-token
       with:
-        app-id: ${{ secrets.app-id }}
-        private-key: ${{ secrets.private-key }}
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
     - name: Checkout
       uses: actions/checkout@v4
       with:
diff --git a/docs/create_new_release.md b/docs/create_new_release.md
new file mode 100644
index 0000000..282959f
--- /dev/null
+++ b/docs/create_new_release.md
@@ -0,0 +1,10 @@
+# Create a new release
+
+1. Update the version field in charts/meta-monitoring/Chart.yaml in a new PR. Merge this PR if approved.
+
+2. On the [Actions tab](https://github.com/grafana/meta-monitoring-chart/actions):
+   - Select `Release Helm chart` in the workflows on the left
+   - Click the `Run workflow` button
+   - Leave the `main` branch as is
+   - Click the green `Run workflow` button
+