diff --git a/.github/workflows/stage-release-candidate.yml b/.github/workflows/stage-release-candidate.yml
index a07380908a..749218f0e7 100644
--- a/.github/workflows/stage-release-candidate.yml
+++ b/.github/workflows/stage-release-candidate.yml
@@ -31,61 +31,40 @@ jobs:
     steps:
       - name: Check version parameter
         run: |-
-          if [[ "$REF" != *"-RC"* ]]; then 
+          if [[ "$REF" != "refs/tags/"* ]]; then 
+            echo "Trigger this workflow on a tag"
+            exit 1
+          fi
+          if [[ "$REF" == *"-RC"* ]]; then 
             echo "Trigger this workflow on an RC tag"
             exit 1
           fi
-          export VERSION=$(echo $REF | sed -e "s/\(.*\)-.*/\\1/")
+          export VERSION=$(echo $REF | sed -e "s/refs\/tags\/\(.*\)-.*/\\1/")
           echo "Version: $VERSION"
-          echo "RC: $REF"
         env:
-          REF: ${{ github.ref_name }}
+          REF: ${{ github.event.ref }}
 
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
           fetch-tags: true
           persist-credentials: false
 
+      - name: Setup Java 17
+        uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Install sbt
+        uses: sbt/setup-sbt@17575ea4e18dd928fe5968dbe32294b97923d65b # v1.1.13
+
+      # We intentionally do not use the Coursier cache for release candidates,
+      # to reduce attack surface
+
+      # We intentionally postpone the signing to a separate step, to reduce
+      # attack surface
       - name: Generate source dist
         run: |-
-          VERSION=$(echo $REF | sed -e "s/\(.*\)-.*/\\1/")
-          PREFIX=apache-pekko-$VERSION
-          DATE=$(git log -n1 --format=%cs | tr -d -)
-          TARBALL=$PREFIX-src-$DATE.tgz
-
-          mkdir dist
-          git archive --format=tar.gz --output=dist/$TARBALL --prefix=$PREFIX/ HEAD
-          cd dist
-          sha512sum $TARBALL > $TARBALL.sha512
-        env:
-          REF: ${{ github.ref_name }}
-
-      - name: Sign source dist
-        run: |-
-          echo $PEKKO_GPG_SECRET_KEY | base64 -d | gpg --batch --import --import-options import-show
-          gpg -ab dist/*.tgz
-        env:
-          PEKKO_GPG_SECRET_KEY: ${{ secrets.PEKKO_GPG_SECRET_KEY }}
-
-      - uses: actions/forgejo-release@v2.7.2
-        with:
-          direction: upload
-          url: https://forge.engelen.eu
-          repo: raboof/pekko
-          release-dir: dist
-          release-notes: "MY RELEASE NOTES"
-          
-      - name: Upload source dist
-        run: |-
-          svn checkout https://dist.apache.org/repos/dist/dev/pekko dist
-          cd dist
-          mkdir $REF
-          cp ../*.tgz* $REF
-          svn add $REF $REF/*
-          svn commit --username $PEKKO_SVN_DEV_USERNAME --password $PEKKO_SVN_DEV_PASSWORD --message "Stage Pekko $REF" $REF
-        env:
-          PEKKO_SVN_DEV_USERNAME: ${{ secrets.PEKKO_SVN_DEV_USERNAME }}
-          PEKKO_SVN_DEV_PASSWORD: ${{ secrets.PEKKO_SVN_DEV_PASSWORD }}
-          REF: ${{ github.ref_name }}
+          sbt "clean; set ThisBuild / version := \"$VERSION\"; sourceDistGenerate"