diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a52fb848..32122c13 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
 registry-url: 'https://registry.npmjs.org'
 - name: Install dependencies
- run: npm ci
+ run: npm ci --ignore-scripts
 - name: Verify OpenCode package payload
 run: node tests/scripts/build-opencode.test.js
diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index a6fe2cec..4368a0c1 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -50,7 +50,7 @@ jobs:
 registry-url: 'https://registry.npmjs.org'
 - name: Install dependencies
- run: npm ci
+ run: npm ci --ignore-scripts
 - name: Verify OpenCode package payload
 run: node tests/scripts/build-opencode.test.js
diff --git a/tests/scripts/release-publish.test.js b/tests/scripts/release-publish.test.js
index 6a061b50..6365161d 100644
--- a/tests/scripts/release-publish.test.js
+++ b/tests/scripts/release-publish.test.js
@@ -41,6 +41,10 @@ for (const workflow of [
 assert.match(content, /registry-url:\s*['"]https:\/\/registry\.npmjs\.org['"]/);
 });
+ test(`${workflow} ignores dependency lifecycle scripts before privileged publish`, () => {
+ assert.match(content, /npm ci --ignore-scripts/);
+ });
+
 test(`${workflow} checks whether the tagged npm version already exists`, () => {
 assert.match(content, /Check npm publish state/);
 assert.match(content, /npm view "\$\{PACKAGE_NAME\}@\$\{PACKAGE_VERSION\}" version/);
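Review bot: `--ignore-scripts` on the `Install dependencies` step only blocks install-time lifecycle scripts; dependency code can still execute in the same job once the next step runs `node tests/scripts/build-opencode.test.js`, so the hardening holds only if the publish credential is not yet in the environment at that point. The hunk does not show where the npm token or any `id-token` permission is set; if it is job-level, it would be worth scoping it to the publish step alone. The flag also suppresses the root package's own `prepare`/`postinstall` and any dependency native-build step, so confirm the payload check still runs against a fully built package. The same applies to the identical change in `reusable-release.yml`, and both would benefit from a comment above the `run:` line such as `# --ignore-scripts: no dependency lifecycle scripts may run in the job that publishes`.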
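Review bot: The new assertion `assert.match(content, /npm ci --ignore-scripts/)` passes as soon as that string appears anywhere in the workflow file. A second plain `npm ci` or an `npm install` added later in the same file, or the flag surviving only in a comment, would not fail it. Pairing it with a negative check such as `assert.doesNotMatch(content, /npm ci(?!\s+--ignore-scripts)/);` would pin that every `npm ci` in the workflow is script-free. The enclosing `for (const workflow of [` loop starts and ends outside the hunk, so how `content` is loaded is not visible here.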