diff --git a/.github/workflows/openvex.yml b/.github/workflows/openvex.yml
index b3384578ea..5b80fa92b2 100644
--- a/.github/workflows/openvex.yml
+++ b/.github/workflows/openvex.yml
@@ -3,7 +3,8 @@ name: openvex
 on:
   workflow_dispatch:
   release:
-    types: [published]
+    types:
+      - released
 
 permissions:
   contents: read
@@ -11,13 +12,26 @@ permissions:
 jobs:
   vexctl:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: Set environment variables
         run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
       - uses: openvex/generate-vex@c59881b41451d7ccba5c3b74cd195382b8971fcd
         # Refer: https://github.com/openvex/vexctl#operational-model
         name: Run vexctl
         with:
             product: pkg:golang/k8s.io/kube-state-metrics/v2@${{ env.RELEASE_VERSION }}
+            file: kube-state-metrics.openvex.json
+
+      - name: Upload OpenVEX document to GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload ${{ env.RELEASE_VERSION }} kube-state-metrics.openvex.json