diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml
index 323059e99e6b6..dfef0c90463a2 100644
--- a/.github/workflows/npm.yml
+++ b/.github/workflows/npm.yml
@@ -126,6 +126,12 @@ jobs:
 mkdir -p "$ARTIFACT_DIR"
 ls -la "$ARTIFACT_DIR" || true
 
+ - name: Require trusted workflow_run context for artifact consumption
+ if: ${{ github.event_name != 'workflow_run' }}
+ run: |
+ echo "Refusing to consume artifacts outside workflow_run context." >&2
+ exit 1
+
 - name: Download Release Assets
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
@@ -135,7 +141,7 @@ jobs:
 # Extract artifacts into an isolated temp directory, not the workspace
 path: ${{ steps.paths.outputs.artifact_dir }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
- run-id: ${{ github.event.workflow_run.id || inputs.run_id }}
+ run-id: ${{ github.event.workflow_run.id }}
 
 - name: Setup Bun
 uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
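Review bot: The guard step added in the first hunk tests only `github.event_name`, which shows how this workflow was started, not whether the upstream run that produced the artifacts can be trusted. A `workflow_run` trigger also fires for upstream runs that failed or that were started from fork pull requests. Unless the trigger or a job-level condition outside this hunk already filters those, the guard should check the upstream run as well, for example `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion != 'success' || github.event.workflow_run.head_repository.full_name != github.repository }}`. The step name would then match what is actually enforced. The steps list begins and continues outside the hunk.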
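Review bot: In the second hunk `run-id` no longer falls back to `inputs.run_id`, but nothing visible here removes the input itself. If a `workflow_dispatch` trigger with a `run_id` input is still declared outside the hunk, a manual dispatch will now always stop at the guard step, and the input is dead configuration that should be removed in the same change. A comment above the line would record the intent for the next maintainer, for example `# workflow_run only: the run id must come from the triggering event, never from caller input`.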