diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dea9f3b9ef4..08d09b66038 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -391,11 +391,11 @@ jobs:
         checks:
           - advisories
           - bans licenses sources
-    # Prevent sudden announcement of a new advisory from failing ci:
-    continue-on-error: ${{ matrix.checks == 'advisories' }}
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
       - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe  # v2
+        # Prevent sudden announcement of a new advisory from failing CI or blocking PR merges.
+        continue-on-error: ${{ matrix.checks == 'advisories' }}
         with:
           command: check ${{ matrix.checks }}
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6398c54c20e..0eab1a2dd95 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,7 +12,18 @@ on:
     types: [published]
 
 jobs:
+  rustsec-audit:
+    name: RustSec Audit
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe  # v2
+        with:
+          command: check advisories
+
   package:
+    needs: [rustsec-audit]
     uses: ./.github/workflows/package.yml
     with:
       version: ${{ github.event.release.tag_name }}