diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cc0d643..a57fd2c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -308,6 +308,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: [detect-version-change, build-and-verify, create-release]
     if: needs.detect-version-change.outputs.version-changed == 'true'
+    permissions:
+      contents: read
+      id-token: write  # Required for NPM Trusted Publishing (OIDC)
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -393,9 +396,7 @@ jobs:
           max_attempts: 3
           command: |
             cd npm-publish-temp
-            npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+            npm publish --access public --provenance
       
       - name: Clean up
         if: always()