diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f2a6903..986f3bb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,7 +6,7 @@ on:
 
 permissions:
   contents: read
-  packages: write
+  id-token: write # for provenance and publish access
 
 jobs:
   publish-npm:
@@ -22,6 +22,4 @@ jobs:
       - run: npm version ${TAG_NAME} --git-tag-version=false --allow-same-version
         env:
           TAG_NAME: ${{ github.event.release.tag_name }}
-      - run: npm whoami; npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
+      - run: npm publish --access public --provenance