diff --git a/.github/workflows/public-publish.yml b/.github/workflows/public-publish.yml
index c074a80..6ab1204 100644
--- a/.github/workflows/public-publish.yml
+++ b/.github/workflows/public-publish.yml
@@ -16,9 +16,11 @@ jobs:
 environment: release
 permissions:
 contents: write
-
+ id-token: write # needed for OIDC token provenance
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 node-version: lts/*
@@ -27,8 +29,9 @@ jobs:
 - run: |
 git config user.name "github-actions"
 git config user.email "github-actions@github.com"
+ git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
 npm version ${{ inputs.bump }}
- npm publish --access public
+ npm publish --access public --provenance
 git push --follow-tags
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
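Review bot: `persist-credentials: false` on the checkout step has no comment, while the `id-token: write` line above it does. Its purpose is not obvious to a reader, because the later run step sets a token-bearing remote URL again. A comment such as `# keep GITHUB_TOKEN out of .git/config for the steps that run before the push` would record the intent. The `id-token` comment could also name its consumer, e.g. `# lets npm publish --provenance request an OIDC token`. The steps list continues outside this hunk.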
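Review bot: The added `git remote set-url origin https://x-access-token:...` line writes GITHUB_TOKEN into `.git/config` before `npm version` and `npm publish` run. Any lifecycle script those commands execute can then read a token with `contents: write`, which undoes much of what `persist-credentials: false` gains in the first hunk. Moving the line to directly before `git push --follow-tags` narrows that window, since `npm version` only commits and tags locally. Supplying the token through the step's `env:` (e.g. `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and using `"$GH_TOKEN"` in the URL would also keep the secret out of the rendered script text. `${{ inputs.bump }}` on the context line is expanded into the shell the same way, so if that input is free-form it should go through `env:` as well.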