cartridge-gg · steebchen · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026 · Copilot
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: write
+
 jobs:
   publish:
     if:
@@ -37,15 +41,11 @@ jobs:
         if: ${{ github.event.pull_request.head.ref == 'prepare-release' }}
         run: |
           pnpm release
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Publish prerelease to npm
         if: ${{ github.event.pull_request.head.ref == 'prepare-prerelease' }}
         run: |
           pnpm release:prerelease
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Extract changelog for version
         id: get_changelog

diff --git a/package.json b/package.json
@@ -16,8 +16,8 @@
     "format": "turbo format lint:fix",
     "clean": "git clean -fdX && pnpm store prune",
     "ci": "pnpm clean && pnpm i",
-    "release": "pnpm build && pnpm -r --filter=@cartridge/controller --filter=@cartridge/connector publish --tag latest --no-git-checks --access public",
-    "release:prerelease": "pnpm build && pnpm -r --filter=@cartridge/controller --filter=@cartridge/connector publish --tag prerelease --no-git-checks --access public",
+    "release": "pnpm build && pnpm -r --filter=@cartridge/controller --filter=@cartridge/connector publish --tag latest --no-git-checks --access public --provenance",
+    "release:prerelease": "pnpm build && pnpm -r --filter=@cartridge/controller --filter=@cartridge/connector publish --tag prerelease --no-git-checks --access public --provenance",
     "keychain": "pnpm --filter @cartridge/keychain",
     "controller": "pnpm --filter @cartridge/controller",
     "connector": "pnpm --filter @cartridge/connector",