diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml index a86f3c1..70fd261 100644 --- a/.github/workflows/nodejs.yml +++ b/.github/workflows/nodejs.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: build: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8e219eb..2e113f5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,6 +4,10 @@ on: release: types: [created] +permissions: + contents: read + id-token: write + jobs: publish-npm: runs-on: ubuntu-latest @@ -19,6 +23,6 @@ jobs: - run: npm version ${TAG_NAME} --git-tag-version=false env: TAG_NAME: ${{ github.event.release.tag_name }} - - run: npm whoami; npm --ignore-scripts publish + - run: npm whoami; npm --ignore-scripts publish --provenance env: NODE_AUTH_TOKEN: ${{secrets.npm_token}} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0a53206..bb737c6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,10 @@ on: description: Semver descriptor for new version ("major", "minor", or "patch") required: true +permissions: + contents: write + id-token: write + jobs: bump-version: name: Bump package version @@ -70,6 +74,6 @@ jobs: - name: Build package run: npm run build --if-present - name: Publish - run: npm publish --access public + run: npm publish --provenance --access public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
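Review bot: In the publish.yml `permissions` hunk, `id-token: write` is granted at the workflow level, so every job in that file, not only `publish-npm`, can mint OIDC tokens. Only the `publish-npm:` job header is visible here; if it is the sole job this is equivalent, but the least-privilege form is to drop the top-level block and put `permissions:` / `contents: read` / `id-token: write` directly under `publish-npm:` so the credential is scoped to the job that actually calls `npm publish --provenance`. The rest of the job body is outside the hunk.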
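Review bot: The new `npm whoami; npm --ignore-scripts publish --provenance` line still joins the two commands with `;`, so a failed `npm whoami` (bad or expired `npm_token`) never stops the publish attempt; `npm whoami && npm publish --ignore-scripts --provenance` fails fast and keeps the flag order readable. `--provenance` is only honoured by npm 9.5 or newer, and I believe older npm accepts it as an unknown config key and publishes without an attestation rather than erroring, so the setup-node step outside this hunk should pin a Node release that ships a recent enough npm (or run `npm install -g npm@latest` first). Note also that provenance attests where the build ran but the upload still authenticates with the long-lived `npm_token` secret, so that token should be a granular token limited to this package, and npm's OIDC trusted publishing, where available, removes the secret entirely; as far as I know npm also rejects the publish if `package.json` `repository.url` does not match this repository, which is worth checking before the first tagged release.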
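Review bot: In the release.yml `permissions` hunk, `contents: write` and `id-token: write` are both granted to every job in the workflow, so the job that runs `npm publish` can also push to the repository and any other job can mint OIDC tokens. From the visible lines only `bump-version` plausibly needs `contents: write` (to push the version commit/tag); the job layout beyond its header is outside the hunk, so this is inferred. Prefer job-level grants: `contents: write` under `bump-version:` and `permissions: { contents: read, id-token: write }` under the publishing job, with no workflow-level block.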
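Review bot: The new `run: npm publish --provenance --access public` line omits `--ignore-scripts`, while the equivalent line in publish.yml passes it; unless a lifecycle script is genuinely required at publish time, `run: npm publish --ignore-scripts --provenance --access public` keeps the two workflows consistent and stops a compromised dependency's `prepublish`/`postpublish` hook from running while `NPM_TOKEN` is in the environment (the separate "Build package" step already runs the build explicitly). As with publish.yml, `--provenance` needs npm 9.5+, which the setup-node step outside this hunk must guarantee, and I believe npm also requires `package.json` `repository.url` to match this repository for the attestation to be accepted. The enclosing job starts outside the hunk.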