diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 62d97f7..8f78aed 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,10 @@ jobs:
 release-stable:
 runs-on: ubuntu-24.04
 name: Release Stable
+ permissions:
+ contents: write
+ id-token: write # Needed for npm trusted publishing
+ pull-requests: write
 outputs:
 published: ${{ steps.changesets.outputs.published }}
 steps:
@@ -24,6 +28,9 @@ jobs:
 node-version: 24
 cache: "pnpm"
+ - name: Update npm
+ run: npm install -g npm@^11
+
 - name: Install Dependencies
 run: pnpm install --frozen-lockfile
@@ -37,7 +44,6 @@ jobs:
 version: pnpm changeset-version
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Get current package version
 id: get_version
@@ -53,6 +59,8 @@ jobs:
 runs-on: ubuntu-24.04
 name: Release Unstable
 needs: release-stable
+ permissions:
+ id-token: write # Needed for npm trusted publishing
 if: always() && github.event_name == 'push' && needs.release-stable.outputs.published == 'false'
 steps:
 - name: Checkout Repo
@@ -65,21 +73,15 @@ jobs:
 node-version: 24
 cache: "pnpm"
+ - name: Update npm
+ run: npm install -g npm@^11
+
 - name: Install Dependencies
 run: pnpm install --frozen-lockfile
- - name: Creating .npmrc
- run: |
- cat << EOF > ".npmrc"
- //registry.npmjs.org/:_authToken=$NPM_TOKEN
- EOF
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
 - name: Create unstable release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: |
 # this ensures there's always a patch release created
 cat << 'EOF' > .changeset/snapshot-template-changeset.md
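Review bot: The `id-token: write` grant added to `release-stable` is job-wide, so every step in the job, including `pnpm install --frozen-lockfile`, runs with the ability to request the OIDC token that trusted publishing relies on, whereas the removed `NPM_TOKEN` was set only in the `env` of the changesets step (third hunk). Consider running install and build in a job without `id-token: write` and keeping that grant on a job that only publishes, or at least confirm that dependency lifecycle scripts are not executed during the install. The `contents: write` and `pull-requests: write` lines would also benefit from a trailing reason comment like the one on `id-token`, so a later reader can tell which grant is safe to drop. The job's step list continues outside this hunk.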
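Review bot: `npm install -g npm@^11` in the new `Update npm` step installs whichever 11.x release is newest when the workflow runs, so the CLI that performs the publish is fixed neither by the lockfile nor by this file. In a job that holds `id-token: write`, pin it to an exact version, e.g. `run: npm install -g npm@<exact 11.x version>`, choosing one at or above the minimum npm documents for trusted publishing (11.5.1, to my knowledge; please confirm), and bump it deliberately. The same step is added to `release-unstable` in the last hunk and should get the same pin.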
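Review bot: Declaring `permissions:` with only `id-token: write` on `release-unstable` sets every other `GITHUB_TOKEN` scope to `none`, including `contents`, yet the job still begins with `Checkout Repo` and passes `GITHUB_TOKEN` to the `Create unstable release` step (last hunk). Checkout of a public repository may still succeed, but the read grant should be stated explicitly: add `contents: read # Needed for checkout` under `permissions:`. If the snapshot release step uses `GITHUB_TOKEN` for anything beyond reading, that scope needs listing too; the step's script is cut off in this diff, so this cannot be confirmed from here.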