diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d46250d..db757a6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -34,7 +34,12 @@ jobs:
 packages: write
 pull-requests: write
 issues: write
-
+ # OIDC
+ id-token: write
+ env:
+ # Force npm to emit provenance (SLSA) when publishing via OIDC.
+ NPM_CONFIG_PROVENANCE: true
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
@@ -57,7 +62,10 @@ jobs:
 run: |
 corepack enable
 corepack prepare yarn@3.6.1 --activate
-
+
+ - name: Ensure npm 11.5.1+ for trusted publishing
+ run: npm install -g npm@^11.5.1
+
 - name: Get yarn cache directory path
 id: yarn-cache-dir-path
 run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
@@ -109,7 +117,6 @@ jobs:
 run: ${{ steps.release_cmd.outputs.cmd }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT }}
 - name: Upload npm logs on failure
 if: failure()
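Review bot: `NPM_CONFIG_PROVENANCE: true` is an unquoted YAML boolean; Actions stringifies env values so npm still sees "true", but `NPM_CONFIG_PROVENANCE: "true"` states the intent explicitly and avoids yamllint's truthy warning on a value that is really a string. The `# OIDC` comment should say what the new permission buys and what it exposes, e.g. `# id-token: write lets any step in this job request an OIDC token for npm trusted publishing; keep the step list minimal`. Because `id-token: write` is job-scoped, every step in the job, including third-party actions such as the `actions/checkout@v4` context line, can mint that token, so pinning those actions to a commit SHA rather than a floating tag is worth considering alongside this change. The trusted-publisher binding on the npm side must name this repository and workflow file; that configuration is not visible here. The enclosing permissions block and job definition start before this hunk.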
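Review bot: `npm install -g npm@^11.5.1` resolves to whichever 11.x release is newest when the job runs, so the publish job pulls an unpinned, unverified dependency into the release path on every run. Pin the exact version and confirm what was installed, `run: |` / `npm install -g npm@11.5.1` / `npm --version`, and bump the pin deliberately when a newer npm is actually required; the step name "Ensure npm 11.5.1+" can stay. If the runner's Node version does not satisfy npm 11's engine requirement this step fails outright rather than falling back, which depends on the setup-node step outside this hunk. The step follows `corepack prepare yarn@3.6.1`, so it is worth confirming that the later release command invokes this global npm rather than a Yarn-managed publish path; that command is built in a step not shown here.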