diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a8cdd763aa..5c655716f9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -674,6 +674,8 @@ jobs:
         shell: bash
 
   publish:
+    permissions:
+      id-token: write
     needs:
       - test-installation-npm
       - test-installation-pnpm
@@ -701,11 +703,9 @@ jobs:
         shell: bash
 
       - name: Publish packages on npm with tag "ci"
-        env:
-          YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
         run: |
           yarn workspaces foreach -W --no-private \
-            npm publish --tolerate-republish --tag ci
+            npm publish --provenance --tolerate-republish --tag ci
 
       - name: Update Website Playground
         run: curl -X POST "${{ secrets.CLOUDFLARE_PAGES_DEPLOYMENT_HOOK }}"
diff --git a/package.json b/package.json
index 412921c3ed..93d7c8daae 100644
--- a/package.json
+++ b/package.json
@@ -34,6 +34,10 @@
     "Paul Tsnobiladzé (https://github.com/tsnobip)",
     "Woonki Moon (https://github.com/mununki)"
   ],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "engines": {
     "node": ">=20.11.0"
   },
diff --git a/packages/@rescript/darwin-arm64/package.json b/packages/@rescript/darwin-arm64/package.json
index 7e82654ebd..7ac7a5fc83 100644
--- a/packages/@rescript/darwin-arm64/package.json
+++ b/packages/@rescript/darwin-arm64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
diff --git a/packages/@rescript/darwin-x64/package.json b/packages/@rescript/darwin-x64/package.json
index ce04820cf2..21be87bb17 100644
--- a/packages/@rescript/darwin-x64/package.json
+++ b/packages/@rescript/darwin-x64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
diff --git a/packages/@rescript/linux-arm64/package.json b/packages/@rescript/linux-arm64/package.json
index dfc96fa106..96a65d09d6 100644
--- a/packages/@rescript/linux-arm64/package.json
+++ b/packages/@rescript/linux-arm64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
diff --git a/packages/@rescript/linux-x64/package.json b/packages/@rescript/linux-x64/package.json
index 954321db53..88c4ae67cd 100644
--- a/packages/@rescript/linux-x64/package.json
+++ b/packages/@rescript/linux-x64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
diff --git a/packages/@rescript/runtime/package.json b/packages/@rescript/runtime/package.json
index 0864474c19..570e6cfa44 100644
--- a/packages/@rescript/runtime/package.json
+++ b/packages/@rescript/runtime/package.json
@@ -27,7 +27,8 @@
     "Woonki Moon (https://github.com/mununki)"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "files": [
     "lib"
diff --git a/packages/@rescript/win32-x64/package.json b/packages/@rescript/win32-x64/package.json
index f7829a2b3c..ac77db5116 100644
--- a/packages/@rescript/win32-x64/package.json
+++ b/packages/@rescript/win32-x64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",