diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c452493d4..87198ae26 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,6 +3,10 @@ name: Publish
 on:
   workflow_dispatch:
 
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
+
 jobs:
   release:
     if: github.ref == 'refs/heads/main'
@@ -15,21 +19,16 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
-      - name: Set node version to 22
+      - name: Set node version to 24
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
-          node-version: 22.22.0
+          node-version: 24
           cache: 'pnpm'
 
       - name: Prepare
         run: pnpm install --frozen-lockfile
 
-      - name: Set publishing config
-        run: pnpm config set '//registry.npmjs.org/:_authToken' "${NODE_AUTH_TOKEN}"
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
       - name: Publish
         run: |
           PACKAGE_DIST_TAG=$(node -e "console.log(/^\d+\.\d+\.\d+(\-(\w+)\.\d+)$/.exec(require('./package.json').version)?.[2] || 'latest')")
-          pnpm publish --access public --tag $PACKAGE_DIST_TAG
+          pnpm publish --access public --tag $PACKAGE_DIST_TAG --provenance