diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 841a2ea..d3aae83 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -5,6 +5,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -59,6 +62,9 @@ jobs:
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v')
     needs: [build, test]
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@v3
@@ -76,7 +82,7 @@ jobs:
         run: npm ci
 
       - name: Publish to npm
-        run: npm publish --provenance
+        run: npm publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -84,6 +90,8 @@ jobs:
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v')
     needs: publish
+    permissions:
+      contents: write
 
     steps:
       - uses: actions/checkout@v3
diff --git a/package.json b/package.json
index efac84f..af8dc8b 100644
--- a/package.json
+++ b/package.json
@@ -61,6 +61,7 @@
     "node": ">=14.17.0"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   }
 }