diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e47c9efd..c1f931d6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -37,6 +37,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read # for checkout
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -47,7 +50,7 @@ jobs:
 with:
 cache: npm
 node-version: lts/*
- - run: npm ci
+ - run: npm clean-install
 # Linting can be skipped
 - run: npm run lint
 if: github.event.inputs.test != 'false'
@@ -71,7 +74,7 @@ jobs:
 include:
 - os: ubuntu-latest
 # Test the oldest LTS release of Node that's still receiving bugfixes and security patches, versions older than that have reached End-of-Life
- node: lts/-2
+ node: lts/-1
 - os: ubuntu-latest
 # Test the actively developed version that will become the latest LTS release next October
 node: current
@@ -87,10 +90,15 @@ jobs:
 with:
 cache: npm
 node-version: ${{ matrix.node }}
- - run: npm i
+ - run: npm install
 - run: npm test
 release:
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance
 needs: [build, test]
 # only run if opt-in during workflow_dispatch
 if: always() && github.event.inputs.release == 'true' && needs.build.result != 'failure' && needs.test.result != 'failure' && needs.test.result != 'cancelled'
@@ -106,7 +114,8 @@ jobs:
 with:
 cache: npm
 node-version: lts/*
- - run: npm ci
+ - run: npm clean-install
+ - run: npm audit signatures
 # Branches that will release new versions are defined in .releaserc.json
 - run: npx semantic-release
 # Don't allow interrupting the release step if the job is cancelled, as it can lead to an inconsistent state
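Review bot: Moving the oldest tested Node from `lts/-2` to `lts/-1` leaves the package's declared support range untested: package.json in this same diff still advertises `"node": ">=14"` (context in the package.json hunk), yet no job now runs anything older than the previous LTS line. Either raise the engines floor to match the matrix, or keep `lts/-2` if the floor is intentional; the comment above the changed line should then say which LTS line the alias is meant to cover, e.g. `# Previous LTS line; engines.node in package.json should match the oldest version tested here`. The same change appears in the template copy at assets/inject/semver-workflow/.github/workflows/main.yml.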
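Review bot: The test matrix now runs `npm install`, which resolves dependencies afresh and may rewrite package-lock.json, while the build and release jobs in this diff use `npm clean-install` and so build and publish a lockfile-exact tree; the matrix can end up exercising different dependency versions than what is released. If this is deliberate (for instance because an older npm in the matrix cannot read the lockfile), record that next to the step, e.g. `# npm install rather than clean-install: older npm in the matrix may not read this lockfileVersion`; otherwise use `npm clean-install` here too. Separately, the release job now holds `contents: write` and `id-token: write`, but its existing `if:` gate only excludes a failed build while for test it excludes both failure and cancellation; adding `needs.build.result != 'cancelled'` would make the gate symmetric before those permissions are exercised. The template copy under assets/inject/semver-workflow has the same two hunks.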
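Review bot: `npm audit signatures` after `npm clean-install` verifies only the installed tree; the following `npx semantic-release` step resolves its package at run time, so unless semantic-release is a declared devDependency (not visible in this diff) npx downloads whatever version the registry currently serves, after the signature check and right before publishing with the job's write and OIDC permissions. If it is not already in devDependencies, add it there so `npx` runs the locally installed, signature-verified copy, and say so on the step: `# semantic-release is resolved from node_modules (devDependency), so it is covered by the audit above`. The template copy has the same hunk, where the step is still run with `--dry-run`.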
diff --git a/assets/inject/semver-workflow/.github/workflows/main.yml b/assets/inject/semver-workflow/.github/workflows/main.yml
index 76b465fc..eeb15e5d 100644
--- a/assets/inject/semver-workflow/.github/workflows/main.yml
+++ b/assets/inject/semver-workflow/.github/workflows/main.yml
@@ -37,6 +37,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read # for checkout
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -47,7 +50,7 @@ jobs:
 with:
 cache: npm
 node-version: lts/*
- - run: npm ci
+ - run: npm clean-install
 # Linting can be skipped
 - run: npm run lint --if-present
 if: github.event.inputs.test != 'false'
@@ -71,7 +74,7 @@ jobs:
 include:
 - os: ubuntu-latest
 # Test the oldest LTS release of Node that's still receiving bugfixes and security patches, versions older than that have reached End-of-Life
- node: lts/-2
+ node: lts/-1
 - os: ubuntu-latest
 # Test the actively developed version that will become the latest LTS release next October
 node: current
@@ -87,10 +90,15 @@ jobs:
 with:
 cache: npm
 node-version: ${{ matrix.node }}
- - run: npm i
+ - run: npm install
 - run: npm test --if-present
 release:
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance
 needs: [build, test]
 # only run if opt-in during workflow_dispatch
 if: always() && github.event.inputs.release == 'true' && needs.build.result != 'failure' && needs.test.result != 'failure' && needs.test.result != 'cancelled'
@@ -106,7 +114,8 @@ jobs:
 with:
 cache: npm
 node-version: lts/*
- - run: npm ci
+ - run: npm clean-install
+ - run: npm audit signatures
 # Branches that will release new versions are defined in .releaserc.json
 # @TODO remove --dry-run after verifying everything is good to go
 - run: npx semantic-release --dry-run
@@ -116,9 +125,3 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
- # Re-run semantic release with rich logs if it failed to publish for easier debugging
- - run: npx semantic-release --dry-run --debug
- if: failure()
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
diff --git a/package.json b/package.json
index 2f752d89..3910333d 100644
--- a/package.json
+++ b/package.json
@@ -135,5 +135,9 @@
 "engines": {
 "node": ">=14"
 },
+ "publishConfig": {
+ "access": "public",
+ "provenance": true
+ },
 "binname": "sanity-plugin"
 }
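Review bot: `"provenance": true` in publishConfig applies to every `npm publish` of this package, not only the workflow's; a maintainer publishing from a local machine will fail because provenance generation needs a supported CI OIDC environment, which only the release job (with its new `id-token: write`) provides. That is arguably the desired outcome, but JSON cannot carry a comment saying so; document it in the release instructions, or set it from the workflow step's environment instead (npm reads `npm_config_provenance=true`) if local publishing must remain possible. `"access": "public"` together with provenance is consistent with what the workflow now grants.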