diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0e4e67a..ab1d318 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -61,6 +61,5 @@ jobs:
     name: Publish release
     permissions:
       contents: write
+      id-token: write
     uses: ./.github/workflows/publish-release.yml
-    secrets:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 231f361..4eec7b5 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -2,9 +2,6 @@ name: Publish Release
 
 on:
   workflow_call:
-    secrets:
-      NPM_TOKEN:
-        required: true
 
 jobs:
   publish-release:
@@ -110,13 +107,11 @@ jobs:
           fail-on-cache-miss: true
       - name: Publish web
         working-directory: pkg-web
-        run: npm publish --access=public
+        run: npm publish --access=public --provenance
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           SKIP_PREPACK: true
       - name: Publish node
         working-directory: pkg-node
-        run: npm publish --access=public
+        run: npm publish --access=public --provenance
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           SKIP_PREPACK: true