diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d929c1..1a48c09 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,13 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
+ # npm publishes via OIDC trusted publishing (no tokens) — same config as the
+ # proven force-release.yml. contents/pull-requests are for the changesets
+ # version PR.
+ permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -15,9 +22,9 @@ jobs:
 fetch-depth: 0
 - name: Install Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
 with:
- node-version: 20
+ node-version: 22
 registry-url: "https://registry.npmjs.org"
 - name: Install dependencies
@@ -38,5 +45,4 @@ jobs:
 run: yarn run publish
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
+ NPM_CONFIG_PROVENANCE: true
\ No newline at end of file
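Review bot: The `permissions` block in the first hunk is set at job level, so `id-token: write` and `contents: write` are available to every step of `release`, including `Install dependencies`, whose command lies outside the hunk. With trusted publishing the OIDC token is the publishing credential, so any code that runs in this job, such as a dependency's install script, runs with the ability to publish. Consider moving the publish step into its own job that carries only `id-token: write` and installs with lifecycle scripts disabled, leaving `contents: write` and `pull-requests: write` on the job that opens the changesets version PR. If the split is not practical, tying the npm trusted-publisher entry to this workflow file and a protected GitHub environment narrows what can reach the token.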
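Review bot: In the second hunk, `node-version: 22` bundles an npm 10.x CLI as far as I know, while npm's trusted publishing needs npm 11.5.1 or later, so the token-less publish may fail unless a step between the hunks upgrades npm to a pinned 11.x release. That assumes `yarn run publish` ends up calling the npm CLI, which the diff does not show. Separately, `actions/setup-node@v4` is a movable tag in a job that now holds `id-token: write`; pinning it as `uses: actions/setup-node@<full-commit-sha> # v4` keeps a retagged action from running with publish rights. The same applies to `actions/checkout@v4` in the first hunk.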
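Review bot: Dropping `NPM_TOKEN` and `NODE_AUTH_TOKEN` from the publish step in the third hunk does not retire the credential, because the repository secret and the npm token behind it stay valid until they are deleted and revoked, which this diff cannot show. After the first successful OIDC publish, remove the secret, revoke the token on npm, and consider the package setting that disallows token-based publishing so the trusted publisher is the only path. As a style point, `NPM_CONFIG_PROVENANCE: true` is a YAML boolean that Actions turns into the string `true`; writing `NPM_CONFIG_PROVENANCE: "true"` makes the intended string explicit.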