diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 874126a20..dd53c7eb6 100755
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
 
     # Note that these steps are *identical* to build-and-test (with the caveat
     # that build-and-test uses several versions of Node, and Release only uses
@@ -15,12 +18,13 @@ jobs:
     # that yet.
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
           node-version: 16.x
           cache: npm
-          cache-dependency-path: package-lock.json
 
       - name: install
         run: |
@@ -51,6 +55,6 @@ jobs:
       - name: publish
         run: |
           echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > .npmrc
-          npm publish
+          npm publish --access public --provenance
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}