diff --git a/.github/workflows/package-publish.yml b/.github/workflows/package-publish.yml
index 5f6907510..c82f2cfaf 100644
--- a/.github/workflows/package-publish.yml
+++ b/.github/workflows/package-publish.yml
@@ -19,6 +19,9 @@ on:
 jobs:
 publish:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
@@ -26,7 +29,7 @@ jobs:
 fetch-depth: 0
 - uses: actions/setup-node@v4
 with:
- node-version: 18.x
+ node-version: 24
 cache: 'yarn'
 - name: Check if the release branch exists
 run: |
@@ -57,13 +60,14 @@ jobs:
 yarn install
 yarn build
 - name: Publish to npm
+ env:
+ NPM_TAG: ${{ github.event.inputs.npm_tag }}
 run: |
 cd ./dist
- echo "//registry.npmjs.org/:_authToken=${{ secrets.npm_token }}" > .npmrc
- if [ -z "${{ github.event.inputs.npm_tag }}" ]; then
- npm publish --access=public
+ if [ -z "$NPM_TAG" ]; then
+ npm publish --access=public --provenance
 else
- npm publish --tag ${{ github.event.inputs.npm_tag }} --access=public
+ npm publish --tag "$NPM_TAG" --access=public --provenance
 echo "npm_tag is provided; Skipping the rest of the steps."
 echo "SKIP_REST=true" >> $GITHUB_ENV
 fi
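Review bot: `id-token: write` is granted to the whole `publish` job, so every step in it, including the `yarn install` and `yarn build` steps in the last hunk, runs where an OIDC token for this workflow can be requested. Those steps execute dependency and build scripts, so it would be safer to build in a job without `id-token: write` and pass `dist` to a small publish-only job that holds the permission. If the job stays as one, a comment on the block would record the intent, e.g. `# id-token: write is needed only by the npm publish step (OIDC provenance)`. The `publish` job continues past this hunk, so it is worth confirming that no later step needs more than `contents: read`.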
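Review bot: The publish step no longer writes any credential, so it appears to rely on npm trusted publishing through the OIDC token that `id-token: write` enables, but nothing in the workflow says so. A comment above `run:` would record that dependency, e.g. `# No token: auth is via npm trusted publishing (OIDC); requires a trusted publisher configured on npm for this workflow file`. Since `secrets.npm_token` is no longer read here, the long-lived token behind it should be revoked on npm and the secret deleted, unless another workflow still uses it. `NPM_TAG` now reaches the shell safely through `env:` and is quoted, but it is still free text from the dispatch input, so a short allowlist check before `npm publish` would reject unexpected values. The `run:` script may continue past the end of this hunk.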