diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5030b9494..886571d96 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,6 +3,10 @@ name: Publish
 on:
 workflow_dispatch:
+permissions:
+ contents: write
+ id-token: write
+
 jobs:
 publish:
 name: Publish
@@ -27,5 +31,6 @@ jobs:
 run: pnpm changeset publish
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NPM_CONFIG_PROVENANCE: true
 - run: git push origin --follow-tags
diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml
index 8cfdb2fbe..f82f95396 100644
--- a/.github/workflows/publish_snapshot.yml
+++ b/.github/workflows/publish_snapshot.yml
@@ -7,6 +7,10 @@ on:
 description: 'The npm tag to publish to'
 required: true
+permissions:
+ contents: write
+ id-token: write
+
 jobs:
 publish_snapshot:
 name: Publish (Snapshot)
@@ -36,6 +40,7 @@ jobs:
 run: pnpm changeset publish --tag ${{ inputs.tag }}
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NPM_CONFIG_PROVENANCE: true
 # reset, then push the dangling commit
 - name: git push
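Review bot: The `permissions:` block added at workflow level in publish.yml grants `contents: write` and `id-token: write` to every job in the file, not only to the one that publishes. Only the `publish` job is visible and its body continues outside the hunk, so any other job that exists or is added later inherits both scopes; declaring the block under `jobs.publish` keeps the grant next to the steps that need it. A short comment per scope would help whoever next tightens permissions, for example `id-token: write  # OIDC token for npm provenance` and `contents: write  # tag push at the end of the job` (the second reason is inferred from the `git push origin --follow-tags` step and should be confirmed). The same applies to the identical block added in publish_snapshot.yml.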
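Review bot: Nothing visible restricts which ref this publish run can be dispatched from, and with `NPM_CONFIG_PROVENANCE: true` the package will carry a valid attestation for whatever ref was chosen. The only trigger shown is `on: workflow_dispatch:`, so a run started from a feature branch would produce a release that verifies as cleanly as one built from the release branch. Consider a job-level guard such as `if: github.ref == 'refs/heads/<release-branch>'` (placeholder name) or a protected environment with required reviewers. The publish step and the job both start outside the hunk, so a guard may already exist there.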
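Review bot: In publish_snapshot.yml the publish step still expands `${{ inputs.tag }}` directly inside `run:`, so the input text is pasted into the script before the shell parses it. That step holds `NODE_AUTH_TOKEN` and, after this commit, runs in a workflow with `id-token: write` and `contents: write`, so the value is better passed through the environment: add `TAG: ${{ inputs.tag }}` under `env:` and change the command to `run: pnpm changeset publish --tag "$TAG"`. The step begins above the hunk, and the input is presumably a manual dispatch input that only users with write access can set, which limits the exposure but does not remove the reason to quote it.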