diff --git a/.changes/config.json b/.changes/config.json
index b01389c4..3e552724 100644
--- a/.changes/config.json
+++ b/.changes/config.json
@@ -9,7 +9,17 @@
           "url": "https://registry.npmjs.com/${ pkg.pkgFile.pkg.name }/${ pkg.pkgFile.version }"
         }
       },
-      "publish": ["pnpm build", "pnpm publish --access public --no-git-checks"]
+      "publish": [
+        {
+          "command": "pnpm build",
+          "dryRunCommand": "pnpm build"
+        },
+        {
+          "command": "npm publish --provenance --access public",
+          "dryRunCommand": "npm publish --provenance --access public --dry-run",
+          "pipe": true
+        }
+      ]
     },
     "rust": {
       "version": true,
diff --git a/.github/workflows/covector-version-or-publish-v2.yml b/.github/workflows/covector-version-or-publish-v2.yml
index 37307dee..0662c688 100644
--- a/.github/workflows/covector-version-or-publish-v2.yml
+++ b/.github/workflows/covector-version-or-publish-v2.yml
@@ -9,6 +9,14 @@ on:
     branches:
       - v2
 
+permissions:
+  # required for npm provenance
+  id-token: write
+  # required to create the GitHub Release
+  contents: write
+  # required for creating the Version Packages Release
+  pull-requests: write
+
 jobs:
   version-or-publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml
index d705669a..1828bf2f 100644
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
@@ -9,6 +9,14 @@ on:
     branches:
       - v1
 
+permissions:
+  # required for npm provenance
+  id-token: write
+  # required to create the GitHub Release
+  contents: write
+  # required for creating the Version Packages Release
+  pull-requests: write
+
 jobs:
   version-or-publish:
     runs-on: ubuntu-latest