diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6869f59d..6dcd7587 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -131,6 +131,9 @@ jobs:
   release:
     runs-on: ubuntu-latest
     needs: [update-api-specs]
+    permissions:
+      id-token: write  # Required for OIDC
+      contents: read
     outputs:
       tag-name: ${{ steps.update-release.outputs.TAG_NAME }}
     steps:
@@ -141,16 +144,22 @@ jobs:
       - run: |
           git pull
           make install
-      - name: Use Node.js 18.x
-        uses: actions/setup-node@v2
+      - name: Use Node 20
+        uses: actions/setup-node@v4
         with:
-          node-version: 18.x
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: semanticRelease
         id: semantic-release
         run: DEBUG=semantic-release:* npx semantic-release -t \${version}
         env:
           GITHUB_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true # required for OIDC
       - name: Update release
         id: update-release
         run: |
diff --git a/.releaserc.json b/.releaserc.json
index 187d2ff9..fd0c2fb7 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -58,7 +58,13 @@
         "changelogFile": "CHANGES.md"
       }
     ],
-    "@semantic-release/npm",
+    [
+      "@semantic-release/npm",
+      {
+        "npmPublish": true,
+        "provenance": true
+      }
+    ],
     [
       "@semantic-release/github",
       {