diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bfc53ac..ae508ff 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -78,6 +78,9 @@ jobs:
   publish-npm:
     runs-on: ubuntu-latest
     needs: [build-windows, build-linux, build-mac]
+    permissions:
+      id-token: write # Required for OIDC trusted publishing
+      contents: write # Required for committing package.json changes
     steps:
       - uses: actions/checkout@v4
         with:
@@ -128,9 +131,9 @@ jobs:
         uses: EndBug/add-and-commit@v9
         with:
           default_author: github_actions
-          message: 'Update package.json version to ${{ steps.tag-version.outputs.TAG_VERSION }}'
-          add: 'package.json'
-          
+          message: "Update package.json version to ${{ steps.tag-version.outputs.TAG_VERSION }}"
+          add: "package.json"
+
       - run: npm ci
 
       - name: Determine npm tag for pre-releases
@@ -144,6 +147,4 @@ jobs:
           echo "tag=${NPM_TAG}" >> $GITHUB_OUTPUT
           echo "npm tag: ${NPM_TAG}"
 
-      - run: npm publish --tag ${{ steps.npm_tag.outputs.tag }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: npm publish --provenance --tag ${{ steps.npm_tag.outputs.tag }}
diff --git a/package.json b/package.json
index e34c9f1..53a5353 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "hookdeck-cli",
-  "version": "1.4.0",
+  "version": "1.4.0-alpha.1",
   "description": "Hookdeck CLI",
   "repository": {
     "type": "git",