diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 011c9bc0..69dbb96c 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -47,6 +47,13 @@ jobs:
   release:
     needs: main
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      id-token: write # to enable use of OIDC for npm provenance
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+    env:
+      NPM_CONFIG_PROVENANCE: 'true'
     if:
       ${{ github.repository == 'kentcdodds/kcd-scripts' &&
       contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha',
@@ -82,4 +89,3 @@ jobs:
             ]
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}