diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a2c6dfc..85a547e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,6 +33,10 @@ jobs:
     needs: release
     if: contains(fromJson(needs.release.outputs.paths_released), 'packages/core') || inputs.force_release_core
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
       - uses: pnpm/action-setup@v2.2.3
@@ -45,7 +49,7 @@ jobs:
           cache: 'npm'
       - run: npm ci
       - run: npm run build --workspace=packages/core
-      - run: npm publish --access=public --workspace=packages/core
+      - run: npm publish --access=public --workspace=packages/core --provenance
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
   npm-cli: