diff --git a/.github/workflows/deploy.yml b/.github/workflows/cd.yml
similarity index 80%
rename from .github/workflows/deploy.yml
rename to .github/workflows/cd.yml
index 91241f2..471668d 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/cd.yml
@@ -5,6 +5,10 @@ on:
 tags:
 - v*

+permissions:
+ id-token: write
+ contents: write
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
@@ -59,10 +63,16 @@ jobs:
 git push origin main
 git push origin ${{ steps.version.outputs.current-version }}

+ - name: Setup Node.js for NPM publish
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ registry-url: "https://registry.npmjs.org"
+
+ - name: Update npm for OIDC support
+ run: npm install -g npm@latest
+
 - name: Publish to NPM
- run: |
- echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/.npmrc
- echo "//registry.npmjs.org/:always-auth=true" >> ~/.npmrc
- npm publish
 env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NPM_CONFIG_PROVENANCE: true
+ run: npm publish --provenance
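Review bot: The new `permissions:` block is declared at workflow level, so `id-token: write` and `contents: write` apply to every job in this file rather than only to the one that publishes. Only `deploy` is visible here and the rest of the file is outside the hunk, so this may be equivalent today, but any job added later would inherit the ability to request an OIDC token and push to the repository. Moving the same two entries under `jobs.deploy` as a job-level `permissions:` keeps the grant scoped to the job that needs it. A comment such as `# id-token: OIDC for npm publish/provenance; contents: pushes the version commit and tag` would record why each scope is there.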
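Review bot: `run: npm install -g npm@latest` in the new "Update npm for OIDC support" step installs whatever npm release is current at tag time, inside a job that holds `id-token: write` and `contents: write`, so the publishing toolchain is neither reproducible nor reviewed. Pin it to a version that has been checked to support OIDC publishing, for example `run: npm install -g npm@<pinned-version>` (placeholder), and bump it deliberately. The same reasoning applies to `uses: actions/setup-node@v4`: a full commit SHA, written as `actions/setup-node@<full-commit-sha> # v4` (placeholder), cannot be moved the way a tag can. Separately, `NPM_CONFIG_PROVENANCE: true` and `--provenance` request the same thing, so one of them is enough. The rest of the `deploy` job lies outside this hunk.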