diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3b8ba9d..2e67043 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -70,8 +70,9 @@ jobs:
       # This will publish a version of a package.
       - name: Publish version
         if: steps.release.outputs.tag == ''
-        run: npm publish
+        # --provenance enables npm sigstore-backed provenance via Trusted Publishing
+        run: npm publish --provenance
 
       - name: Publish tagged version
         if: steps.release.outputs.tag != ''
-        run: npm publish --tag ${{ steps.release.outputs.tag }}
\ No newline at end of file
+        run: npm publish --provenance --tag ${{ steps.release.outputs.tag }}