diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index a660478..1c42d86 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -8,6 +8,10 @@ on:
   release:
     types: [published]
 
+permissions:
+  id-token: write # Required for npm OIDC trusted publishers
+  contents: read
+
 jobs:
   publish:
     name: publish
@@ -17,9 +21,10 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Set up Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: |
@@ -28,5 +33,3 @@ jobs:
       - name: Publish to NPM
         run: |
           bash ./bin/publish-npm
-        env:
-          NPM_TOKEN: ${{ secrets.KERNEL_NPM_TOKEN || secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-doctor.yml b/.github/workflows/release-doctor.yml
index 588ae1b..2d0c931 100644
--- a/.github/workflows/release-doctor.yml
+++ b/.github/workflows/release-doctor.yml
@@ -17,6 +17,4 @@ jobs:
       - name: Check release environment
         run: |
           bash ./bin/check-release-environment
-        env:
-          NPM_TOKEN: ${{ secrets.KERNEL_NPM_TOKEN || secrets.NPM_TOKEN }}
 
diff --git a/bin/check-release-environment b/bin/check-release-environment
index e4b6d58..50d39be 100644
--- a/bin/check-release-environment
+++ b/bin/check-release-environment
@@ -1,22 +1,6 @@
 #!/usr/bin/env bash
 
-errors=()
-
-if [ -z "${NPM_TOKEN}" ]; then
-  errors+=("The NPM_TOKEN secret has not been set. Please set it in either this repository's secrets or your organization secrets")
-fi
-
-lenErrors=${#errors[@]}
-
-if [[ lenErrors -gt 0 ]]; then
-  echo -e "Found the following errors in the release environment:\n"
-
-  for error in "${errors[@]}"; do
-    echo -e "- $error\n"
-  done
-
-  exit 1
-fi
+# Publishing uses npm OIDC trusted publishers — no secrets required.
+# The GitHub Actions workflow must have `permissions: id-token: write`.
 
 echo "The environment is ready to push releases!"
-
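Review bot: The `permissions:` block in the first publish-npm.yml hunk is added at workflow level, so `id-token: write` is granted to every job the workflow runs rather than only to `publish`; this hunk shows a single `publish` job, but if the workflow has or later gains other jobs, each of them would be able to mint an OIDC token that npm will accept. Moving the same two lines under the job (`jobs.publish.permissions`) keeps the token scoped to the one step that publishes, and `contents: read` there is still enough for `actions/checkout`. The enclosing `on:` trigger block starts outside the hunk.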
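Review bot: In the second publish-npm.yml hunk, `node-version: '20'` is kept while `bin/publish-npm` now relies on npm trusted publishing, and to my knowledge the OIDC exchange requires npm 11.5.1 or later, whereas Node 20 ships an npm 10.x CLI — unless a step outside this hunk upgrades npm, `npm publish` will attempt token auth and fail now that `NPM_TOKEN` is gone. Either raise `node-version` to a line whose bundled npm is new enough (confirm against the npm docs and what `dist` supports) or add a pinned upgrade step such as `run: npm install -g npm@<pinned version>` before the publish step. Separately, `uses: actions/setup-node@v4` is a new mutable-tag reference; pinning it to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a job that holds an `id-token: write` grant.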
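Review bot: The rewritten `bin/check-release-environment` verifies nothing — the hunk replaces the error collection and `exit 1` path with two comments, so the script now always prints the ready message and release-doctor can no longer fail on a misconfigured release environment. The precondition that is cheap to check from bash is the npm CLI version, since trusted publishing needs npm 11.5.1 or later (confirm against current npm docs) and an older CLI only surfaces the problem at publish time; a version gate in the same `errors` style as the removed code keeps the doctor useful. Whether the publishing workflow grants `id-token: write` cannot be checked from this script, because release-doctor.yml does not itself grant that permission in this diff, so that stays a comment. The version comparison below uses `sort -V`, which is available on the GitHub-hosted Ubuntu runners this workflow uses.

```bash
#!/usr/bin/env bash

# Publishing uses npm OIDC trusted publishers — no secrets required.
# The GitHub Actions workflow must have `permissions: id-token: write`.

errors=()

# Trusted publishing needs npm >= 11.5.1 (confirm against the current npm
# docs); an older CLI falls back to token auth, which this workflow no
# longer provides, and only fails at publish time.
required_npm="11.5.1"
npm_version="$(npm --version)"
if [ "$(printf '%s\n' "$required_npm" "$npm_version" | sort -V | head -n1)" != "$required_npm" ]; then
  errors+=("npm ${npm_version} is too old for OIDC trusted publishing; ${required_npm} or later is required")
fi

if [ "${#errors[@]}" -gt 0 ]; then
  echo -e "Found the following errors in the release environment:\n"
  for error in "${errors[@]}"; do
    echo -e "- $error\n"
  done
  exit 1
fi

echo "The environment is ready to push releases!"
```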
diff --git a/bin/publish-npm b/bin/publish-npm
index 45e8aa8..fef50d4 100644
--- a/bin/publish-npm
+++ b/bin/publish-npm
@@ -2,8 +2,6 @@
 
 set -eux
 
-npm config set '//registry.npmjs.org/:_authToken' "$NPM_TOKEN"
-
 yarn build
 cd dist
 
@@ -57,5 +55,5 @@ else
   TAG="latest"
 fi
 
-# Publish with the appropriate tag
-yarn publish --tag "$TAG"
+# Publish with the appropriate tag using npm OIDC trusted publishers
+npm publish --provenance --access public --tag "$TAG"
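Review bot: The new `npm publish --provenance --access public --tag "$TAG"` line relies on `--provenance` as its only guard that the publish actually went through the OIDC path, but the comment above it does not say so; since a provenance attestation can only be generated when the job has an `id-token: write` grant, the flag is what makes the publish fail rather than quietly succeed via some leftover `.npmrc` token if the workflow permission is missing. I would make that explicit: `# --provenance also makes the publish fail if no OIDC token is available, so a misconfigured workflow cannot fall back to token auth`. `--access public` is also newly explicit; if the package under `dist` is scoped, that is the line to revisit should it ever become private. The `if`/`else` that sets `TAG` starts outside the hunk.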