diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 67c1c064576..9e32083a3d4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -266,6 +266,8 @@ jobs:
 needs: [config, test_unit]
 if: needs.config.outputs.tag || needs.config.outputs.isMainBranch == 'true'
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@v3
diff --git a/scripts/publish-npm.sh b/scripts/publish-npm.sh
index 50b92440ea5..fd95fb16c46 100755
--- a/scripts/publish-npm.sh
+++ b/scripts/publish-npm.sh
@@ -6,7 +6,7 @@ if [[ $(node ./scripts/check-already-published.js) = "not published" ]]; then
 # see https://docs.npmjs.com/private-modules/ci-server-config
 echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
 if [[ -z "$TAG" ]]; then
- npm publish --tag canary
+ npm publish --provenance --tag canary
 echo "Published canary."
 curl https://purge.jsdelivr.net/npm/hls.js@canary
 curl https://purge.jsdelivr.net/npm/hls.js@canary/dist/hls-demo.js
@@ -19,7 +19,7 @@ if [[ $(node ./scripts/check-already-published.js) = "not published" ]]; then
 exit 1
 fi
 echo "Publishing tag: ${tag}"
- npm publish --tag "${tag}"
+ npm publish --provenance --tag "${tag}"
 curl "https://purge.jsdelivr.net/npm/hls.js@${tag}"
 echo "Published."
 fi
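Review bot: In `.github/workflows/build.yml` the new job-level `permissions:` block lists only `id-token: write`, and a job-level `permissions` key sets every scope it does not list to `none`. The job still runs `actions/checkout@v3` and the rest of its steps are outside the hunk, so any step there that relies on `GITHUB_TOKEN` would lose access. I would state the read scope explicitly by adding `contents: read` next to `id-token: write`. The OIDC grant applies to every step of the job, not only the publish step, so a comment such as `# id-token: write is needed only for npm publish --provenance` would help keep the grant from being widened or dropped by accident.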
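Review bot: In `scripts/publish-npm.sh` both `npm publish --provenance` calls (the canary branch here and the tagged branch in the following hunk) now depend on preconditions the script neither checks nor documents: an npm CLI of 9.5.0 or later and a CI job that grants `id-token: write`. The "Published" echo and the jsDelivr purge run straight after each publish, so unless `set -e` is set above the first hunk (not visible here) a provenance failure would still report success and purge the CDN; that is worth confirming. I would add a comment above the first call, `# --provenance needs npm >= 9.5.0 and id-token: write on the CI job (see build.yml)`. The enclosing `if` block starts above the first hunk.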