diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index a6e5b9a..53a330e 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -5,12 +5,15 @@ on:
 types: [published]
 # or it is called by another workflow
 workflow_call:
- secrets:
- NPM_TOKEN:
- required: true
 jobs:
 build:
 runs-on: ubuntu-latest
+ # Required for npm Trusted Publishing (OIDC). Without `id-token: write`
+ # GitHub will not mint the OIDC token that npm exchanges for a
+ # short-lived publish credential.
+ permissions:
+ id-token: write
+ contents: read
 # When invoked via `workflow_call`, `github.event_name` reflects the
 # ROOT triggering event of the caller (e.g. `pull_request`), NOT
 # `workflow_call` — so a `== 'workflow_call'` check never matches.
@@ -24,13 +27,11 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 - name: Setup Node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
 with:
- node-version: "20.x"
+ node-version: "22"
 registry-url: "https://registry.npmjs.org"
 - name: Install dependencies
 run: npm ci
 - name: Publish package on NPM
 run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index c1f624f..353adfa 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -90,5 +90,8 @@ jobs:
 publish-package:
 needs: publish-release
 uses: ./.github/workflows/npm-publish.yml
- secrets:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ # npm Trusted Publishing (OIDC) — no NPM_TOKEN secret needed.
+ # The called workflow declares `permissions: id-token: write` itself.
+ permissions:
+ id-token: write
+ contents: read
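Review bot: The new `permissions` block on the `build` job is only half of the Trusted Publishing setup: the package's settings on npmjs.com must also list this repository and the workflow filename (`npm-publish.yml`) as a trusted publisher, and nothing in the diff records that prerequisite, so a reader of this file cannot tell why a publish fails with an authentication error. I would extend the added comment with a line such as `# Prerequisite: the package's npmjs.com settings must name this repo and workflow file as a trusted publisher.`. Since `id-token: write` lets every step in this job request an identity token, consider also binding the job to a GitHub `environment:` and pinning the trusted-publisher entry to that environment, which narrows who can publish beyond the workflow filename alone. The `if:` condition that the existing comment describes sits below this hunk, outside what is shown.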
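Review bot: The bump to `node-version: "22"` is unlikely to be enough for OIDC publishing on its own, because the npm CLI bundled with the Node 22 line is, at the time of writing, a 10.x release while npm's Trusted Publishing requires npm 11.5.1 or later; with `NODE_AUTH_TOKEN` removed, `npm publish` would then have neither an OIDC exchange nor a token and fail. Add a step before the publish, e.g. `- name: Upgrade npm` / `run: npm install -g npm@latest` (or pin `npm@^11` for reproducibility), or move to a Node line that bundles npm 11. Confirm the exact version boundary against the current npm release notes rather than this note. The `steps:` list begins above this hunk.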
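Review bot: The added comment reads as if this caller-side `permissions` grant were redundant with the one in the called workflow, but a reusable workflow's `GITHUB_TOKEN` is capped by what the calling job passes, so this block is the binding grant and the called workflow's own block can only narrow it further. I would rephrase it to `# The called workflow cannot escalate beyond what this job grants, so id-token: write must be passed here.`. Also worth confirming, now that publishing goes through a reusable workflow, which workflow filename the npm trusted-publisher entry must reference: the OIDC token carries the caller (`publish-release.yml`) and the job workflow (`npm-publish.yml`) in different claims, and I am not certain which one npm matches.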