diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6220d35f..28280938 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,22 +38,14 @@ jobs:
         env: { CI: true }
 
       # npm publish
-      - name: Set npm auth
-        run: |
-          npm config set //registry.npmjs.org/:_authToken=${NPM_TOKEN}
-          npm whoami
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Publish to npm
         run: |
           VERSION=$(node -p "require('./package.json').version")
           if [[ "$VERSION" == *-* ]]; then
-            pnpm publish --access public --no-git-checks --tag next
+            pnpm publish --access public --provenance --tag next
           else
-            pnpm publish --access public --no-git-checks
+            pnpm publish --access public --provenance
           fi
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       # JSR publish (OIDC, no secret needed once linked)
       - name: Publish to JSR