diff --git a/.github/workflows/userscript-publish.yml b/.github/workflows/userscript-publish.yml
index f1e2ce301..23f8f92f5 100644
--- a/.github/workflows/userscript-publish.yml
+++ b/.github/workflows/userscript-publish.yml
@@ -16,18 +16,28 @@ jobs:
     runs-on: ubuntu-22.04
     permissions:
       actions: write
+      attestations: write
       contents: write
+      id-token: write
       packages: write
       pull-requests: read
 
     steps:
       - name: Checkout
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+
       - name: Select NodeJS version
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
-        with:
+        env:
           # renovate: datasource=docker depName=node versioning=node
-          node-version: "20.12.2"
+          NODE_VERSION: "20.13.1"
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          registry-url: https://registry.npmjs.org
+
+      - name: Enable Corepack
+        run: corepack enable
+
       - name: Install dependencies
         run: yarn install --immutable
       - name: Build everything
@@ -36,13 +46,16 @@ jobs:
         run: yarn lint:all
 
       - name: Get version
-        run: |
-          export KS_VERSION=$(yarn kitten-scientists:version)
-          echo "KS_VERSION=$KS_VERSION" >> $GITHUB_ENV
+        run: echo "KS_VERSION=$(yarn kitten-scientists:version)" >> $GITHUB_ENV
 
       - name: Build release
         run: yarn kitten-scientists:release
 
+      - name: Attest Build Provenance
+        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        with:
+          subject-path: packages/kitten-scientists/output/*
+
       - name: Generate GitHub release
         uses: oliversalzburg/action-automatic-semantic-releases@bc429dc1af8c036b5f8c11fef7bcb0becfd5064d # v0.0.13
         with: