diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4fbf59f..1a48df5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -11,6 +11,9 @@ run-name: >-
 '' }}
+permissions:
+ contents: read # for checkout
+
 on:
 # Build on pushes branches that have a PR (including drafts)
 pull_request:
@@ -91,6 +94,11 @@ jobs:
 - run: npm test
 release:
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance
 needs: [build, test]
 # only run if opt-in during workflow_dispatch
 if: always() && github.event.inputs.release == 'true' && needs.build.result != 'failure' && needs.test.result != 'failure' && needs.test.result != 'cancelled'
@@ -113,11 +121,13 @@ jobs:
 # e.g. git tags were pushed but it exited before `npm publish`
 if: always()
 env:
+ NPM_CONFIG_PROVENANCE: true
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
 # Re-run semantic release with rich logs if it failed to publish for easier debugging
 - run: npx semantic-release --dry-run --debug
 if: failure()
 env:
+ NPM_CONFIG_PROVENANCE: true
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
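Review bot: `NPM_CONFIG_PROVENANCE: true` in the two `env:` blocks of the last hunk is an unquoted YAML boolean; GitHub stringifies it so it works, but env values are strings by contract and quoting keeps yamllint (`truthy`) and any other consumer of this file from retyping it — `NPM_CONFIG_PROVENANCE: "true"`. The inline comments added in the first two hunks (`contents: read # for checkout` and the four under `release`) use a single space before `#`, where yamllint's default wants two, e.g. `contents: read  # for checkout`. The `release` job's new `permissions:` block would benefit from a one-line comment stating that a job-level block replaces, rather than extends, the top-level `contents: read`, so `id-token: write` and the three write scopes are confined to this job while `build` and `test` keep the read-only token — that is the property anyone auditing this workflow will want to confirm, and the comments currently only explain each scope individually. Both patched `env:` blocks belong to steps of the `release` job whose `- run:` lines and the job header start outside the hunk.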