diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 64a2fc14..94c2452f 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -4,8 +4,9 @@ env:
 APP_NAME: blst
 MACOSX_DEPLOYMENT_TARGET: "10.13"
 permissions:
- contents: write
- id-token: write
+ contents: write # Required for OIDC
+ id-token: write # Required to create a Github release
+ pull-requests: write # Required to add tags to pull requests
 on:
 pull_request:
@@ -220,7 +221,7 @@ jobs:
 - uses: oven-sh/setup-bun@v2
 with:
 bun-version: ${{ matrix.bun }}
- - name: Install deps
+ - name: Install deps
 run: bun install --frozen-lockfile
 - name: Download artifacts
 uses: actions/download-artifact@v4
@@ -389,6 +390,9 @@ jobs:
 with:
 node-version: "22.4.x"
 cache: yarn
+ - name: Upgrade npm for OIDC
+ if: ${{ steps.release.outputs.releases_created }}
+ run: npm i -g npm@^11.5.1
 - name: Create tag
 id: tag
 uses: butlerlogic/action-autotag@1.1.2
@@ -418,15 +422,12 @@ jobs:
 npm config set provenance true
 if node -e "console.log(require('./package.json').version)" | grep "^[0-9]\+\.[0-9]\+\.[0-9]\+$";
 then
- echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
 npm publish --access public
 elif node -e "console.log(require('./package.json').version)" | grep "^[0-9]\+\.[0-9]\+\.[0-9]\+";
 then
- echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
 npm publish --tag next --access public
 else
 echo "Not a release, skipping publish"
 fi
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
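Review bot: The two trailing comments added in the `permissions:` block look swapped: `id-token: write` is the scope that lets a job request an OIDC token, while `contents: write` is what creating a GitHub release needs. I would write `contents: write # Required to create a GitHub release` and `id-token: write # Required for OIDC`. The block appears to sit at workflow level, beside `env:` and `on:`, so these write scopes (now including `pull-requests: write`) would be granted to every job, including the ones triggered by `pull_request`; if so, consider moving them into a job-level `permissions:` on the release job and keeping the workflow default at `contents: read`. Indentation is not recoverable in this view, so the nesting should be confirmed against the file.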
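Review bot: `npm i -g npm@^11.5.1` in the new "Upgrade npm for OIDC" step resolves a caret range at run time, so the job that publishes the package runs whichever 11.x npm is newest that day. Pinning an exact version, `run: npm i -g npm@11.5.1`, keeps the release toolchain reproducible and makes npm upgrades a reviewed change. The context line above sets `node-version: "22.4.x"`, and npm 11, to my knowledge, declares Node `^20.17.0 || >=22.9.0` as its supported range, so check that this step does not warn or fail on the runner. The `if:` condition reads `steps.release`, which is defined outside this hunk.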