diff --git a/.github/scripts/publish-npm.sh b/.github/scripts/publish-npm.sh
index 449d9b866..bc8655844 100644
--- a/.github/scripts/publish-npm.sh
+++ b/.github/scripts/publish-npm.sh
@@ -57,8 +57,9 @@ do
     echo "Could not authenticate with $REGISTRY"
     exit 1
   fi
-  npm publish --tag "$TAG" db-ui-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz
-  npm publish --tag "$TAG" db-ui-ngx-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz
-  npm publish --tag "$TAG" db-ui-react-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz
-  npm publish --tag "$TAG" db-ui-v-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz
+  # https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow
+  npm publish --tag "$TAG" db-ui-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz --provenance
+  npm publish --tag "$TAG" db-ui-ngx-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz --provenance
+  npm publish --tag "$TAG" db-ui-react-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz --provenance
+  npm publish --tag "$TAG" db-ui-v-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz --provenance
 done
diff --git a/.github/workflows/03-publish-packages.yml b/.github/workflows/03-publish-packages.yml
index 06bade191..2a2618b44 100644
--- a/.github/workflows/03-publish-packages.yml
+++ b/.github/workflows/03-publish-packages.yml
@@ -24,6 +24,8 @@ jobs:
       fail-fast: false
       matrix:
         themes: [default, enterprise]
+    permissions:
+      id-token: write
     steps:
       - name: ⬇ Checkout repo
         uses: actions/checkout@v4