diff --git a/.github/workflows/insiders.yaml b/.github/workflows/insiders.yaml
index dc23cc43673b8..cd50e6397bcc3 100644
--- a/.github/workflows/insiders.yaml
+++ b/.github/workflows/insiders.yaml
@@ -7,6 +7,8 @@ on:
 
 permissions:
   contents: read
+  id-token: write
+  packages: write
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -60,6 +62,6 @@ jobs:
           npx hereby configure-insiders
           npx hereby LKG
           node ./scripts/addPackageJsonGitHead.mjs package.json
-          npm publish --tag insiders
+          npm publish --provenance --tag insiders
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 375a8255ae67b..0ee6bde832ecb 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -8,6 +8,8 @@ on:
 
 permissions:
   contents: read
+  id-token: write
+  packages: write
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -60,6 +62,6 @@ jobs:
           npx hereby configure-nightly
           npx hereby LKG
           node ./scripts/addPackageJsonGitHead.mjs package.json
-          npm publish --tag next
+          npm publish --provenance --tag next
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}