diff --git a/.github/workflows/DeploySvelte2tsxProd.yml b/.github/workflows/DeploySvelte2tsxProd.yml
index 1adc194e0..1f31d1908 100644
--- a/.github/workflows/DeploySvelte2tsxProd.yml
+++ b/.github/workflows/DeploySvelte2tsxProd.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      id-token: write # OpenID Connect token needed for provenance
+
     runs-on: ubuntu-latest
 
     steps:
@@ -32,7 +35,7 @@ jobs:
       - run: |
           cd packages/svelte2tsx
           pnpm install
-          pnpm publish --no-git-checks
+          pnpm publish --provenance --no-git-checks
 
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/DeploySvelteCheckProd.yml b/.github/workflows/DeploySvelteCheckProd.yml
index 0a23cedeb..bbfc47610 100644
--- a/.github/workflows/DeploySvelteCheckProd.yml
+++ b/.github/workflows/DeploySvelteCheckProd.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      id-token: write # OpenID Connect token needed for provenance
+
     runs-on: ubuntu-latest
 
     steps:
@@ -33,7 +36,7 @@ jobs:
       - run: |
           cd packages/svelte-check
           pnpm install
-          pnpm publish --no-git-checks
+          pnpm publish --provenance --no-git-checks
 
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/DeploySvelteLanguageServerProd.yml b/.github/workflows/DeploySvelteLanguageServerProd.yml
index f98cbb74e..67cb708fa 100644
--- a/.github/workflows/DeploySvelteLanguageServerProd.yml
+++ b/.github/workflows/DeploySvelteLanguageServerProd.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      id-token: write # OpenID Connect token needed for provenance
+
     runs-on: ubuntu-latest
 
     steps:
@@ -32,7 +35,7 @@ jobs:
       - run: |
           cd packages/language-server
           pnpm install
-          pnpm publish --no-git-checks
+          pnpm publish --provenance --no-git-checks
 
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/DeployTypescriptPluginProd.yaml b/.github/workflows/DeployTypescriptPluginProd.yaml
index e195c42fc..90d1048c0 100644
--- a/.github/workflows/DeployTypescriptPluginProd.yaml
+++ b/.github/workflows/DeployTypescriptPluginProd.yaml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      id-token: write # OpenID Connect token needed for provenance
+
     runs-on: ubuntu-latest
 
     steps:
@@ -32,7 +35,7 @@ jobs:
       - run: |
           cd packages/typescript-plugin
           pnpm install
-          pnpm publish --no-git-checks
+          pnpm publish --provenance --no-git-checks
 
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}