diff --git a/.github/workflows/bindings_nodejs.yml b/.github/workflows/bindings_nodejs.yml
index 21d662b6ce1..c5afbf1e223 100644
--- a/.github/workflows/bindings_nodejs.yml
+++ b/.github/workflows/bindings_nodejs.yml
@@ -206,6 +206,8 @@ jobs:
     runs-on: ubuntu-latest
     if: "startsWith(github.ref, 'refs/tags/')"
     needs: [macos, linux, windows]
+    permissions:
+      id-token: write
 
     # Notes: this defaults only apply on run tasks.
     defaults:
@@ -244,7 +246,7 @@ jobs:
       - name: Publish
         run: |
           echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-          npm publish --access public
+          npm publish --access public --provenance
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}