diff --git a/.github/workflows/publish_next_compute-baseline.yml b/.github/workflows/publish_next_compute-baseline.yml
index c95b86cfd6c..553e39b1429 100644
--- a/.github/workflows/publish_next_compute-baseline.yml
+++ b/.github/workflows/publish_next_compute-baseline.yml
@@ -7,6 +7,8 @@ on: paths: - packages/compute-baseline/** +permissions: {} + env: package: "compute-baseline" package_dir: "packages/compute-baseline"
@@ -15,6 +17,8 @@ env: jobs: test: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6
@@ -27,6 +31,12 @@ jobs: if: github.repository == 'web-platform-dx/web-features' runs-on: ubuntu-latest needs: "test" + permissions: + contents: read + # Required for OIDC and trusted publishing. See: + # - https://docs.npmjs.com/trusted-publishers + # - https://docs.github.com/en/actions/concepts/security/openid-connect + id-token: write steps: - name: Get timestamp id: timestamp
@@ -37,6 +47,7 @@ jobs: node-version-file: .node-version cache: npm registry-url: "https://registry.npmjs.org" + - run: npm install -g 'npm@>=11.5.1 # required for trusted publishing - run: npm ci - name: Get package.json version id: version
@@ -49,5 +60,3 @@ jobs: VERSION: ${{ steps.version.outputs.VERSION }} TIMESTAMP: ${{ steps.timestamp.outputs.TIMESTAMP }} - run: npm publish --workspace=${{ env.package }} --tag ${{ env.dist_tag }} - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/publish_next_web-features.yml b/.github/workflows/publish_next_web-features.yml
index b36d0542f1e..e9beb169b39 100644
--- a/.github/workflows/publish_next_web-features.yml
+++ b/.github/workflows/publish_next_web-features.yml
@@ -12,8 +12,7 @@ on: - index.ts - scripts/build.ts -permissions: - contents: write +permissions: {} env: package: "web-features"
@@ -23,6 +22,8 @@ env: jobs: test: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6
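Review bot: The npm upgrade step added in the `@@ -37,6 +47,7 @@` hunk of publish_next_compute-baseline.yml has an unterminated quote: `'npm@>=11.5.1 # required for trusted publishing` opens a single quote that is never closed, and because ` #` begins a YAML comment the shell receives `npm install -g 'npm@>=11.5.1`, which fails with an unterminated-quote error before `npm ci` and the publish ever run. The same step in publish_next_web-features.yml has the closed form, so this one should match it: `- run: npm install -g 'npm@>=11.5.1' # required for trusted publishing`. Separately, the `>=` range means every publish run installs whatever npm is current at that moment, so a new npm release reaches the publishing toolchain without review; pinning an exact version (the 11.5.1 minimum named here, or a later release chosen deliberately) keeps the publish environment reproducible. That second point applies to the corresponding hunk in publish_next_web-features.yml as well.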
@@ -35,6 +36,12 @@ jobs: if: github.repository == 'web-platform-dx/web-features' runs-on: ubuntu-latest needs: "test" + permissions: + contents: write + # Required for OIDC and trusted publishing. See: + # - https://docs.npmjs.com/trusted-publishers + # - https://docs.github.com/en/actions/concepts/security/openid-connect + id-token: write steps: - uses: actions/checkout@v6 - name: Get timestamp and short hash
@@ -48,6 +55,8 @@ jobs: node-version-file: .node-version cache: npm registry-url: "https://registry.npmjs.org" + + - run: npm install -g 'npm@>=11.5.1' # required for trusted publishing - run: npm ci - run: npm run build
@@ -67,11 +76,8 @@ jobs: VERSION: ${{ steps.version.outputs.VERSION }} TIMESTAMP: ${{ steps.timestamp_and_hash.outputs.TIMESTAMP }} SHORT_HASH: ${{ steps.timestamp_and_hash.outputs.SHORT_HASH }} - - if: ${{ env.NODE_AUTH_TOKEN }} - run: npm publish --tag ${{ env.dist_tag }} + - run: npm publish --tag ${{ env.dist_tag }} working-directory: ${{ env.package_dir }} - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Set existing release to draft run: gh release edit --draft "$TAG"
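Review bot: The publish job in publish_next_web-features.yml is granted `contents: write` without a comment saying why, while the matching job in publish_next_compute-baseline.yml gets `contents: read` and the only grant explained here is `id-token: write`. The `gh release edit --draft "$TAG"` step in the `@@ -67,11 +76,8 @@` hunk is presumably the reason, since editing a release needs write access to repository contents, so the grant should say so, e.g. `# Required by the "gh release edit" step below.` placed above `contents: write`. Recording that also marks this as the line to revisit if the release edit is ever moved out of the publish job and the permission can drop back to read.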