diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml
index fd6f7f505..f48d8adc3 100644
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
@@ -74,10 +74,11 @@ jobs:
         with:
           fetch-depth: 0
       - run: npm i -g --force corepack
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: 24
-          registry-url: 'https://registry.npmjs.org'
+      - name: Update npm
+        run: npm install -g npm
 
       - name: cargo login
         run: cargo login ${{ secrets.ORG_CRATES_IO_TOKEN }}
diff --git a/.github/workflows/publish-cli-js.yml b/.github/workflows/publish-cli-js.yml
index 7ccd24c59..c6d2bfcc8 100644
--- a/.github/workflows/publish-cli-js.yml
+++ b/.github/workflows/publish-cli-js.yml
@@ -368,15 +368,14 @@ jobs:
       #- test-linux-arm-bindings
     permissions:
       contents: write # update release
-      id-token: write # npm provenance / oidc token
+      id-token: write # oidc token
     steps:
       - uses: actions/checkout@v4
       - run: npm i -g --force corepack
       - name: Setup node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 24
-          registry-url: 'https://registry.npmjs.org'
           cache: 'pnpm'
       - name: Install dependencies
         run: pnpm i --frozen-lockfile --ignore-scripts
@@ -391,8 +390,8 @@ jobs:
         shell: bash
       - name: Publish
         run: |
+          npm install -g npm
           npm publish
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_ID: ${{ github.event.client_payload.releaseId || inputs.releaseId }}
-          NPM_CONFIG_PROVENANCE: true