diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml index 83ff2ddac..170bc3ef3 100644 --- a/.github/workflows/covector-version-or-publish.yml +++ b/.github/workflows/covector-version-or-publish.yml @@ -61,7 +61,7 @@ jobs: actions: write # required for workflow_dispatch contents: write # required to create new releases pull-requests: write # required to open version update pr - id-token: write # pnpm provenance + id-token: write # pnpm provenance / oidc token outputs: change: ${{ steps.covector.outputs.change }} commandRan: ${{ steps.covector.outputs.commandRan }} @@ -74,10 +74,9 @@ jobs: with: fetch-depth: 0 - run: npm i -g --force corepack - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: - node-version: 20 - registry-url: 'https://registry.npmjs.org' + node-version: 24 - name: cargo login run: cargo login ${{ secrets.ORG_CRATES_IO_TOKEN }} @@ -95,7 +94,6 @@ jobs: uses: jbolda/covector/packages/action@covector-v0 id: covector env: - NODE_AUTH_TOKEN: ${{ secrets.ORG_NPM_TOKEN }} CARGO_AUDIT_OPTIONS: ${{ secrets.CARGO_AUDIT_OPTIONS }} NPM_CONFIG_PROVENANCE: true with: diff --git a/.github/workflows/publish-cli-js.yml b/.github/workflows/publish-cli-js.yml index 3d18f3114..3e4f76081 100644 --- a/.github/workflows/publish-cli-js.yml +++ b/.github/workflows/publish-cli-js.yml @@ -20,6 +20,10 @@ defaults: run: working-directory: packages/cli/ +permissions: + contents: write # update release + id-token: write # oidc token + jobs: build: strategy: 
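Review bot: `actions/setup-node@v6` in the @@ -74,10 +74,9 hunk of covector-version-or-publish.yml is pinned to a movable tag, in a job that holds `id-token: write` and `contents: write`, so whoever can move that tag runs code in a job with release and publishing rights. Pin it to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/setup-node@<full-commit-sha> # v6` (placeholder; use the SHA of the release you reviewed). The same applies to the `setup-node@v6` bump in the @@ -366,16 +370,13 hunk of publish-cli-js.yml. The step list starts and ends outside the hunk.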
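Review bot: With `NODE_AUTH_TOKEN` removed from the covector step (@@ -95,7 +94,6 hunk), npm publishing rights are no longer confined to that one step's `env`. `id-token: write` is granted per job, so every step in the job can request the OIDC token, including the global `corepack` install and `jbolda/covector/packages/action@covector-v0` on a mutable ref. I would record the intent in place with a comment above `env:`, e.g. `# npm auth: OIDC trusted publishing via the job's id-token permission, no token on purpose`, and consider binding the npm trusted publisher to a protected GitHub environment. The diff only drops the reference to `ORG_NPM_TOKEN`; the token stays valid until it is revoked on npm and deleted from the secrets store, which belongs in the same change window. The job definition starts and ends outside the hunk.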
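Review bot: The workflow-level `permissions:` block added in the @@ -20,6 +20,10 hunk of publish-cli-js.yml grants `contents: write` and `id-token: write` to every job in the file. The job-level block removed in the @@ -366,16 +370,13 hunk limited them to the publish job. The `build` job and the `test-*` jobs named in the publish job's dependency list presumably run project build scripts and other actions. As far as I know, npm trusted publishing matches on the workflow file rather than on a job, so any of them could now obtain a token that npm accepts. Unless something needs the wider scope, set the top level to `permissions:` / `contents: read` and keep `contents: write # update release` and `id-token: write # oidc token` on the publish job only.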
@@ -366,16 +370,13 @@ jobs: - test-linux-x64-gnu-binding - test-linux-x64-musl-binding #- test-linux-arm-bindings - permissions: - contents: write # update release - id-token: write # npm provenance steps: - uses: actions/checkout@v4 - run: npm i -g --force corepack - name: Setup node - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: - node-version: 20 + node-version: 24 cache: 'pnpm' - name: Install dependencies run: pnpm i --frozen-lockfile --ignore-scripts @@ -390,10 +391,8 @@ jobs: shell: bash - name: Publish run: | - echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc npm publish env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.ORG_NPM_TOKEN }} + NODE_AUTH_TOKEN: '' RELEASE_ID: ${{ github.event.client_payload.releaseId || inputs.releaseId }} - NPM_CONFIG_PROVENANCE: true
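Review bot: `NODE_AUTH_TOKEN: ''` in the Publish step (@@ -390,10 +391,8 hunk) carries no explanation, and an empty credential next to `npm publish` looks like a mistake that a later maintainer may "fix" by restoring a long-lived secret. Add a comment above it such as `# left empty on purpose: npm publish authenticates through OIDC trusted publishing`. `NPM_CONFIG_PROVENANCE: true` is dropped here but kept in covector-version-or-publish.yml. If provenance is now expected to be attached automatically, say so in the same comment so the two workflows do not read as inconsistent. With one command left in the step, `run: npm publish` would do in place of the block scalar.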