diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 37fcf13..31b2eb8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -32,6 +32,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: [lint]
     if: github.event_name == 'push'
+    permissions:
+      contents: write       # push release commits, tags, create GitHub Releases
+      issues: write         # @semantic-release/github comments on resolved issues
+      pull-requests: write  # @semantic-release/github comments on merged PRs
+      id-token: write       # OIDC token for npm trusted publishing
     steps:
       - uses: actions/checkout@v4
       - name: Enable Corepack
@@ -53,7 +58,6 @@ jobs:
       - name: release
         env:
           GITHUB_TOKEN: ${{ secrets.ASSOCIATION_RELEASE_TOKEN }}
-          NPM_TOKEN: ${{ secrets.ASSOCIATION_NPM_TOKEN }}
         run: |
           cd dist
           yarn --immutable