diff --git a/.github/workflows/release_napi_minify.yml b/.github/workflows/release_napi_minify.yml
index d79466bd3..04310be1c 100644
--- a/.github/workflows/release_napi_minify.yml
+++ b/.github/workflows/release_napi_minify.yml
@@ -21,3 +21,5 @@ jobs:
       name: minify
     secrets:
       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    permissions:
+      id-token: write # for `pnpm publish --provenance`
diff --git a/.github/workflows/release_napi_parser.yml b/.github/workflows/release_napi_parser.yml
index 20d64cb92..2e0c8eaa1 100644
--- a/.github/workflows/release_napi_parser.yml
+++ b/.github/workflows/release_napi_parser.yml
@@ -21,3 +21,5 @@ jobs:
       name: parser
     secrets:
       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    permissions:
+      id-token: write # for `pnpm publish --provenance`
diff --git a/.github/workflows/release_napi_transform.yml b/.github/workflows/release_napi_transform.yml
index 8f53d7be6..02282b211 100644
--- a/.github/workflows/release_napi_transform.yml
+++ b/.github/workflows/release_napi_transform.yml
@@ -21,3 +21,5 @@ jobs:
       name: transform
     secrets:
       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    permissions:
+      id-token: write # for `pnpm publish --provenance`