diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b863410..b4fae87 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,6 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+ id-token: write
 steps:
 - name: Resolve tag to publish
@@ -42,8 +43,7 @@ jobs:
 - uses: actions/setup-node@v4
 with:
- node-version: 20
- cache: npm
+ node-version: 24
 registry-url: https://registry.npmjs.org
 - run: npm ci
@@ -70,10 +70,8 @@ jobs:
 echo "already_published=false" >> "$GITHUB_OUTPUT"
 fi
- - run: npm publish --access public
+ - run: npm publish --access public --provenance
 if: steps.npm_state.outputs.already_published != 'true'
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Ensure GitHub Release exists
 env:
diff --git a/RELEASE.md b/RELEASE.md
index d0a9d35..810e4ae 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -5,7 +5,16 @@ Use this checklist to cut a new npm release for `@aredotna/cli`.
 Publishing is automated by GitHub Actions when a PR with a release label is merged to `main`.
 Use exactly one label on the PR: `major`, `minor`, or `patch`.
 The `Release` workflow bumps the version and pushes the release commit and tag.
-That tag then triggers the `Publish` workflow, which publishes to npm using the `NPM_TOKEN` GitHub secret and creates the GitHub Release.
+That tag then triggers the `Publish` workflow, which publishes to npm with trusted publishing and provenance, then creates the GitHub Release.
+No long-lived npm publish token is required.
+
+The npm package must have a trusted publisher configured on npmjs.com:
+
+- Provider: GitHub Actions
+- Organization/user: `aredotna`
+- Repository: `cli`
+- Workflow filename: `publish.yml`
+- Allowed action: `npm publish`
 ## 1) Preflight
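Review bot: Granting `id-token: write` lets every step in this job mint an OIDC token that npm will accept as a publish credential, yet the job still references actions by mutable tag (`actions/setup-node@v4` in the next hunk), so a retagged or compromised action could publish under this package's trusted-publisher identity. Pin each third-party action to a full commit SHA, e.g. `uses: actions/setup-node@<full-commit-sha> # v4`. Consider also attaching the job to a protected GitHub environment (`environment: <env-name>`) and registering that environment name with the npm trusted publisher, so the token only authenticates from runs that passed the environment's protection rules; as written, anyone able to push a matching tag triggers a publish. The job definition starts before this hunk.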
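Review bot: `node-version: 24` does not enforce the npm version that trusted publishing depends on; RELEASE.md in this same change states npm 11.5.1 or newer, but the npm bundled with whichever 24.x release setup-node resolves is not checked anywhere in the job, so a publish may fail at auth with little to explain why. Add a guard step after setup-node that fails early when the version is too old (a `- run: npm --version` with an explicit comparison), or install a pinned npm with `npm install -g npm@<pinned-version>` so the requirement is enforced rather than assumed. Dropping `cache: npm` is reasonable for a release job, but the reason is not recorded; a one-line comment such as `# no dependency cache: release builds resolve from the registry` would keep the intent from being reverted later. The enclosing job continues outside the hunk.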
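Review bot: With `NODE_AUTH_TOKEN` removed here, the `NPM_TOKEN` secret has no remaining use visible in this diff, and a long-lived publish token that is still valid and still stored in the repository is exactly the credential trusted publishing is meant to retire; revoke it on npmjs.com and delete the repository secret as part of this change, and record that step in RELEASE.md. If any earlier step in this job still exports `NODE_AUTH_TOKEN` or writes a token into `.npmrc` (the `npm_state` step starts outside the hunk), confirm it is gone too, since a configured token would presumably take precedence over OIDC and mask a broken trusted-publisher setup. The `if:` guard is unchanged and still relies on `steps.npm_state.outputs.already_published`.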
@@ -75,7 +84,8 @@ arena whoami --json
 ## Troubleshooting
-- Publish job fails with npm auth error (401/404): verify the `NPM_TOKEN` repository secret exists and has permission to publish `@aredotna/cli`.
+- Publish job fails with npm auth error (401/404): verify npm trusted publishing is configured for `aredotna/cli` with workflow filename `publish.yml` and allowed action `npm publish`.
+- Publish job fails before auth: verify the workflow still grants `id-token: write` and publishes on Node 22.14.0 or newer with npm 11.5.1 or newer.
 - Workflow skips publishing: merged PR did not contain one of `major`, `minor`, or `patch` labels.
 - Workflow fails with multiple release labels: keep exactly one of `major|minor|patch` on the PR.
 - Release job says `main` advanced after the PR merged: re-run the `Release` workflow manually after reviewing current `main`.
diff --git a/package-lock.json b/package-lock.json
index d893228..1d59538 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7,6 +7,10 @@
 "": {
 "name": "@aredotna/cli",
 "version": "0.9.1",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/aredotna/cli.git"
+ },
 "dependencies": {
 "ink": "^6.8.0",
 "openapi-fetch": "^0.17.0",
@@ -29,7 +33,7 @@
 "typescript": "^5.5.0"
 },
 "engines": {
- "node": ">=18"
+ "node": ">=20"
 }
 },
 "node_modules/@alcalzone/ansi-tokenize": {
diff --git a/package.json b/package.json
index 93daa85..01e32bb 100644
--- a/package.json
+++ b/package.json
@@ -3,6 +3,10 @@
 "version": "0.9.1",
 "description": "Are.na from the terminal",
 "type": "module",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/aredotna/cli.git"
+ },
 "bin": {
 "arena": "./dist/cli.js"
 },