diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a542031..483652e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,9 +7,13 @@ on:
 default: true
 required: false
 type: boolean
+ npm_scope: # FIXME until setup-node infers scope from package.json
+ description: 'Name of scope to publish package under.'
+ default: nodenv
+ required: false
+ type: string
-permissions:
- contents: write
+permissions: {contents: write}
 jobs:
 github:
@@ -39,3 +43,16 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - run: git push -f origin "HEAD:${GITHUB_REF%%.*}"
+
+ npm:
+ permissions: {id-token: write}
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with: # FIXME https://github.com/actions/setup-node/pull/129
+ scope: ${{ inputs.npm_scope }}
+ registry-url: https://registry.npmjs.org
+ - run: npm publish --provenance
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e07327c..2799446 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,17 +10,11 @@ jobs:
 - run: npm cit
 super-linter:
+ permissions: {contents: read, packages: read, statuses: write}
 runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: read
- statuses: write # to report status checks
 steps:
 - uses: actions/checkout@v4
- with:
- # super-linter needs the full git history to get the
- # list of files that changed across commits
- fetch-depth: 0
+ with: {fetch-depth: 0}
 - uses: super-linter/super-linter/slim@v6
 env:
 GITHUB_TOKEN: ${{ github.token }}
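Review bot: The workflow-level `permissions: {contents: write}` in release.yml remains the default for every job that does not declare its own block, so a job added later without one would receive a write-capable token. Since this commit already scopes the new `npm` job explicitly, consider making the top-level default `permissions: {}` and granting `contents: write` only on the jobs that create the release or push the tag. The `jobs:` mapping continues outside this hunk, so which jobs need write access should be confirmed against the full file. On the new input, the FIXME on `npm_scope` would be easier to track with the same upstream link used on the `with:` line of the `npm` job.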
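Review bot: The new `npm` job references `actions/checkout@v4` and `actions/setup-node@v4` by mutable tag while holding `id-token: write` and, on the publish step, `NODE_AUTH_TOKEN`; pinning both to a full commit SHA, e.g. `uses: actions/setup-node@<full-commit-sha> # v4`, keeps a retagged action from running in the release path. Because a job-level `permissions:` block replaces the workflow default, `{id-token: write}` leaves `contents` at `none`; checkout of a public repository still works, but a private one would need `permissions: {contents: read, id-token: write}`. The job also declares no `needs:`, so as far as this hunk shows it publishes independently of the other release jobs; confirm that is intended.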
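Review bot: Collapsing the blocks to flow style in the `super-linter` job of test.yml drops both explanatory comments: why `statuses: write` is granted and why checkout uses `fetch-depth: 0`. The write scope is the only elevated permission in this job, so its reason is worth keeping next to it for later least-privilege reviews. I would keep the one-line form but restore the rationale, e.g. `# statuses: write is needed to report status checks` above the `permissions:` line and `with: {fetch-depth: 0} # super-linter needs full history to list changed files`.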