diff --git a/.github/workflows/test-and-tag.yml b/.github/workflows/test-and-tag.yml
index b199b92dbe..c08294c396 100644
--- a/.github/workflows/test-and-tag.yml
+++ b/.github/workflows/test-and-tag.yml
@@ -6,6 +6,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: read
+
 concurrency:
   group: test-build-${{ github.ref_name }}-${{ github.event_name }}
   cancel-in-progress: true
@@ -46,7 +50,14 @@ jobs:
           TZ: America/New_York
         run: npm test
 
+      - name: Upgrade npm for OIDC support 📦
+        # Upgrade npm to support OIDC trusted publishing. Earlier steps run with the
+        # npm version bundled with current Node version to maintain consistency with
+        # the development environment. Only the Publish step requires the newer version.
+        # See https://docs.npmjs.com/trusted-publishers
+        # > Note: Trusted publishing requires npm CLI version 11.5.1 or later.
+        # TODO: This can be removed once we upgrade to Node 24 or greater.
+        run: npm install -g npm@^11.5.1
+
       - name: Publish 📚
         run: npm publish --tag next --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}