diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4b17aae..c6c0d8c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,23 +12,29 @@ jobs: name: push runs-on: ubuntu-latest + permissions: + # https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions + id-token: write + steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4.2.2 with: lfs: true - - uses: actions/setup-node@v2 + - run: corepack enable + - uses: actions/setup-node@v4.1.0 with: - node-version: 16.x - registry-url: https://registry.npmjs.org + node-version: 22.x + cache: yarn - - run: corepack enable - - run: yarn install --frozen-lockfile + - run: yarn install --immutable - run: yarn run build - run: yarn run lint:ci - run: yarn run test + - run: yarn pack - name: Publish to NPM if: ${{ startsWith(github.ref, 'refs/tags/v') }} - run: yarn publish --access public + # `yarn npm publish` does not currently support --provenance: https://github.com/yarnpkg/berry/issues/5430 + run: npm publish package.tgz --provenance --access public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} diff --git a/.gitignore b/.gitignore index a52167f..e3858f4 100644 --- a/.gitignore +++ b/.gitignore @@ -106,5 +106,10 @@ dist # MacOS .DS_Store -# Yarn +# Yarn & packaging +.pnp.* .yarn +!.yarn/patches +!.yarn/plugins +!.yarn/sdks +*.tgz \ No newline at end of file
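Review bot: The job-level `permissions` block grants `id-token: write` to every step, so `yarn install`, `yarn run build` and `yarn run test`, which execute dependency and project scripts, run in a job that can mint OIDC tokens; as far as the hunk shows, only the publish step is gated on a tag. Moving the publish step into its own tag-gated job that receives `package.tgz` as an artifact would keep that permission and `NPM_PUBLISH_TOKEN` away from the build steps. Declaring `permissions` also sets every unlisted scope to none, so add `contents: read` so the checkout (with LFS) does not depend on the repository being public. Separately, the hunk removes `registry-url: https://registry.npmjs.org` from setup-node, and that input is what makes setup-node write the `.npmrc` that reads `NODE_AUTH_TOKEN`; unless the repository carries its own `.npmrc`, `npm publish` will run unauthenticated. The job key and the workflow triggers are outside the hunk, so the sketch below uses a placeholder for the build job's id.

```yaml
    permissions:
      contents: read

    steps:
      # … unchanged: checkout, corepack enable, setup-node, install, build, lint, test …
      - run: yarn pack
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: package.tgz

  publish:
    # <build-job-id> is a placeholder: the key of the job above is outside the hunk
    needs: <build-job-id>
    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: package
      - uses: actions/setup-node@v4.1.0
        with:
          node-version: 22.x
          registry-url: https://registry.npmjs.org
      - run: npm publish package.tgz --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
```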
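Review bot: The added negation lines `!.yarn/patches`, `!.yarn/plugins` and `!.yarn/sdks` will have no effect, because the unchanged `.yarn` line above them excludes the directory itself and git cannot re-include a path whose parent directory is excluded. Change that context line to `.yarn/*` so that only the directory's contents are ignored and the exceptions apply. As written, dependency patches placed under `.yarn/patches` stay ignored unless force-added, so they would not reach review or the CI checkout.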