diff --git a/.github/workflows/publish-typescript-sdk.yml b/.github/workflows/publish-typescript-sdk.yml index 4dece9d8de..2f1f5379bc 100644 --- a/.github/workflows/publish-typescript-sdk.yml +++ b/.github/workflows/publish-typescript-sdk.yml @@ -25,22 +25,6 @@ env: ACTIONS_RUNNER_DEBUG: true jobs: - changelog: - # manually temporarily disabled - if: false - name: 'Generate Changelog' - runs-on: ['ubuntu-latest'] - steps: - - name: 'Checkout' - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: 'Generate Changelog' - run: npm_config_yes=true npx changelogithub - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - publish-npm: # manually temporarily disabled if: false @@ -76,16 +60,19 @@ jobs: - name: 'Publish to NPM' working-directory: './typescript-sdk' - run: | - npm publish --access='public' --no-git-checks env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + # https://docs.npmjs.com/generating-provenance-statements + NPM_CONFIG_PROVENANCE: true + run: | + npm publish --access='public' --no-git-checks publish-github: name: 'Publish GitHub Package Registry' permissions: + contents: read id-token: write - contents: write + packages: write runs-on: ['ubuntu-latest'] steps: - name: 'Checkout' @@ -101,12 +88,17 @@ jobs: - name: 'Install Nix' uses: cachix/install-nix-action@v25 with: - nix_path: nixpkgs=channel:${{ env.NIXPKGS_CHANNEL }} github_access_token: ${{ github.token }} + nix_path: nixpkgs=channel:${{ env.NIXPKGS_CHANNEL }} - run: | nix-channel --add https://nixos.org/channels/${{ env.NIXPKGS_CHANNEL }} nixpkgs nix-channel --update + - name: 'Update ~/.npmrc' + working-directory: './typescript-sdk' + run: | + echo "//npm.pkg.github.com:_authToken=${{ secrets.GITHUB_TOKEN }}" >> .npmrc + - name: 'Build SDK' working-directory: './typescript-sdk' run: | 
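Review bot: The `NPM_CONFIG_PROVENANCE: true` added to the 'Publish to NPM' step only yields a provenance statement if the `publish-npm` job grants `id-token: write`, and no `permissions` block for that job is visible here. The job starts outside this hunk, so this needs checking against the full file. If it is missing, I would add `permissions:` with `contents: read` and `id-token: write` to `publish-npm`, mirroring what `publish-github` declares. A short comment next to the variable, such as `# requires id-token: write on this job`, would keep the dependency visible once the `if: false` guard is lifted.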
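Review bot: The new 'Update ~/.npmrc' step expands `${{ secrets.GITHUB_TOKEN }}` into the script text and appends it to `.npmrc` inside `./typescript-sdk`, not to the home directory the step name suggests. It also runs before 'Build SDK', so any build or dependency script in that step can read a token that carries `packages: write` from the package directory. GitHub's documented key is `//npm.pkg.github.com/:_authToken`, with a slash before the colon, so the form written here may not be matched to the registry at all. Writing a placeholder keeps the secret out of the file and lets the publish step's `NODE_AUTH_TOKEN` supply it: `echo '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}' >> "$HOME/.npmrc"`. npm expands `${VAR}` in `.npmrc` at run time, but that should be confirmed for the yarn version used by the publish step.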
@@ -114,7 +106,27 @@ jobs: - name: 'Publish to GitHub Package Registry' working-directory: './typescript-sdk' + env: + NPM_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # https://docs.npmjs.com/generating-provenance-statements + NPM_CONFIG_PROVENANCE: true run: | - npm publish --access='private' --no-git-checks + yarn publish --access='public' --registry='https://npm.pkg.github.com' --no-git-checks + + changelog: + # manually temporarily disabled + if: false + name: 'Generate Changelog' + runs-on: ['ubuntu-latest'] + needs: ['publish-npm'] + steps: + - name: 'Checkout' + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: 'Generate Changelog' + run: npm_config_yes=true npx changelogithub env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
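Review bot: `NPM_CONFIG_PROVENANCE: true` on the 'Publish to GitHub Package Registry' step is unlikely to have any effect. Provenance statements are generated by the npm CLI when publishing to the public npm registry, whereas this step now runs `yarn publish` against `https://npm.pkg.github.com`. Unless the client and registry are confirmed to support it, I would drop the variable so the workflow does not imply an attestation it does not produce. The same `GITHUB_TOKEN` is also supplied three ways (`NPM_AUTH_TOKEN`, `NODE_AUTH_TOKEN`, and the `.npmrc` line written by the earlier step), and keeping a single path leaves fewer places to audit. In the re-added `changelog` job, `npx changelogithub` fetches an unpinned package and runs it with `GITHUB_TOKEN` in its environment, so I would pin it as `npx changelogithub@<pinned-version>` and give the job an explicit `permissions:` block.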