diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6184a5067..c368c4623 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,10 +4,17 @@ on: pull_request: branches: - main - - 'v*-dev' - - 'v*-stable' + - "v*-dev" + - "v*-stable" types: [closed] +permissions: + contents: write + actions: read + issues: read + pull-requests: read + id-token: write + jobs: publish: if: github.event.pull_request.merged == true @@ -20,7 +27,7 @@ jobs: - name: checkout uses: actions/checkout@v4 - name: Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node }} - name: Setup yarn @@ -33,11 +40,6 @@ jobs: - name: Copy Readme run: | cp ./README.md packages/eagle/README.md - - name: Write .npmrc - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - echo //registry.npmjs.org/:_authToken=$NPM_TOKEN >> ~/.npmrc - name: Set Current Version run: | CURRENT_VERSION=$(node -p 'require("./lerna.json").version') @@ -64,12 +66,23 @@ jobs: github_repo: ${{ github.repository }} git_commit_sha: ${{ github.sha }} git_tag_prefix: "v" + - name: Setup npm trusted publishing + if: steps.tag_check.outputs.exists_tag == 'false' + uses: actions/setup-node@v4 + with: + node-version: 22.14.0 + registry-url: https://registry.npmjs.org + - name: Install npm with OIDC support + if: steps.tag_check.outputs.exists_tag == 'false' + run: | + npm install -g npm@^11.5.1 + npm --version - name: Publish uses: nick-fields/retry@v2 if: steps.tag_check.outputs.exists_tag == 'false' with: - timeout_minutes: 10 # 设置超时时间,单位为分钟 - max_attempts: 3 # 设置最大重试次数 + timeout_minutes: 10 # 设置超时时间,单位为分钟 + max_attempts: 3 # 设置最大重试次数 command: | yarn lerna publish from-package --no-verify-access --yes - name: Get Output 
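Review bot: The new `permissions:` block is declared at workflow level, so `contents: write` and `id-token: write` apply to every job in this file rather than only to the job that publishes. Only the `publish` job is visible and the `jobs:` section continues outside the hunk, so whether other jobs exist cannot be confirmed from here; any that do would also be able to request an OIDC token. I would move the block under `jobs.publish.permissions` and add a comment above it such as `# id-token: write is required for npm trusted publishing (OIDC)`. The `actions: read`, `issues: read` and `pull-requests: read` entries are worth keeping only if a step in the job actually needs them.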
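Review bot: `npm install -g npm@^11.5.1` in the new "Install npm with OIDC support" step resolves a floating range at publish time, so whichever 11.x release is newest on the registry runs inside the job that holds `id-token: write`. Pin an exact version, e.g. `npm install -g npm@11.5.1`, and bump it deliberately; the same reasoning applies to the tag-referenced `actions/setup-node@v4`, which could be pinned to a full commit SHA. The Publish step still runs `yarn lerna publish from-package`, and this hunk does not show whether the lerna version in use performs the OIDC exchange itself or goes through the npm CLI, so that should be confirmed with a test release given that the `NPM_TOKEN` fallback is removed in the same commit. The second `setup-node` also switches the job to Node 22.14.0 regardless of `matrix.node`; a one-line comment above the step saying why would help the next maintainer.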
@@ -131,9 +144,6 @@ jobs: uses: softprops/action-gh-release@v1 with: body: ${{steps.github_release.outputs.changelog}} - tag_name: 'v${{ env.CURRENT_VERSION }}' + tag_name: "v${{ env.CURRENT_VERSION }}" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Clean .npmrc - if: always() - run: rm ~/.npmrc