diff --git a/.github/.OwlBot.lock.yaml b/.github/.OwlBot.lock.yaml index 788f7a9f..0b836e11 100644 --- a/.github/.OwlBot.lock.yaml +++ b/.github/.OwlBot.lock.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,4 +13,4 @@ # limitations under the License. docker: image: gcr.io/cloud-devrel-public-resources/owlbot-nodejs:latest - digest: sha256:fe04ae044dadf5ad88d979dbcc85e0e99372fb5d6316790341e6aca5e4e3fbc8 + digest: sha256:e6d785d6de3cab027f6213d95ccedab4cab3811b0d3172b78db2216faa182e32 diff --git a/.kokoro/publish.sh b/.kokoro/publish.sh index 949e3e1d..ca1d47af 100755 --- a/.kokoro/publish.sh +++ b/.kokoro/publish.sh @@ -27,4 +27,16 @@ NPM_TOKEN=$(cat $KOKORO_KEYSTORE_DIR/73713_google-cloud-npm-token-1) echo "//wombat-dressing-room.appspot.com/:_authToken=${NPM_TOKEN}" > ~/.npmrc npm install -npm publish --access=public --registry=https://wombat-dressing-room.appspot.com +npm pack . +# npm provides no way to specify, observe, or predict the name of the tarball +# file it generates. We have to look in the current directory for the freshest +# .tgz file. +TARBALL=$(ls -1 -t *.tgz | head -1) + +npm publish --access=public --registry=https://wombat-dressing-room.appspot.com "$TARBALL" + +# Kokoro collects *.tgz and package-lock.json files and stores them in Placer +# so we can generate SBOMs and attestations. +# However, we *don't* want Kokoro to collect package-lock.json and *.tgz files +# that happened to be installed with dependencies. +find node_modules -name package-lock.json -o -name "*.tgz" | xargs rm -f \ No newline at end of file diff --git a/.kokoro/release/publish.cfg b/.kokoro/release/publish.cfg index 90b0bc09..2479b117 100644 --- a/.kokoro/release/publish.cfg +++ b/.kokoro/release/publish.cfg 
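Review bot: `TARBALL=$(ls -1 -t *.tgz | head -1)` publishes whichever `.tgz` in the checkout is newest, not necessarily the one `npm pack .` just wrote: if `npm pack` fails and the script does not abort (no `set -e` is visible in this hunk), a stale or pre-existing tarball is published and then archived as the attestation record, and if no tarball exists at all the variable is empty and `npm publish` is invoked with `""` as its argument. Clearing old tarballs first and checking the result closes that gap: `rm -f ./*.tgz` before `npm pack .`, then `[ -n "$TARBALL" ] && [ -f "$TARBALL" ] || { echo "npm pack produced no tarball" >&2; exit 1; }` before the publish. Depending on the npm version in the build image, `npm pack --json` also reports the generated filename directly, so the comment's claim that the name cannot be observed may be worth softening. The `find … | xargs rm -f` cleanup is also safer written as `find node_modules \( -name package-lock.json -o -name '*.tgz' \) -delete`, which avoids word-splitting on unusual filenames and makes the `-o` grouping explicit.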
@@ -37,3 +37,15 @@ env_vars: {
 key: "TRAMPOLINE_BUILD_FILE"
 value: "github/google-auth-library-nodejs/.kokoro/publish.sh"
 }
+
+# Store the packages we uploaded to npmjs.org and their corresponding
+# package-lock.jsons in Placer. That way, we have a record of exactly
+# what we published, and which version of which tools we used to publish
+# it, which we can use to generate SBOMs and attestations.
+action {
+ define_artifacts {
+ regex: "github/**/*.tgz"
+ regex: "github/**/package-lock.json"
+ strip_prefix: "github"
+ }
+}
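Review bot: `regex: "github/**/*.tgz"` and `regex: "github/**/package-lock.json"` archive every matching file anywhere under the checkout, so the record of "exactly what we published" only holds if the `find node_modules … rm -f` cleanup in publish.sh actually ran; an exit from that script after `npm install` but before the cleanup would archive dependency lockfiles and tarballs alongside, or instead of, the published one. If Kokoro's artifact globs allow it, anchoring the patterns to the package root that `TRAMPOLINE_BUILD_FILE` already names is tighter: `regex: "github/google-auth-library-nodejs/*.tgz"` and `regex: "github/google-auth-library-nodejs/package-lock.json"`. The comment says the packages were uploaded to npmjs.org, while publish.sh pushes them through `wombat-dressing-room.appspot.com`; naming the proxy (presumably it forwards to npmjs.org) keeps the provenance description accurate.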