diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
index de2a25c0ca3..1da357b5e3a 100644
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@@ -7,6 +7,9 @@ on:
 jobs:
   prerelease:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
@@ -39,6 +42,6 @@ jobs:
       - name: Push changes
         run: git push --follow-tags
       - name: Run npm publish
-        run: npm publish --tag=${{ steps.extract.outputs.tag }}
+        run: npm publish --tag=${{ steps.extract.outputs.tag }} --provenance
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 3a650d418fc..7a603ac8282 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -24,6 +24,10 @@ jobs:
 
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
     needs: create-release
     if: ${{ needs.create-release.outputs.release_created }}
     steps:
@@ -38,6 +42,6 @@ jobs:
       - name: Install core dependencies
         run: npm ci --no-audit
 
-      - run: npm publish
+      - run: npm publish --provenance
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
diff --git a/package.json b/package.json
index 3ed0971c5ee..c15f1adb677 100644
--- a/package.json
+++ b/package.json
@@ -29,7 +29,7 @@
     "static"
   ],
   "license": "MIT",
-  "repository": "netlify/cli",
+  "repository": "https://github.com/netlify/cli",
   "bin": {
     "ntl": "./bin/run.mjs",
     "netlify": "./bin/run.mjs"