diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0451fe2f04b..2cca381c28a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,8 +13,12 @@ jobs:
 # Prevents action from creating a PR on forks
 if: github.repository == 'apollographql/apollo-client'
 runs-on: ubuntu-latest
+ # Permissions necessary for Changesets to push a new branch and open PRs
+ # (for automated Version Packages PRs), and request the JWT for provenance.
+ # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
 permissions:
- contents: read
+ contents: write
+ pull-requests: write
 id-token: write
 steps:
 - name: Checkout repo
@@ -33,6 +37,7 @@ jobs:
 - name: Append NPM token to .npmrc
 run: |
 cat << EOF > "$HOME/.npmrc"
+ provenance=true
 //registry.npmjs.org/:_authToken=$NPM_TOKEN
 EOF
 env:
diff --git a/.npmrc b/.npmrc
index d144543ec9b..521a9f7c077 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1,2 +1 @@
 legacy-peer-deps=true
-provenance=true
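Review bot: The `contents: write`, `pull-requests: write` and `id-token: write` scopes sit on the job's `permissions:` block, so every step in the job runs with them, not only the Changesets step. The hunk shows only `Checkout repo`, and the rest of the step list is outside it. Any dependency install or build script that runs in this job therefore executes in a job whose token can push branches and which can request an OIDC token. I would record that next to the new comment, e.g. `# These scopes apply to every step in this job; keep third-party actions pinned to a commit SHA.`, and confirm the pinning for the actions used further down.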
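Review bot: With `provenance=true` now written only into the `$HOME/.npmrc` that this step generates, and removed from the repository `.npmrc` in the same commit, provenance depends on this step running before the publish. Any other publish path would stop requesting attestations without an error. Nothing in the workflow says why the setting lives here, so a comment above the step would help, e.g. `# provenance=true is set here, not in the repo .npmrc: presumably it needs the OIDC token requested by this job`. If other workflows in the repository publish packages (none are visible in this diff), they would need the same line or `NPM_CONFIG_PROVENANCE: "true"` in their `env:`. The step's `env:` block continues outside the hunk.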