diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 1db730a9eb..ab1a9c9b38 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -49,6 +49,9 @@ jobs:
   publish:
     needs: test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v3
 
@@ -69,6 +72,9 @@ jobs:
       - name: Gen npmrc
         run: echo "//registry.npmjs.com/:_authToken=${{ secrets.NPM_PUBLISH_TOKEN }}" >> ./.npmrc
 
+      - name: Update npm
+        run: npm install npm@latest -g
+
       - name: Build&publish
         run: sh ./scripts/publish.sh
         env: