diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
new file mode 100644
index 00000000..e0f59910
--- /dev/null
+++ b/.github/workflows/npm-publish.yml
@@ -0,0 +1,25 @@
+name: Publish to NPM
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish-to-npm:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version-file: .node-version
+          registry-url: https://registry.npmjs.org/
+      - name: Upgrade npm for Trusted Publishing
+        run: npm i -g npm@latest
+      - run: yarn --strict-semver --frozen-lockfile
+      - run: yarn build
+      - name: Publish to npmjs.com
+        run: npm publish --access public --provenance
diff --git a/changelog.d/120.misc b/changelog.d/120.misc
new file mode 100644
index 00000000..fd833078
--- /dev/null
+++ b/changelog.d/120.misc
@@ -0,0 +1 @@
+Update CI to use NPM Trusted Publishing.