diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
index 5cfe38295..56147d423 100644
--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'shopify'
     name: Changelog PR or Release
+    permissions:
+      id-token: write
     outputs:
       published: ${{ steps.changesets.outputs.published }}
       # A JSON array to present the published packages. The format is [{"name": "@xx/xx", "version": "1.2.0"}, {"name": "@xx/xy", "version": "0.8.9"}]
@@ -63,6 +65,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
   compile:
     needs: changelog
diff --git a/.github/workflows/next-release.yml b/.github/workflows/next-release.yml
index 757e8c387..a01a1359c 100644
--- a/.github/workflows/next-release.yml
+++ b/.github/workflows/next-release.yml
@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     # don't run if a commit message with [ci] release is present. The release workflow will do the release
     if: github.repository_owner == 'shopify' && !startsWith(github.event.head_commit.message, '[ci] release')
+    permissions:
+      id-token: write
     outputs:
       NEXT_VERSION: ${{ steps.version.outputs.NEXT_VERSION }}
     steps:
@@ -60,6 +62,7 @@ jobs:
           npm run version:post
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - name: 🏗 Build
         if: steps.version.outputs.NEXT_VERSION
diff --git a/.github/workflows/snapit.yml b/.github/workflows/snapit.yml
index 803feab94..9db744a25 100644
--- a/.github/workflows/snapit.yml
+++ b/.github/workflows/snapit.yml
@@ -10,6 +10,8 @@ jobs:
     name: Snapit
     if: ${{ github.event.issue.pull_request && github.event.comment.body == '/snapit' }}
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       # WARNING: DO NOT RUN ANY CUSTOM LOCAL SCRIPT BEFORE RUNNING THE SNAPIT ACTION
       # This action can be executed by 3rd party users and it should not be able to run arbitrary code from a PR.
@@ -29,3 +31,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 3ca49b9a7..11c180c80 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -7,6 +7,11 @@
   "version": "9.0.4",
   "license": "MIT",
   "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Shopify/hydrogen.git",
+    "directory": "packages/cli-hydrogen"
+  },
   "scripts": {
     "build": "tsup && node scripts/build-check.mjs",
     "dev": "tsup --watch ./src --watch ../../templates/skeleton",
diff --git a/packages/create-hydrogen/package.json b/packages/create-hydrogen/package.json
index 4acc9904e..f02cf5fc0 100644
--- a/packages/create-hydrogen/package.json
+++ b/packages/create-hydrogen/package.json
@@ -7,6 +7,11 @@
   "license": "MIT",
   "version": "5.0.14",
   "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Shopify/hydrogen.git",
+    "directory": "packages/create-hydrogen"
+  },
   "scripts": {
     "build": "tsup --clean",
     "dev": "tsup --watch src --watch ../cli/src",
diff --git a/packages/hydrogen/package.json b/packages/hydrogen/package.json
index d70d36b16..4633b1ba0 100644
--- a/packages/hydrogen/package.json
+++ b/packages/hydrogen/package.json
@@ -11,6 +11,11 @@
   "module": "dist/production/index.js",
   "types": "dist/production/index.d.ts",
   "sideEffects": false,
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Shopify/hydrogen.git",
+    "directory": "packages/hydrogen"
+  },
   "scripts": {
     "build": "tsup --clean",
     "dev": "tsup --watch ./src --watch ../../node_modules/@shopify/hydrogen-react/dist/browser-prod/index.mjs",
diff --git a/packages/mini-oxygen/package.json b/packages/mini-oxygen/package.json
index 70cac9375..8a298d0ff 100644
--- a/packages/mini-oxygen/package.json
+++ b/packages/mini-oxygen/package.json
@@ -12,7 +12,11 @@
   "module": "dist/worker/index.js",
   "types": "./dist/worker/index.d.ts",
   "sideEffects": false,
-  "repository": "https://github.com/Shopify/hydrogen.git",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Shopify/hydrogen.git",
+    "directory": "packages/mini-oxygen"
+  },
   "scripts": {
     "build": "tsup",
     "dev": "tsup --watch",
diff --git a/packages/remix-oxygen/package.json b/packages/remix-oxygen/package.json
index 9c2514192..acb3732f8 100644
--- a/packages/remix-oxygen/package.json
+++ b/packages/remix-oxygen/package.json
@@ -11,6 +11,11 @@
   "module": "dist/production/index.js",
   "types": "dist/production/index.d.ts",
   "sideEffects": false,
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Shopify/hydrogen.git",
+    "directory": "packages/remix-oxygen"
+  },
   "scripts": {
     "build": "tsup --clean",
     "dev": "tsup --watch",