diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a695dec..9fdf1eb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,12 +3,14 @@ on:
   push:
     branches:
       - main
-permissions:
-  contents: read
-  id-token: write # required for npm trusted publisher (OIDC)
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # required for npm trusted publisher (OIDC)
+
 
     steps:
       - uses: actions/checkout@v4
@@ -16,7 +18,18 @@ jobs:
         with:
           node-version: "18.x"
           registry-url: "https://registry.npmjs.org"
+
+      - name: Use latest npm (trusted publisher support)
+        run: npm install -g npm@latest
+        
+      - name: Clean legacy npm auth config
+        run: npm config delete //registry.npmjs.org/:_authToken || true
+        
       - run: npm ci
       - run: npm run build
+      
+      - name: Verify identity (OIDC)
+        run: npm whoami
+
       # OIDC auth + provenance; no token needed when using trusted publishers
       - run: npm publish --provenance --access public
diff --git a/package.json b/package.json
index 13490e4..23e465a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@watts-lab/surveys",
-  "version": "1.19.3",
+  "version": "1.19.4",
   "description": "",
   "main": "dist/index.js",
   "module": "dist/index.js",