diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 02609ea4..396a6090 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -322,6 +322,7 @@ jobs:
         shell: bash
     permissions:
       deployments: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -338,7 +339,7 @@ jobs:
       - name: Publish
         env:
           PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
-        run: npm publish
+        run: npm publish --provenance
 
   post-release-integration:
     needs: [ release, release-integration ]
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 4750060f..666e52c6 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "4.13.0"
+  ".": "4.14.1"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f2bdd18..2e50761a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,21 @@
 # Changelog
 
+## [4.14.1](https://github.com/npm/template-oss/compare/v4.14.0...v4.14.1) (2023-04-19)
+
+### Bug Fixes
+
+* [`f8976ca`](https://github.com/npm/template-oss/commit/f8976ca3a18ff6924c656cd486c9691f613d833f) [#303](https://github.com/npm/template-oss/pull/303) add id-token access to publish action (#303) (@wraithgar)
+
+## [4.14.0](https://github.com/npm/template-oss/compare/v4.13.0...v4.14.0) (2023-04-19)
+
+### Features
+
+* [`31ce960`](https://github.com/npm/template-oss/commit/31ce960dd269d0560fe9496b287efd1bbe4f01aa) [#302](https://github.com/npm/template-oss/pull/302) publish with provenance (#302) (@wraithgar)
+
+### Dependencies
+
+* [`d17e7d9`](https://github.com/npm/template-oss/commit/d17e7d9b7593f6a97038c8b01c35cf9b3fae9497) [#300](https://github.com/npm/template-oss/pull/300) bump glob from 9.3.5 to 10.1.0 (#300)
+
 ## [4.13.0](https://github.com/npm/template-oss/compare/v4.12.1...v4.13.0) (2023-03-23)
 
 ### Features
diff --git a/lib/content/_job-release-integration.yml b/lib/content/_job-release-integration.yml
index e064d4e4..49ade657 100644
--- a/lib/content/_job-release-integration.yml
+++ b/lib/content/_job-release-integration.yml
@@ -5,6 +5,7 @@ defaults:
     shell: bash
 permissions:
   deployments: write
+  id-token: write
 steps:
   - name: Checkout
     uses: actions/checkout@v3
@@ -21,7 +22,7 @@ steps:
   - name: Publish
     env:
       PUBLISH_TOKEN: $\{{ secrets.PUBLISH_TOKEN }}
-    run: npm publish
+    run: npm publish --provenance
 {{else}}
 runs-on: ubuntu-latest
 defaults:
diff --git a/lib/util/files.js b/lib/util/files.js
index 5c2851cc..c18979bf 100644
--- a/lib/util/files.js
+++ b/lib/util/files.js
@@ -2,7 +2,7 @@ const { join } = require('path')
 const { defaultsDeep } = require('lodash')
 const merge = require('./merge.js')
 const deepMapValues = require('just-deep-map-values')
-const glob = require('glob')
+const { glob } = require('glob')
 const Parser = require('./parser.js')
 const template = require('./template.js')
 
diff --git a/package.json b/package.json
index 8fa562a0..2286dd64 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/template-oss",
-  "version": "4.13.0",
+  "version": "4.14.1",
   "description": "templated files used in npm CLI team oss projects",
   "main": "lib/content/index.js",
   "bin": {
@@ -42,7 +42,7 @@
     "@npmcli/package-json": "^3.0.0",
     "@octokit/rest": "^19.0.4",
     "diff": "^5.0.0",
-    "glob": "^9.3.1",
+    "glob": "^10.1.0",
     "handlebars": "^4.7.7",
     "hosted-git-info": "^6.0.0",
     "ini": "^4.0.0",