diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 4c33cf9..f6795d6 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -17,9 +17,7 @@ jobs:
 github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'skip-release') == false
 runs-on: ubuntu-latest
- permissions:
- packages: write
- contents: write
+ environment: 'deployment'
 steps:
 - name: Checkout repository
@@ -37,7 +35,7 @@ jobs:
 id: calculate
 uses: UKHomeOffice/sas-github-workflows/.github/actions/calculate-semver-value@v2
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ github_token: ${{ secrets.AUTH_TOKEN }}
 default_to_highest: ${{ github.base_ref == 'main' }}
 - name: Bump release version
@@ -50,19 +48,20 @@ jobs:
 npm --loglevel warn ci --ignore-scripts
 shell: bash
 env:
- NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ NODE_AUTH_TOKEN: ${{secrets.AUTH_TOKEN}}
 - name: Publish npm package
 run: |
 npm publish
 shell: bash
 env:
- NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ NODE_AUTH_TOKEN: ${{secrets.AUTH_TOKEN}}
 - name: Configure git
 run: |
 git config user.name "$GITHUB_ACTOR"
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+ git remote set-url origin https://${{ secrets.AUTH_TOKEN }}@github.com/username/repository.git
 shell: bash
 - name: Commit version
@@ -76,4 +75,4 @@ jobs:
 uses: UKHomeOffice/semver-tag-action@v4
 with:
 tag: ${{ steps.calculate.outputs.version }}
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ github_token: ${{ secrets.AUTH_TOKEN }}
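Review bot: In the first hunk (`@@ -17,9 +17,7 @@`), removing the job-level `permissions:` block leaves the automatic `GITHUB_TOKEN` at whatever default the repository or organisation sets, which can be read-write on every scope. Since the steps now authenticate with `secrets.AUTH_TOKEN`, the job should state its minimum explicitly, for example a `permissions:` block holding only `contents: read` next to the new `environment: 'deployment'` line. The `deployment` environment only restricts access to `AUTH_TOKEN` if it has protection rules (required reviewers or a branch restriction) configured; that is not visible in this diff and is worth confirming. The job definition starts above this hunk and continues below it.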
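Review bot: The `calculate-semver-value@v2` step in the second hunk now receives `secrets.AUTH_TOKEN` while the action is still referenced by a mutable tag; the same applies to `UKHomeOffice/semver-tag-action@v4` in the last hunk (`@@ -76,4 +75,4 @@`). If `AUTH_TOKEN` is a personal access token (the diff does not say), it outlives the job and is not confined to this repository the way `GITHUB_TOKEN` was, so any code later published under those tags would run with it. Pin both `uses:` references to a full commit SHA, e.g. `uses: UKHomeOffice/semver-tag-action@<full-commit-sha> # v4`, and scope the token to the permissions these steps actually need.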
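Review bot: The added `git remote set-url origin https://${{ secrets.AUTH_TOKEN }}@github.com/...` line in the `Configure git` step (third hunk) stores the token in clear text in `.git/config`, where every later step and action in the job can read it. Its path `username/repository` also looks like an unreplaced placeholder; `${{ github.repository }}` gives the real value. Prefer dropping the line and passing `token: ${{ secrets.AUTH_TOKEN }}` to the checkout step, which lies outside this hunk; `actions/checkout` configures push credentials from that input and removes them in its post-job cleanup. Separately, the `npm ... ci` step now receives the same token in `NODE_AUTH_TOKEN` as the publish step; a read-only token would be enough there.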