diff --git a/.github/workflows/ci-verify.yml b/.github/workflows/ci-verify.yml
new file mode 100644
index 0000000..c5bdc83
--- /dev/null
+++ b/.github/workflows/ci-verify.yml
@@ -0,0 +1,51 @@
+name: CI - Verify
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    strategy:
+      matrix:
+        node-version: [20.x, 22.x, 24.x]
+    steps:
+      - uses: actions/checkout@v7
+      - name: Install node ${{ matrix.node-version }}
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install dependencies
+        run: npm ci
+      - name: Run tests
+        run: npm test
+      - name: Report Coverage
+        if: always()
+        uses: davelosert/vitest-coverage-report-action@v2
+        with:
+          threshold-icons: "{0: '🔴', 80: '🟠', 90: '🟢'}"
+  verify-publish:
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+      packages: write
+    steps:
+      - uses: actions/checkout@v7
+      - uses: actions/setup-node@v6
+        with:
+          node-version: "24.x"
+          registry-url: "https://registry.npmjs.org"
+      - run: npm ci
+      - run: npm run build
+      - name: Generate provenance
+        uses: actions/attest-build-provenance@v4
+        with:
+          subject-path: dist/**
+      - name: Verify npm publish
+        run: npm publish --provenance --dry-run || true
diff --git a/.github/workflows/ci-vitest.yml b/.github/workflows/ci-vitest.yml
deleted file mode 100644
index 87219eb..0000000
--- a/.github/workflows/ci-vitest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: CI - Run Vitest
-on:
-  pull_request:
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-    strategy:
-      matrix:
-        node-version: [20.x, 22.x, 24.x]
-    steps:
-      - uses: actions/checkout@v7
-      - name: Install node ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ matrix.node-version }}
-      - name: Install dependencies
-        run: npm ci
-      - name: Run tests
-        run: npx vitest --coverage.enabled true
-      - name: "Report Coverage"
-        if: always()
-        uses: davelosert/vitest-coverage-report-action@v2
-        with:
-          threshold-icons: "{0: '🔴', 80: '🟠', 90: '🟢'}"
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 9ce4e03..dd41308 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -1,8 +1,10 @@
 name: Publish Package to npmjs
+
 on:
   push:
     tags:
       - "v*"
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -20,10 +22,7 @@ jobs:
       - run: npm ci
       - run: npm run build
       - name: Generate provenance
-        uses: actions/attest-build-provenance@v1
-        env:
-          # actions/attest-build-provenance@v1 uses Node 20
-          ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+        uses: actions/attest-build-provenance@v4
         with:
           subject-path: dist/**
       - run: npm publish --provenance --access public