diff --git a/.github/workflows/pxt-buildmain.yml b/.github/workflows/pxt-buildmain.yml
index e58a4719995f..764ceb6a8590 100644
--- a/.github/workflows/pxt-buildmain.yml
+++ b/.github/workflows/pxt-buildmain.yml
@@ -1,11 +1,13 @@
 name: pxt-buildmain
 
+permissions:
+  id-token: write  # Required for OIDC
+
 on:
   push:
     branches:
       - 'master'
       - 'main'
-  create:
 
 jobs:
   build:
@@ -18,7 +20,11 @@ jobs:
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@main
         with:
-          node-version: '16.x'
+          node-version: 20.x
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: npm install
         run: |
           sudo apt-get install xvfb
@@ -28,9 +34,8 @@ jobs:
         run: |
           npm test
         env:
-          CROWDIN_KEY: ${{ secrets.CROWDIN_KEY }}
           PXT_ACCESS_TOKEN: ${{ secrets.PXT_ACCESS_TOKEN }}
-          NPM_ACCESS_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
+          NPM_PUBLISH: true
           PXT_ENV: production
           CHROME_BIN: chromium-browser
           DISPLAY: :99.0
diff --git a/.github/workflows/pxt-buildpr.yml b/.github/workflows/pxt-buildpr.yml
index 5313b59901f2..95f192510a90 100644
--- a/.github/workflows/pxt-buildpr.yml
+++ b/.github/workflows/pxt-buildpr.yml
@@ -13,7 +13,11 @@ jobs:
       - name: Set Node.js version
         uses: actions/setup-node@main
         with:
-          node-version: '16.x'
+          node-version: 20.x
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: npm install
         run: |
           sudo apt-get install xvfb
diff --git a/.github/workflows/pxt-buildpush.yml b/.github/workflows/pxt-buildpush.yml
index 3249e06ec013..c6b39dc0e07c 100644
--- a/.github/workflows/pxt-buildpush.yml
+++ b/.github/workflows/pxt-buildpush.yml
@@ -1,11 +1,15 @@
 name: pxt-buildpush
 
+permissions:
+  id-token: write  # Required for OIDC
+
 on:
   push:
     # main/master has its own build that includes the crowdin key
     branches-ignore:
       - 'main'
       - 'master'
+  create:
 
 jobs:
   build:
@@ -18,18 +22,25 @@ jobs:
       - name: Set Node.js version
         uses: actions/setup-node@main
         with:
-          node-version: '16.x'
+          node-version: 20.x
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: npm install
         run: |
           sudo apt-get install xvfb
           sudo npm install -g pxt
           npm install
+
       - name: npm test
         run: |
           npm test
+
         env:
+          CROWDIN_KEY: ${{ secrets.CROWDIN_KEY }}
           PXT_ACCESS_TOKEN: ${{ secrets.PXT_ACCESS_TOKEN }}
-          NPM_ACCESS_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
+          NPM_PUBLISH: true
           PXT_ENV: production
           CHROME_BIN: chromium-browser
           DISPLAY: :99.0
diff --git a/cli/cli.ts b/cli/cli.ts
index 9f7f5fe7bf4f..bc863ec354fd 100644
--- a/cli/cli.ts
+++ b/cli/cli.ts
@@ -414,14 +414,10 @@ async function ciAsync() {
         buildInfo.branch = "local"
 
     const { tag, branch, pullRequest } = buildInfo
-    const atok = process.env.NPM_ACCESS_TOKEN
-    const npmPublish = /^v\d+\.\d+\.\d+$/.exec(tag) && atok;
+    const npmPublish = /^v\d+\.\d+\.\d+$/.exec(tag) && process.env.NPM_PUBLISH;
 
     if (npmPublish) {
-        let npmrc = path.join(process.env.HOME, ".npmrc")
-        pxt.log(`setting up ${npmrc}`)
-        let cfg = "//registry.npmjs.org/:_authToken=" + atok + "\n"
-        fs.writeFileSync(npmrc, cfg)
+        pxt.log(`npm publish is true`)
     }
 
     process.env["PXT_ENV"] = "production";