diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0ad677f..6a4f59d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -43,14 +43,17 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '24'
+          node-version: '20'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Upgrade npm for OIDC
+        run: npm install -g npm@11.5.1
+
       - name: Install Dependencies
         run: npm ci
 
       - name: Publish to npm
-        run: npm publish --access public
+        run: npm publish --access public --provenance
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
diff --git a/.github/workflows/recover-release.yml b/.github/workflows/recover-release.yml
new file mode 100644
index 0000000..407ac0a
--- /dev/null
+++ b/.github/workflows/recover-release.yml
@@ -0,0 +1,63 @@
+name: Recover Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag to recover, for example v3.0.4"
+        required: true
+        type: string
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  recover:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Checkout tag
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.tag }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          registry-url: "https://registry.npmjs.org"
+          cache: "npm"
+
+      - name: Upgrade npm for OIDC
+        run: npm install -g npm@11.5.1
+
+      - name: Install Dependencies
+        run: npm ci
+
+      - name: Verify requested tag
+        run: |
+          PACKAGE_VERSION="$(node -p "require('./package.json').version")"
+          if [ "${{ inputs.tag }}" != "v${PACKAGE_VERSION}" ]; then
+            echo "Tag ${{ inputs.tag }} does not match package version v${PACKAGE_VERSION}" >&2
+            exit 1
+          fi
+
+      - name: Publish to npm if missing
+        run: |
+          PACKAGE_NAME="$(node -p "require('./package.json').name")"
+          PACKAGE_VERSION="$(node -p "require('./package.json').version")"
+          if npm view "${PACKAGE_NAME}@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
+            echo "${PACKAGE_NAME}@${PACKAGE_VERSION} is already published; skipping npm publish."
+            exit 0
+          fi
+          npm publish --access public --provenance
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ inputs.tag }}
+          generate_release_notes: true