diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 203c900..a4f5742 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -12,7 +12,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [18, 20, 22]
+        node-version: [20, 22, 24]
         zarrita-version: ["0.5", "0.6", "0.7"]
 
     steps:
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 207f4ba..cf8930d 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -15,10 +15,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Use Node.js 20
+      - name: Use Node.js 24
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 24
           cache: "npm"
           registry-url: https://registry.npmjs.org
 
@@ -33,5 +33,3 @@ jobs:
 
       - name: Publish to npm
         run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/RELEASING.md b/RELEASING.md
new file mode 100644
index 0000000..66c65a4
--- /dev/null
+++ b/RELEASING.md
@@ -0,0 +1,10 @@
+# Releasing
+
+Publishing to npm runs in CI (`.github/workflows/publish.yaml`).
+
+1. `npm version <patch|minor|major>` — bumps `package.json`, commits, tags `vX.Y.Z`.
+2. `git push --follow-tags`
+3. `gh release create vX.Y.Z --generate-notes` — triggers the publish (the tag alone does not).
+4. CI installs, tests, builds, and publishes. Verify with `npm view icechunk-js version`.
+
+Manual fallback (no provenance; prompts for your 2FA code): `npm ci && npm run build && npm publish --access public`.
diff --git a/package.json b/package.json
index 167d07c..71eec7f 100644
--- a/package.json
+++ b/package.json
@@ -2,6 +2,9 @@
   "name": "icechunk-js",
   "version": "0.5.0",
   "description": "Read-only JavaScript/TypeScript reader for Icechunk repositories",
+  "engines": {
+    "node": ">=20"
+  },
   "publishConfig": {
     "access": "public"
   },