diff --git a/.github/actions/npm-publish-hardened/action.yml b/.github/actions/npm-publish-hardened/action.yml
index 43b069f..1d04249 100644
--- a/.github/actions/npm-publish-hardened/action.yml
+++ b/.github/actions/npm-publish-hardened/action.yml
@@ -39,4 +39,15 @@ runs:
 env:
 TARBALL: ${{ inputs.tarball }}
 DIST_TAG: ${{ inputs.tag }}
- run: ${{ github.action_path }}/publish.sh
+ # Invoke bash explicitly rather than running the path as a command.
+ # The GitHub Actions runner does not always preserve the file-mode
+ # exec bit on action checkouts, so `./publish.sh` can silently
+ # fail with "permission denied" while still surfacing as exit 1
+ # with no script output. `bash ` removes that dependency
+ # entirely — bash reads the file regardless of its mode.
+ #
+ # `-e -o pipefail` mirror the runner's default shell flags. The
+ # shebang's flags are ignored when invoked via `bash `, so
+ # passing them explicitly here protects the empty window between
+ # bash startup and the script's own `set -euo pipefail` on line 2.
+ run: bash -eo pipefail "${{ github.action_path }}/publish.sh"
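Review bot: The new `run:` line still splices `${{ github.action_path }}` into the script text before bash parses it, so the added double quotes cover spaces in the path but not a `$`, backtick or quote character. The step already hands `TARBALL` and `DIST_TAG` to the script through `env:` rather than inlining them, and the path can follow the same pattern using the runner-provided variable: `run: bash -eo pipefail "$GITHUB_ACTION_PATH/publish.sh"`. That form is expanded by the shell inside the job's own environment, which is reportedly also the more reliable choice in container jobs; worth confirming for the runners this action targets. The step begins above the hunk, so its `shell:` key is not visible here and the claim that the flags mirror the runner default could not be checked against it.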