From 87d93976787009ad060ede8ed0be639918b856d4 Mon Sep 17 00:00:00 2001
From: Stephen Hellicar
Date: Wed, 8 Apr 2026 01:44:42 +1000
Subject: [PATCH 1/2] Add npm provenance attestation to publish step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds id-token: write permission and --provenance flag to pnpm publish. The attestation cryptographically links each published package to the specific commit and workflow that built it. Appears as a provenance badge on the npmjs.com package page. The npm token is still required for auth — npmjs.com does not support secretless OIDC publishing.
---
 .github/workflows/npm-publish.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 518fd36..3b3eb9d 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -7,6 +7,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -117,6 +119,6 @@ jobs:
             exit 1
           fi
           echo "Publishing with tag: $TAG"
-          pnpm publish --ignore-scripts --no-git-checks --tag "$TAG"
+          pnpm publish --provenance --ignore-scripts --no-git-checks --tag "$TAG"
         env:
           NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
From 11b92379fe0174f8b8fd9b8a8d93ebc03c26dee1 Mon Sep 17 00:00:00 2001
From: Stephen Hellicar
Date: Wed, 8 Apr 2026 02:05:55 +1000
Subject: [PATCH 2/2] Add contents: read permission alongside id-token: write
Explicitly setting any permission drops all implicit permissions. Without contents: read, actions/checkout fails with a 403 because GitHub revokes the default clone access.
---
 .github/workflows/npm-publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 3b3eb9d..9ad31e9 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
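Review bot: The `--provenance` flag on the `pnpm publish` line makes the publish depend on package metadata this hunk does not show: npm checks the package's `repository` field against the repository identity carried in the OIDC token and refuses the publish on a mismatch, so confirm that field points at this repo before the next tagged release rather than discovering it at publish time. The long-lived `NODE_AUTH_TOKEN` from `secrets.npm_token` remains the credential that actually authorizes the publish, and a leak of it still permits publishing regardless of provenance; the description's statement that npmjs offers no secretless OIDC publishing is worth re-checking against the registry's current trusted-publishing support, since that would let the token be dropped entirely. Keeping `--ignore-scripts` next to `--provenance` is the right call, as lifecycle scripts would otherwise execute inside the attested build. The `run` block containing these lines starts outside the hunk.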
@@ -8,7 +8,8 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     permissions:
-      id-token: write
+      contents: read # actions/checkout needs this to clone
+      id-token: write # OIDC token for npm provenance attestation
     steps:
       - uses: actions/checkout@v4
         with:
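Review bot: The job-level `permissions` block grants `id-token: write` to every step of `build`, including third-party actions such as `actions/checkout@v4`, because GitHub Actions permissions cannot be narrowed to a single step; any step in this job can therefore mint an OIDC token asserting this workflow's identity, not just the publish step. If the job also builds and tests (its `steps` continue outside the hunk), consider moving the publish into its own job that alone carries `contents: read` and `id-token: write`, with the built package passed as an artifact, so the token-minting surface is limited to the step that needs it. Pinning actions to a full commit SHA (`actions/checkout@<full-sha>` rather than the mutable `@v4` tag) is the usual companion to provenance, since the attestation vouches for the workflow but not for what a moved tag resolves to. The same `permissions` block was first introduced by the hunk at old line 7 in the first patch; this hunk holds its final form.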