From c4c3c0d48de5300155b90c384b91b27ceb7e6fd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Molinero=20Fern=C3=A1ndez?=
Date: Thu, 18 Jan 2024 20:08:37 +0100
Subject: [PATCH] Publish package with provenance statement
---
 .github/workflows/main.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ede0d59..b56a5ed 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -168,10 +168,11 @@ jobs:
 publish-npm:
 name: 'Publish npm package'
 if: "startsWith(github.ref, 'refs/tags/v')"
- needs: ['build', 'test-node', 'test-deno', 'test-bun', 'test-browser']
+ needs: ['test-node', 'test-deno', 'test-bun', 'test-browser']
 runs-on: 'ubuntu-latest'
 permissions:
 contents: 'read'
+ id-token: 'write'
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11'
@@ -191,13 +192,13 @@ jobs:
 run: |
 PKG_NAME="$(jq -r '.name' ./package.json)"; PKG_VERSION="$(jq -r '.version' ./package.json)"
 if [ "$(npm view "${PKG_NAME:?}" versions --json | jq -r --arg v "${PKG_VERSION:?}" 'index($v)')" = 'null' ]; then
- npm publish
+ npm publish --provenance --access public
 fi
 publish-github-release:
 name: 'Publish GitHub release'
 if: "startsWith(github.ref, 'refs/tags/v')"
- needs: ['build', 'test-node', 'test-deno', 'test-bun', 'test-browser']
+ needs: ['test-node', 'test-deno', 'test-bun', 'test-browser']
 runs-on: 'ubuntu-latest'
 permissions:
 contents: 'write'
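Review bot: The `id-token: 'write'` grant added under `permissions` in `publish-npm` carries no comment, and it is the permission that lets every step in this job request an OIDC token for the workflow's identity. I would put `# id-token: write lets npm request the OIDC token that signs the provenance statement` above it, so the grant stays scoped to this job and is not copied to others by habit. The steps between checkout and publish lie outside the hunk; since the hunk also drops `build` from `needs`, confirm that whatever this job publishes is still produced or fetched by those steps. The same `needs` change appears in `publish-github-release` in the second hunk.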
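Review bot: `npm publish --provenance` depends on two things the changed line does not state: an npm CLI of 9.5.0 or later and the job-level `id-token: 'write'` permission added in the first hunk. The Node/npm setup step is outside this hunk, so I cannot tell which npm version runs here; a comment above the command such as `# --provenance needs npm >= 9.5.0 and id-token: write on this job` would keep the two coupled. Separately, the surrounding guard publishes only when the `npm view … | jq` test yields the literal `null`, so a failed registry lookup appears to skip the publish while the step still succeeds; an `else` branch that logs the skip would make that visible.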