From 91d4962d4758cfd9088102eb800753ac68c50378 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20De=20Boey?=
Date: Wed, 16 Oct 2024 22:09:33 +0200
Subject: [PATCH] fix: generate provenance statements on release

---
 .github/workflows/release.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f6f6bfdd..51bc417b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,12 @@ concurrency:
 group: release
 cancel-in-progress: false

+permissions:
+ contents: write # to be able to publish a GitHub release
+ id-token: write # to enable use of OIDC for npm provenance
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+
 jobs:
 publish:
 name: Publish NPM package
@@ -37,7 +43,8 @@ jobs:
 run: npm run build

 - name: Release new version
+ run: npx semantic-release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NPM_CONFIG_PROVENANCE: true
 NPM_TOKEN: ${{ secrets.NPM_AUTOMATION_TOKEN }}
- run: npx semantic-release
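Review bot: The new `permissions:` block sits at workflow level, above `jobs:`, so every job in release.yml inherits `contents: write` and `id-token: write`, not only the one that publishes. Declaring the same four scopes under `jobs.publish` instead would keep the OIDC token request and the write scopes confined to the publishing job if the workflow has, or later gains, other jobs. Only the `publish` job header is visible in this hunk, so whether other jobs exist cannot be confirmed from here. Within that job the scopes still apply to every step, including the build step shown as context in the second hunk.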
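Review bot: `NPM_CONFIG_PROVENANCE: true` in the `Release new version` step has prerequisites that are not stated next to it: the `id-token: write` permission added in the first hunk, and an npm CLI recent enough to support provenance (9.5.0 or later). A trailing comment such as `NPM_CONFIG_PROVENANCE: true # needs id-token: write and npm >= 9.5.0` would stop a later permissions clean-up or a Node downgrade from breaking the release step without an obvious cause. The steps that set up Node and install dependencies are outside this hunk, so the npm version in use cannot be checked here. Provenance is added alongside `NPM_TOKEN`, not instead of it, so that long-lived token still needs its usual rotation and scoping.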