From 0ea943a719667f20c71182162d6bde08c64aa578 Mon Sep 17 00:00:00 2001
From: timo <22354443+tnkuehne@users.noreply.github.com>
Date: Thu, 27 Nov 2025 09:34:20 +0100
Subject: [PATCH 1/2] Generate provenance statement on release to increase security

---
 .github/workflows/release.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index bcc018f..a73c499 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,6 +11,9 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 strategy:
 matrix:
 node-version: [18]
@@ -47,7 +50,7 @@ jobs:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 - run: node scripts/prepublish.mjs
 
- - run: pnpm publish --no-git-checks --filter '!monorepo'
+ - run: pnpm publish --provenance --no-git-checks --filter '!monorepo'
 
 - name: Archive npm failure logs
 uses: actions/upload-artifact@v4

From adfbe9b826facc4e8c43d066dbb06e13d6e8325e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20Coss=C3=ADo?=
Date: Mon, 1 Dec 2025 17:58:22 -0300
Subject: [PATCH 2/2] add comment

---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a73c499..f55113b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
- id-token: write
+ id-token: write # Required for provenance statement
 strategy:
 matrix:
 node-version: [18]
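Review bot: `id-token: write` is granted to the whole `build` job, so every step that runs in it — including third-party actions such as the `actions/upload-artifact@v4` visible in the second hunk — can request an OIDC token that identifies this workflow, not only the publish step that needs it. Scoping the grant at job level rather than workflow level, and replacing the default token scopes with `contents: read`, is the right shape; to keep the new capability contained, consider pinning the actions used in this job to full commit SHAs instead of floating tags, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v4`. The `build` job and its `strategy.matrix` continue outside the hunk, so any further steps that now inherit the grant are not visible here.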
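Review bot: `--provenance` makes the publish a hard dependency on the job being able to mint an OIDC token and on the registry accepting the attestation, and npm's provenance verification is expected to require each published package's `repository` URL in `package.json` to match the repository the workflow runs in; a mismatch in any workspace package fails that package's publish rather than falling back to an unattested publish, and because `--filter '!monorepo'` publishes several packages in one step, that can leave a release partially published. Worth confirming the `repository` field on every publishable package before merging, and a one-line comment above the step would record the coupling for the next editor: `# --provenance needs id-token: write on this job and a package.json repository URL that matches this repo`. The step list continues outside the hunk.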