From 501081656e56d2c132ea1027491714718544d9a9 Mon Sep 17 00:00:00 2001
From: Nacho Vazquez
Date: Sun, 7 Jul 2024 13:42:01 -0300
Subject: [PATCH] chore: allow npm provenance
---
 .github/workflows/cd.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 5912779d2..b2d4dc789 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -6,11 +6,14 @@ on:
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write # needed for provenance data generation
 if: github.ref == 'refs/heads/main'
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - name: Setup
 uses: ./.github/actions/setup
 with:
@@ -21,6 +24,7 @@ jobs:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ NPM_CONFIG_PROVENANCE: true
 # Use npx instead of yarn because yarn automagically sets NPM_* environment variables
 # like NPM_CONFIG_REGISTRY so npm publish ends up ignoring the .npmrc file
 # which is set up by `setup-node` action.
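Review bot: In the first hunk (`@@ -6,11 +6,14 @@`), `actions/checkout@v4` is still referenced by a mutable tag, while the same change grants `id-token: write` to the whole job. That permission is job-wide, so every step, including third-party actions and the local `./.github/actions/setup`, can request the OIDC token that backs the provenance signature. Pinning to an immutable ref keeps the signing identity tied to reviewed code: `- uses: actions/checkout@<full-commit-sha> # v4`. Separately, the explicit `permissions:` block leaves `GITHUB_TOKEN` with `contents: read` only, so if the release command writes tags or releases with `GITHUB_TOKEN` rather than `GH_TOKEN` it would start failing; that is worth confirming. The `steps:` list continues outside the hunk.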
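Review bot: In the second hunk (`@@ -21,6 +24,7 @@`), `NPM_CONFIG_PROVENANCE: true` is added without a comment on what it depends on, so a missing precondition would only surface as a failed publish at release time. As far as I know, npm generates provenance only with npm 9.5.0 or newer on a supported CI runner with `id-token: write`, and it checks the package's `repository` field against the source repository; none of that is visible in this hunk. I would add `# provenance: needs npm >= 9.5.0 and package.json "repository" pointing at this repo` above the variable, and quote the value as `"true"` since environment values are strings. The step this `env:` block belongs to starts and ends outside the hunk.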