From b0d9d9321b3538bb4d61de569ecb3d1fe5405ec2 Mon Sep 17 00:00:00 2001
From: Nya Candy
Date: Fri, 20 Dec 2024 10:50:01 +0800
Subject: [PATCH] feat(ci): publish package with provenance
---
 .github/workflows/auto-release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index c06681f7..b3b9fde9 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -8,6 +8,9 @@ on:
 jobs:
 publish:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - uses: actions/checkout@v4
@@ -28,13 +31,13 @@ jobs:
 - name: Publish stable release version (with default latest tag)
 if: ${{ ! contains(github.ref_name, '-') }}
- run: npm publish
+ run: npm publish --provenance
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_CANDINYA }}
 - name: Publish unstable pre-release version (with next tag)
 if: ${{ contains(github.ref_name, '-') }} # Refer to Semantic Versioning , use a hyphen to split version code and pre-release identifier
- run: npm publish --tag next
+ run: npm publish --provenance --tag next
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_CANDINYA }}
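Review bot: The `id-token: write` grant added in the `@@ -8,6 +8,9 @@` hunk carries no comment saying why a publish job needs it, which makes it easy for a later cleanup to drop it or to widen the block. A one-line comment above it would do, for example `# id-token: write lets npm request the OIDC token that signs the provenance attestation`. Because a job-level `permissions` block sets every scope not listed to none, `contents: read` is what keeps the checkout step working, and the same comment could say so. The `publish` job's remaining steps are outside this hunk.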
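Review bot: `npm publish --provenance` in the `@@ -28,13 +31,13 @@` hunk relies on two things the hunk does not show: an npm CLI of 9.5.0 or later, and a `repository` field in package.json that matches this GitHub repository; if either is missing the publish step is expected to fail at release time. The Node/npm setup step lies outside the hunk, so the installed version should be confirmed there. The flag is also repeated in both publish steps; setting `NPM_CONFIG_PROVENANCE: true` once under a job-level `env:` would keep a future publish step from skipping attestation unnoticed. The publish is still authorised by the long-lived `NPM_TOKEN_CANDINYA` secret, so provenance lets consumers verify where a build came from but does not by itself prevent a publish made with that token from another machine.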