From 04332b65b201d8a21bbfd7bf5f72bd7064cc0387 Mon Sep 17 00:00:00 2001
From: Mark <mark@remarkablemark.org>
Date: Sat, 5 Oct 2024 21:09:29 -0400
Subject: [PATCH] ci(github): publish package to npm registry with provenance

https://docs.npmjs.com/generating-provenance-statements

Release-As: 1.0.7
---
 .github/workflows/release-please.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 9302be6..e2b515f 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -4,10 +4,6 @@ on:
     branches:
       - master
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   release-please:
     runs-on: ubuntu-latest
@@ -16,15 +12,19 @@ jobs:
 
     steps:
       - name: Release Please
-        uses: google-github-actions/release-please-action@v4
+        uses: googleapis/release-please-action@v4
         id: release
         with:
           release-type: node
 
   publish:
-    needs: release-please
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    needs: release-please
     if: ${{ needs.release-please.outputs.release_created }}
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -32,13 +32,13 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
-          registry-url: 'https://registry.npmjs.org'
           node-version-file: .nvmrc
+          registry-url: https://registry.npmjs.org
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --prefer-offline
 
       - name: Publish
-        run: npm publish
+        run: npm publish --provenance --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}