From aaa65bf3fccc1621e93bfb06d0deec921e9bda80 Mon Sep 17 00:00:00 2001
From: Wojciech Maj
Date: Mon, 1 Jul 2024 13:16:16 +0200
Subject: [PATCH] Generate provenance statements on npm publish

This PR adds [Provenance statements](https://docs.npmjs.com/generating-provenance-statements) on `npm publish`, increasing supply-chain security.
---
 .github/workflows/publish_release.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
index 741fdf0fb4a83..51e578558f75c 100644
--- a/.github/workflows/publish_release.yml
+++ b/.github/workflows/publish_release.yml
@@ -4,6 +4,7 @@ on:
     types: [published]
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   publish:
@@ -33,6 +34,6 @@ jobs:
         run: npx gulp dist
 
       - name: Publish the `pdfjs-dist` library to NPM
-        run: npm publish ./build/dist
+        run: npm publish ./build/dist --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
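Review bot: `id-token: write` is added to the workflow-level `permissions:` block in the first hunk, which hands an OIDC token to every job in this workflow rather than only to the one that runs `npm publish`; the least-privilege form is to keep the top level at `contents: read` and scope the token to the publish job, e.g. under `publish:` add `permissions:` / `  contents: read` / `  id-token: write` (a job-level `permissions` key replaces the workflow-level one for that job). Only the `publish` job is visible in these hunks, so if it is the sole job the two forms are equivalent today, but job-level scoping keeps the grant from silently extending to jobs added later. Two caveats worth a comment on the `--provenance` line in the second hunk: the flag requires an npm CLI new enough to support provenance (the `setup-node` version in use is outside the hunk), and the publish will be rejected unless the `package.json` generated into `./build/dist` carries a `repository.url` that matches this GitHub repository, which the diff does not show. Note too that provenance attests where the tarball was built; it does not reduce what `NPM_TOKEN` can do, so that secret still needs the same protection as before.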