From c880a4a89b64bd3fae27aab40415301b54b246e0 Mon Sep 17 00:00:00 2001 From: Nacho Vazquez Date: Wed, 16 Jul 2025 23:03:58 -0300 Subject: [PATCH 1/2] ci: add npm provenance https://docs.npmjs.com/generating-provenance-statements --- .github/workflows/npm-publish.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 6fcd960f..1f8fe6a7 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -4,32 +4,35 @@ on: workflow_call: inputs: tag: - description: 'Release tag to publish (e.g., v1.0.0)' + description: "Release tag to publish (e.g., v1.0.0)" required: true type: string workflow_dispatch: inputs: tag: - description: 'Release tag to publish (e.g., v1.0.0)' + description: "Release tag to publish (e.g., v1.0.0)" required: true type: string jobs: npm-publish: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} steps: - uses: actions/checkout@v4 with: ref: ${{ inputs.tag }} - + - name: Set up Node.js uses: actions/setup-node@v4 with: node-version: 22 - registry-url: 'https://registry.npmjs.org' - + registry-url: "https://registry.npmjs.org" + - name: Download release assets run: | TAG="${{ inputs.tag }}" @@ -50,7 +53,7 @@ jobs: for platform_dir in platform-packages/go-blueprint-*; do if [ -d "$platform_dir" ]; then cd "$platform_dir" - npm publish --access public + npm publish --provenance --access public cd - > /dev/null fi done @@ -58,4 +61,5 @@ jobs: - name: Publish main package to npm run: | cd npm-package - npm publish --access public \ No newline at end of file + npm publish --provenance --access public + From 3067d7441ba7ceb02f94251274964410c605094b Mon Sep 17 00:00:00 2001 
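Review bot: The job now mints an OIDC token (`id-token: write`), yet the last context line of this hunk still interpolates a workflow_dispatch input straight into a shell script, `TAG="${{ inputs.tag }}"`, so whoever can dispatch the workflow controls text that now runs with that extra privilege. Pass the value through the environment instead: add `env:` with `TAG: ${{ inputs.tag }}` on the "Download release assets" step and read it in the script as `TAG="$TAG"`. For the same reason `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` is better scoped to the two publish steps than to the whole job, where checkout, setup-node and the download script can all read it. A publish workflow that signs provenance is also the place to pin third-party actions to full commit SHAs, `uses: actions/checkout@<full-commit-sha> # v4`, rather than mutable tags; the same applies to setup-go and goreleaser-action in release.yml in the second patch. The run script continues past the end of the hunk.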
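Review bot: If the glob `platform-packages/go-blueprint-*` matches nothing, the `-d` test skips the literal pattern and the step succeeds having published no platform packages at all, which presumably leaves the main package published in the next step depending on versions that do not exist. Fail loudly before the loop with a single line such as `compgen -G "platform-packages/go-blueprint-*" > /dev/null || { echo "no platform packages found" >&2; exit 1; }`. As far as I know `--provenance` also requires each platform package.json to carry a `repository.url` that matches this repository, otherwise npm rejects the publish; a one-line comment above the loop, `# --provenance needs repository.url in each package.json to match this repo`, would stop that surfacing only at release time. The enclosing run script starts outside the hunk.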
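Review bot: I believe the provenance statement attests the ref and commit of the run that triggered the workflow, not the `ref: ${{ inputs.tag }}` checked out earlier in this job; if so, a manual workflow_dispatch from a branch publishes code from the tag while the attestation names the branch, so the manual path deserves either a comment or a guard that `inputs.tag` equals `github.ref_name`. The main package is also published after the platform packages with no rollback, so a failure here leaves a half-released set; an `npm publish --dry-run` pass over every package before any real publish would catch the usual preconditions (repository.url, access, version collisions) first. Minor: the added empty line at the end of the file is a trailing blank that yamllint's empty-lines rule flags; a single newline after the last line is enough, and the same applies to the end of release.yml in the second patch.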
From: Nacho Vazquez Date: Thu, 17 Jul 2025 10:23:28 -0300 Subject: [PATCH 2/2] ci: add needed permissions to caller action --- .github/workflows/release.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0eb2a6bb..c23c2fa2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,9 +16,8 @@ jobs: - name: Set up Go uses: actions/setup-go@v4 with: - go-version: '1.21.1' - - - name: Run GoReleaser + go-version: "1.21.1" + - name: Run GoReleaser uses: goreleaser/goreleaser-action@v5.0.0 with: distribution: goreleaser @@ -30,7 +29,11 @@ jobs: npm-publish: needs: goreleaser + permissions: + contents: read + id-token: write uses: ./.github/workflows/npm-publish.yml with: tag: ${{ github.ref_name }} - secrets: inherit \ No newline at end of file + secrets: inherit +
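Review bot: `secrets: inherit` hands every repository and organization secret to the reusable workflow although npm-publish.yml reads only `NPM_TOKEN`, and the callee now also holds an OIDC token; narrow it to `secrets:` with `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` here and declare the secret under `workflow_call.secrets` in npm-publish.yml with `required: true`. The new job-level `permissions` block is right as far as it goes, since a caller must grant at least what the called workflow's job requests and `contents: read` plus `id-token: write` matches the callee exactly; a comment such as `# must cover what npm-publish.yml requests (id-token is needed for npm provenance)` would spare the next reader a lookup. The `goreleaser` job this one depends on starts outside the hunk.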