From 815a1ffdf6443b944ef071835f800b514b341882 Mon Sep 17 00:00:00 2001
From: Simon H <5968653+dummdidumm@users.noreply.github.com>
Date: Tue, 20 Aug 2024 14:36:39 +0200
Subject: [PATCH] chore: publish package provenance info (#2469)

According to https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow

closes #2461
---
 .github/workflows/DeploySvelte2tsxProd.yml           | 5 ++++-
 .github/workflows/DeploySvelteCheckProd.yml          | 5 ++++-
 .github/workflows/DeploySvelteLanguageServerProd.yml | 5 ++++-
 .github/workflows/DeployTypescriptPluginProd.yaml    | 5 ++++-
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/DeploySvelte2tsxProd.yml b/.github/workflows/DeploySvelte2tsxProd.yml
index 1adc194e0..1f31d1908 100644
--- a/.github/workflows/DeploySvelte2tsxProd.yml
+++ b/.github/workflows/DeploySvelte2tsxProd.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      id-token: write # OpenID Connect token needed for provenance
+
     runs-on: ubuntu-latest
 
     steps:
@@ -32,7 +35,7 @@ jobs:
       - run: |
           cd packages/svelte2tsx
           pnpm install
-          pnpm publish --no-git-checks
+          pnpm publish --provenance --no-git-checks
 
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/DeploySvelteCheckProd.yml b/.github/workflows/DeploySvelteCheckProd.yml
index 0a23cedeb..bbfc47610 100644
--- a/.github/workflows/DeploySvelteCheckProd.yml
+++ b/.github/workflows/DeploySvelteCheckProd.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      id-token: write # OpenID Connect token needed for provenance
+
     runs-on: ubuntu-latest
 
     steps:
@@ -33,7 +36,7 @@ jobs:
       - run: |
           cd packages/svelte-check
           pnpm install
-          pnpm publish --no-git-checks
+          pnpm publish --provenance --no-git-checks
 
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/DeploySvelteLanguageServerProd.yml b/.github/workflows/DeploySvelteLanguageServerProd.yml
index f98cbb74e..67cb708fa 100644
--- a/.github/workflows/DeploySvelteLanguageServerProd.yml
+++ b/.github/workflows/DeploySvelteLanguageServerProd.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      id-token: write # OpenID Connect token needed for provenance
+
     runs-on: ubuntu-latest
 
     steps:
@@ -32,7 +35,7 @@ jobs:
       - run: |
           cd packages/language-server
           pnpm install
-          pnpm publish --no-git-checks
+          pnpm publish --provenance --no-git-checks
 
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/DeployTypescriptPluginProd.yaml b/.github/workflows/DeployTypescriptPluginProd.yaml
index e195c42fc..90d1048c0 100644
--- a/.github/workflows/DeployTypescriptPluginProd.yaml
+++ b/.github/workflows/DeployTypescriptPluginProd.yaml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      id-token: write # OpenID Connect token needed for provenance
+
     runs-on: ubuntu-latest
 
     steps:
@@ -32,7 +35,7 @@ jobs:
       - run: |
           cd packages/typescript-plugin
           pnpm install
-          pnpm publish --no-git-checks
+          pnpm publish --provenance --no-git-checks
 
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}