From 5a5a584531f9f5740f7cec36b82821f21f829e4d Mon Sep 17 00:00:00 2001
From: Frazer Smith <frazer.dev@icloud.com>
Date: Wed, 25 Feb 2026 12:29:29 +0000
Subject: [PATCH] ci(cd): make provenance publishing explicit

Security tooling can't tell i'm using npm's oidc for provenance, so add this back in.
---
 .github/workflows/cd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index aea096f..1502ea9 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -62,7 +62,7 @@ jobs:
                   npm i --ignore-scripts
                   npm run build --if-present
                   npm pkg delete commitlint devDependencies scripts
-                  npm publish --access public --ignore-scripts
+                  npm publish --access public --ignore-scripts --provenance
 
     publish-ghp:
         name: Publish to GitHub Packages