From 47a17d2df16f85edc5d4852d335949106f6f7748 Mon Sep 17 00:00:00 2001
From: Francisco Cabezas
Date: Thu, 30 Apr 2026 09:50:34 -0400
Subject: [PATCH] chore(ci): scope NODE_AUTH_TOKEN to npm publish and add --provenance

Move NODE_AUTH_TOKEN out of the actions/setup-node step so it is no longer exposed to install-time dependency lifecycle scripts (e.g. postinstall during `pnpm install`, build, lint, and test). The token is now only set on the `npm publish` step, which is the only place it is required. Also add `--provenance` to `npm publish` so released artifacts include npm package provenance attestations, leveraging the existing `id-token: write` permission. This reduces the blast radius of any future install-time supply-chain compromise without changing release behavior.

Made-with: Cursor
---
 .github/workflows/publish-to-npm.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish-to-npm.yml b/.github/workflows/publish-to-npm.yml
index 3a07817..a8fa277 100644
--- a/.github/workflows/publish-to-npm.yml
+++ b/.github/workflows/publish-to-npm.yml
@@ -27,8 +27,6 @@ jobs:
 cache: pnpm
 node-version-file: package.json
 registry-url: https://registry.npmjs.org
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

 - name: Install dependencies
 run: pnpm install
@@ -50,4 +48,6 @@ jobs:
 - name: Publish to npm
 id: publish
- run: npm publish --no-git-checks
+ run: npm publish --no-git-checks --provenance
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
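Review bot: `--no-git-checks` on the new `run:` line is a pnpm publish option rather than an npm one, so `npm publish --no-git-checks --provenance` likely either ignores it or, on recent npm versions, warns about an unknown config; since this job installs with `pnpm install`, either switch the step to `pnpm publish --no-git-checks --provenance` after confirming your pnpm version forwards `--provenance`, or drop the flag. `--provenance` also only succeeds when the job's `permissions` grant `id-token: write` and the package is eligible for provenance (public, or on a plan that allows it for private packages); the permissions block is outside this hunk, so that prerequisite is worth pinning next to the step with a comment such as `# --provenance needs id-token: write on this job and a provenance-eligible package`. With publishing now isolated to one step, the remaining long-lived `NPM_PUBLISH_TOKEN` could be replaced by npm trusted publishing (OIDC from this workflow), which removes the secret entirely while still producing provenance; that is a sensible follow-up rather than part of this change. The publish step's enclosing job begins outside the hunk.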