From 2e919700fb0ecf58c44f8eb42ebf7a4bc0323c84 Mon Sep 17 00:00:00 2001
From: milstan <milstan@gmail.com>
Date: Mon, 20 Apr 2026 23:40:43 -0700
Subject: [PATCH] fix(release): re-add --provenance now that repo is public
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Provenance was dropped in c0mmit that merged as PR #8 because the repo
was internal — sigstore requires a public source repo to verify the
attestation chain. Repo is now public, so provenance publishes again.

Next bump will ship with signed provenance to transparency.sigstore.dev.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ad05e1e..1707bf0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -110,9 +110,9 @@ jobs:
             exit 0
           fi
           if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then
-            npm publish --access public --dry-run
+            npm publish --access public --provenance --dry-run
           else
-            npm publish --access public
+            npm publish --access public --provenance
           fi
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -169,9 +169,9 @@ jobs:
             exit 0
           fi
           if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then
-            npm publish --access public --dry-run
+            npm publish --access public --provenance --dry-run
           else
-            npm publish --access public
+            npm publish --access public --provenance
           fi
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}