From 4d7882f38c9deaecf6021f0ba992f7697d0902f8 Mon Sep 17 00:00:00 2001
From: Mathias Buus <mathiasbuus@gmail.com>
Date: Thu, 19 Mar 2026 12:18:29 +0100
Subject: [PATCH 1/3] tweaks

---
 .github/workflows/public-publish.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/public-publish.yml b/.github/workflows/public-publish.yml
index c074a80..39bafc0 100644
--- a/.github/workflows/public-publish.yml
+++ b/.github/workflows/public-publish.yml
@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: lts/*
@@ -27,7 +29,7 @@ jobs:
       - run: |
           git config user.name "github-actions"
           git config user.email "github-actions@github.com"
-          npm version ${{ inputs.bump }}
+          npm version ${{ inputs.bump }} --provenance
           npm publish --access public
           git push --follow-tags
         env:

From a7da4c7fa101fe80d74065182493c234391b2edb Mon Sep 17 00:00:00 2001
From: Mathias Buus <mathiasbuus@gmail.com>
Date: Thu, 19 Mar 2026 13:48:13 +0100
Subject: [PATCH 2/3] fix

---
 .github/workflows/public-publish.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/public-publish.yml b/.github/workflows/public-publish.yml
index 39bafc0..2048982 100644
--- a/.github/workflows/public-publish.yml
+++ b/.github/workflows/public-publish.yml
@@ -16,7 +16,7 @@ jobs:
     environment: release
     permissions:
       contents: write
-
+      id-token: write  # needed for OIDC token provenance
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -29,8 +29,8 @@ jobs:
       - run: |
           git config user.name "github-actions"
           git config user.email "github-actions@github.com"
-          npm version ${{ inputs.bump }} --provenance
-          npm publish --access public
+          npm version ${{ inputs.bump }}
+          npm publish --access public --provenance
           git push --follow-tags
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

From fd77c1d491fd7b1c66036d991a1f9f338cea7673 Mon Sep 17 00:00:00 2001
From: Mathias Buus <mathiasbuus@gmail.com>
Date: Thu, 19 Mar 2026 13:53:25 +0100
Subject: [PATCH 3/3] robot stuff

---
 .github/workflows/public-publish.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/public-publish.yml b/.github/workflows/public-publish.yml
index 2048982..6ab1204 100644
--- a/.github/workflows/public-publish.yml
+++ b/.github/workflows/public-publish.yml
@@ -29,6 +29,7 @@ jobs:
       - run: |
           git config user.name "github-actions"
           git config user.email "github-actions@github.com"
+          git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
           npm version ${{ inputs.bump }}
           npm publish --access public --provenance
           git push --follow-tags