From ba3583efba1864f6cb47899d1f756ace0cbb8ece Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Oct 2025 13:46:04 +0000
Subject: [PATCH 1/3] Initial plan

From ce32fa3a9fd4a70409fa193d420383ec7031ff4f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Oct 2025 13:51:54 +0000
Subject: [PATCH 2/3] Add permissions configuration to all workflow files and provenance to npm publish

Co-authored-by: dgreif <3026298+dgreif@users.noreply.github.com>
---
 .github/workflows/nodejs.yml  | 3 +++
 .github/workflows/publish.yml | 3 +++
 .github/workflows/release.yml | 6 +++++-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index a86f3c1..70fd261 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8e219eb..77d9cc7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   publish-npm:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0a53206..bb737c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,10 @@ on:
         description: Semver descriptor for new version ("major", "minor", or "patch")
         required: true
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   bump-version:
     name: Bump package version
@@ -70,6 +74,6 @@ jobs:
       - name: Build package
         run: npm run build --if-present
       - name: Publish
-        run: npm publish --access public
+        run: npm publish --provenance --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

From 0aa94b3e4296bd0f2be08de53c8e918451c8aec4 Mon Sep 17 00:00:00 2001
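Review bot: `contents: write` and `id-token: write` are granted at the workflow level in release.yml, so every job in the file — including whichever job only runs `npm run build` — can mint OIDC tokens and push to the repository, which is broader than the least-privilege intent of this commit. Reduce the workflow-level block to `permissions:` / `  contents: read` and put a job-level `permissions:` block on the jobs that need more: `contents: write` on the job that commits the version bump (presumably bump-version) and `id-token: write` on the job that runs `npm publish --provenance`. Since this is a `workflow_dispatch` workflow, also confirm that branch protection or a deployment environment restricts who may trigger it, because the dispatching user's input drives a public release. The job bodies are outside this hunk, so which job needs which grant is inferred.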
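Review bot: `npm publish --provenance --access public` will be rejected by the registry unless the job has `id-token: write` and package.json's `repository` URL matches this GitHub repository, so check the `repository` field before the next release rather than discovering it mid-run. The step still authenticates with the long-lived `NPM_TOKEN` secret in the `env:` block; provenance attests where the build ran but does not shrink what a leaked token can do, so scope it to a granular publish-only token (or, if the npm org supports trusted publishing, drop the token and rely on the OIDC exchange). Unlike publish.yml, this publish runs the package's own lifecycle hooks; since the build already happened in the preceding `npm run build --if-present` step, consider `run: npm publish --provenance --access public --ignore-scripts` so prepack/prepublishOnly hooks cannot execute with the token in the environment. The publish job's definition starts outside this hunk.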
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Oct 2025 13:53:47 +0000
Subject: [PATCH 3/3] Add id-token permission and provenance to publish.yml workflow

Co-authored-by: dgreif <3026298+dgreif@users.noreply.github.com>
---
 .github/workflows/publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 77d9cc7..2e113f5 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,6 +6,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   publish-npm:
@@ -22,6 +23,6 @@ jobs:
       - run: npm version ${TAG_NAME} --git-tag-version=false
         env:
           TAG_NAME: ${{ github.event.release.tag_name }}
-      - run: npm whoami; npm --ignore-scripts publish
+      - run: npm whoami; npm --ignore-scripts publish --provenance
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}
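Review bot: `id-token: write` is added at the workflow level, so it applies to every job in publish.yml rather than only to `publish-npm`; only one job is visible here, but a job-level grant keeps any job added later from being able to mint an OIDC token by default. Leave the workflow-level block at `contents: read` and move `permissions:` / `  contents: read` / `  id-token: write` under the `publish-npm` job. Separately, the `release: types: [created]` trigger means any collaborator who can create a release (including a pre-release from an arbitrary tag) starts a publish; provenance will truthfully attest that ref but does not gate it, so a protected environment on this job is worth considering.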
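Review bot: `npm --ignore-scripts publish --provenance` will fail unless package.json's `repository` URL matches this GitHub repository, and it still publishes with the long-lived `secrets.npm_token` rather than an OIDC exchange, so the change adds an attestation without reducing what a stolen token can do; verify the `repository` field and prefer a granular, publish-only token (or npm trusted publishing if the org has it). This step and release.yml now publish the same package with different flag sets (`--ignore-scripts` here, `--access public` there); unless there is a reason for two publish paths, align them, e.g. `run: npm whoami; npm publish --ignore-scripts --provenance --access public`, or add a comment explaining why they differ. The `--access public` omission only matters if the package is scoped, which is not visible here. The start of the `publish-npm` job is outside this hunk.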