From a6fa2c74f47c549361d4f77b2a02baaf62a1ebbc Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Tue, 1 Oct 2024 10:14:16 +0200
Subject: [PATCH] feat: generating provenance statements (#968)

---
 .github/scripts/publish-npm.sh            | 3 ++-
 .github/workflows/03-publish-packages.yml | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/scripts/publish-npm.sh b/.github/scripts/publish-npm.sh
index e0e5526bf7..1be1320839 100644
--- a/.github/scripts/publish-npm.sh
+++ b/.github/scripts/publish-npm.sh
@@ -41,5 +41,6 @@ do
     echo "Could not authenticate with $REGISTRY"
     exit 1
   fi
-  npm publish --tag "$TAG" db-ui-core-"$VALID_SEMVER_VERSION".tgz
+  # https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow
+  npm publish --tag "$TAG" db-ui-core-"$VALID_SEMVER_VERSION".tgz --provenance
 done
diff --git a/.github/workflows/03-publish-packages.yml b/.github/workflows/03-publish-packages.yml
index acef8ef021..a34e00160d 100644
--- a/.github/workflows/03-publish-packages.yml
+++ b/.github/workflows/03-publish-packages.yml
@@ -20,6 +20,8 @@ jobs:
   publish:
     name: Publish latest package versions to GitHub Packages
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: ⬇ Checkout repo
         uses: actions/checkout@v4