From bd347afaae74113af2bdcc3cb37de9c6731b2da6 Mon Sep 17 00:00:00 2001
From: Nexory
Date: Fri, 29 May 2026 17:54:31 +0200
Subject: [PATCH 1/2] ci(publish): add --provenance to npm publish commands

The workflow grants 'id-token: write' for Trusted Publishing (line 16) but the actual 'npm publish' invocations omit the --provenance flag, so the elevated permission is held without generating any attestation. Adding --provenance to both invocations turns on npm provenance statements (sigstore-backed attestations) at publish time. The node version is already pinned to 22.18.0 (well above the 11.5.1 minimum required for Trusted Publishing as the existing comment notes).
---
 .github/workflows/publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3b8ba9d..6c73554 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -70,8 +70,8 @@ jobs:
 # This will publish a version of a package.
 - name: Publish version
 if: steps.release.outputs.tag == ''
- run: npm publish
+ run: npm publish --provenance
 - name: Publish tagged version
 if: steps.release.outputs.tag != ''
- run: npm publish --tag ${{ steps.release.outputs.tag }}
\ No newline at end of file
+ run: npm publish --provenance --tag ${{ steps.release.outputs.tag }}
\ No newline at end of file

From 45f0ec086c251986eb55c2e878f8caaf49d071f0 Mon Sep 17 00:00:00 2001
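Review bot: The rewritten `run:` line for "Publish tagged version" still interpolates `${{ steps.release.outputs.tag }}` directly into the shell command, so if the release step's output can ever be derived from contributor-controlled input (a branch name, PR title or tag message, for example — not visible from this hunk), it is a script-injection point; passing it through an environment variable removes that surface regardless: `env:` / `  TAG: ${{ steps.release.outputs.tag }}` / `run: npm publish --provenance --tag "$TAG"`. The same line is touched again by the second patch's hunk, so the change applies there too. Separately, `--provenance` aborts the publish when the OIDC token is unavailable, so it is worth confirming `id-token: write` is set on this job rather than only at the workflow level if a job-level `permissions:` block exists; the enclosing job definition starts outside the hunk. If the intent is to keep the flag in one place, `publishConfig.provenance: true` in package.json would cover both invocations instead of repeating the flag.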
From: Nexory
Date: Mon, 1 Jun 2026 22:37:53 +0200
Subject: [PATCH 2/2] ci(publish): self-document --provenance + ensure trailing newline
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add inline comment above the first `npm publish --provenance` call explaining that the flag enables sigstore-backed provenance via npm Trusted Publishing — keeps intent self-evident for future maintainers in the same style as the existing comments above each job.
- Fix missing newline at end of file to keep publish.yml POSIX-compliant and avoid the "\ No newline at end of file" lint nit.
---
 .github/workflows/publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6c73554..2e67043 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -70,8 +70,9 @@ jobs:
 # This will publish a version of a package.
 - name: Publish version
 if: steps.release.outputs.tag == ''
+ # --provenance enables npm sigstore-backed provenance via Trusted Publishing
 run: npm publish --provenance
 - name: Publish tagged version
 if: steps.release.outputs.tag != ''
- run: npm publish --provenance --tag ${{ steps.release.outputs.tag }}
\ No newline at end of file
+ run: npm publish --provenance --tag ${{ steps.release.outputs.tag }}
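Review bot: The new comment above the first `run:` ties `--provenance` to Trusted Publishing, but the flag itself does not depend on that auth mode — it needs an OIDC token, i.e. the `id-token: write` permission the first patch's message says this workflow grants, and works with token-based publishing as well. A more precise wording that also names the operational prerequisite would be `# --provenance emits a sigstore-backed provenance attestation for the tarball; requires the id-token: write permission granted to this workflow`. The second `run:` carries the same flag but no comment, so either mirror a short pointer there or hoist the comment to the step-group level so both invocations are covered. The enclosing job begins outside the hunk.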