From 3e39c87075862eb83951c605eb97d6aae445757a Mon Sep 17 00:00:00 2001
From: Mikola Lysenko
Date: Sat, 15 Nov 2025 11:33:19 -0500
Subject: [PATCH] Add GitHub Actions workflow for npm publishing with provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sets up automated publishing workflow using Socket Registry provenance system for secure package releases with attestations.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/publish.yml | 33 +++++++++++++++++++++++++++++++++
 package.json | 7 ++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..f84cf50
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,33 @@
+name: 📦 Publish
+
+on:
+ workflow_dispatch:
+ inputs:
+ dist-tag:
+ description: 'npm dist-tag (latest, next, beta, canary, backport, etc.)'
+ required: false
+ default: 'latest'
+ type: string
+ debug:
+ description: 'Enable debug output'
+ required: false
+ default: '0'
+ type: string
+ options:
+ - '0'
+ - '1'
+
+permissions:
+ contents: write
+ id-token: write
+
+jobs:
+ publish:
+ uses: SocketDev/socket-registry/.github/workflows/provenance.yml@63ad52562c1f2d007a1833b2b22cffc3001e1cc2 # main
+ with:
+ debug: ${{ inputs.debug }}
+ dist-tag: ${{ inputs.dist-tag }}
+ package-name: '@socketsecurity/socket-patch'
+ publish-script: 'publish:ci'
+ setup-script: 'pnpm run build'
+ use-trusted-publishing: true
diff --git a/package.json b/package.json
index d754000..cfca8fe 100644
--- a/package.json
+++ b/package.json
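Review bot: The `debug` input in `.github/workflows/publish.yml` lists `options` under `type: string`, but `options` applies to `type: choice`, so neither `debug` nor `dist-tag` is constrained and both reach the reusable workflow as free-form strings in a job that holds `id-token: write`. Changing `debug` to `type: choice` enforces the `'0'`/`'1'` list; how provenance.yml consumes `dist-tag` is outside this diff, so it is worth confirming that it validates the value rather than interpolating it into a shell step. `contents: write` is granted for the whole workflow; if the called workflow only reads the repository during the publish, `contents: read` is the narrower grant, to be confirmed against what provenance.yml does. `workflow_dispatch` can be run from any ref, so a guard such as `if: github.ref == 'refs/heads/main'` on the `publish` job (release branch name to be confirmed) would keep unreviewed branches from being released.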
@@ -50,7 +50,12 @@
 "patch": "node dist/cli.js",
 "lint": "oxlint -c ./.oxlintrc.json --tsconfig ./tsconfig.json --deny-warnings",
 "lint:fix": "pnpm run lint --fix && pnpm run lint:fix:fast",
- "lint:fix:fast": "biome format --write"
+ "lint:fix:fast": "biome format --write",
+ "publish:ci": "npm publish --provenance --access public"
+ },
+ "publishConfig": {
+ "access": "public",
+ "registry": "https://registry.npmjs.org/"
 },
 "keywords": [
 "security",
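Review bot: The `publish:ci` script hard-codes `npm publish --provenance --access public` with no `--tag`, while the workflow added in this patch accepts a `dist-tag` input; unless the reusable workflow appends the tag itself (not visible here), a run dispatched with `next` or `beta` would still publish under `latest`. It is worth confirming how provenance.yml applies `dist-tag` to this script, and recording that expectation next to the script in the project docs. Pinning `registry` in `publishConfig` is a useful guard against a stray `.npmrc` redirecting the publish; `--access public` on the command line now duplicates `publishConfig.access` and could be dropped. The enclosing `scripts` object starts above the hunk.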