From 5dad6a0f3cf300d89e0b5c6a2c6329d842c0b44f Mon Sep 17 00:00:00 2001
From: Lachlan Collins <1667261+lachlancollins@users.noreply.github.com>
Date: Mon, 22 Sep 2025 10:05:48 +0900
Subject: [PATCH 1/2] ci: add danielroe/provenance-action

---
 .github/setup/action.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/setup/action.yml b/.github/setup/action.yml
index 588ba65..e112706 100644
--- a/.github/setup/action.yml
+++ b/.github/setup/action.yml
@@ -3,6 +3,10 @@ description: Action that sets up Node, pnpm, and caching
 runs:
   using: composite
   steps:
+    - name: Check provenance
+      uses: danielroe/provenance-action@v0.1.1
+      with:
+        fail-on-provenance-change: true
     - name: Setup pnpm
       uses: pnpm/action-setup@v4.1.0
     - name: Setup Node

From 666159009b1e89b2465df4360601f8a7e02d65e1 Mon Sep 17 00:00:00 2001
From: Lachlan Collins <1667261+lachlancollins@users.noreply.github.com>
Date: Mon, 22 Sep 2025 10:06:49 +0900
Subject: [PATCH 2/2] Add fail-on-downgrade

---
 .github/setup/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/setup/action.yml b/.github/setup/action.yml
index e112706..b30a8ee 100644
--- a/.github/setup/action.yml
+++ b/.github/setup/action.yml
@@ -6,7 +6,7 @@ runs:
     - name: Check provenance
       uses: danielroe/provenance-action@v0.1.1
       with:
-        fail-on-provenance-change: true
+        fail-on-downgrade: true
     - name: Setup pnpm
       uses: pnpm/action-setup@v4.1.0
     - name: Setup Node