From 8ab5adafa06f043fa6800ba2d5799bdfa7317683 Mon Sep 17 00:00:00 2001
From: Michael Kriese <michael.kriese@visualon.de>
Date: Mon, 12 Feb 2024 14:56:18 +0100
Subject: [PATCH] build: enable `provenance` (#518)

---
 .github/workflows/build.yml | 7 +++++++
 .npmrc                      | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8fd38d9..2fc2c12 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,6 +23,9 @@ env:
   NODE_VERSION: 20 # needs to be in sync with other versions below
   DRY_RUN: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: ${{ matrix.node-version == 20 && format('test ({0})', matrix.os) || format('test ({0}, node-{1})', matrix.os, matrix.node-version) }}
@@ -134,6 +137,10 @@ jobs:
     # tests shouldn't need more time
     timeout-minutes: 15
 
+    permissions:
+      contents: write
+      id-token: write
+
     steps:
       # full checkout for semantic-release
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.npmrc b/.npmrc
index be1b108..13011ca 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1,6 +1,8 @@
 save-exact = true
 save-prefix =
 
+provenance = true
+
 # pnpm run settings
 # https://pnpm.io/cli/run
 shell-emulator = true