From 94f8dca2e92c01f4aa6eace3ace69a2bd3f63117 Mon Sep 17 00:00:00 2001 From: kitsuyui Date: Fri, 10 Jan 2025 00:21:06 +0900 Subject: [PATCH 1/2] Revert "Revert "Set up provenance"" --- .github/workflows/release.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index be04e11e..20bd3661 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,6 +13,10 @@ jobs: continue-on-error: true + permissions: + contents: read + id-token: write + steps: - uses: actions/checkout@v4 @@ -33,6 +37,9 @@ jobs: - name: set git tag version run: | + # https://docs.npmjs.com/generating-provenance-statements + # This may not work properly. dynamic versioning may cause a problem. + export NPM_CONFIG_PROVENANCE=true git config user.email "dummy@dummy" git config user.name "dummy" pnpm version from-git --allow-same-version --no-git-tag-version -ws || true From 11dbe81e3576214e5c4ee0f63d77abb94cecb4bb Mon Sep 17 00:00:00 2001 From: kitsuyui Date: Fri, 10 Jan 2025 00:21:57 +0900 Subject: [PATCH 2/2] Set NPM_CONFIG_PROVENANCE directly --- .github/workflows/release.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 20bd3661..31bfb623 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
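Review bot: `id-token: write` is granted for the whole job in the first hunk, so every step in it can request an OIDC token, including whatever install and build steps sit between checkout and publish (not visible here). The second patch in this series shows the same job also runs a dry-run step on non-release events, while only the real publish needs the token to sign provenance. Consider moving the publish into its own job that carries `contents: read` and `id-token: write` plus the condition `if: github.event_name == 'release' && !github.event.release.prerelease`, and leaving this job at `contents: read`. The `continue-on-error: true` just above the added block also means a failed publish or provenance step will not fail the run, which deserves a comment or removal on the release path. The job body starts and continues outside this hunk.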
@@ -39,20 +39,19 @@ jobs: run: | # https://docs.npmjs.com/generating-provenance-statements # This may not work properly. dynamic versioning may cause a problem. - export NPM_CONFIG_PROVENANCE=true git config user.email "dummy@dummy" git config user.name "dummy" pnpm version from-git --allow-same-version --no-git-tag-version -ws || true pnpm format - name: deploy - run: pnpm publish --access=public --no-git-checks --recursive + run: NPM_CONFIG_PROVENANCE=true pnpm publish --access=public --no-git-checks --recursive if: github.event_name == 'release' && !github.event.release.prerelease env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: deploy (dry-run) - run: pnpm publish --access=public --no-git-checks --dry-run --recursive + run: NPM_CONFIG_PROVENANCE=true pnpm publish --access=public --no-git-checks --dry-run --recursive if: github.event_name != 'release' || github.event.release.prerelease env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
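Review bot: The two comment lines about provenance stay in the `set git tag version` step although the variable they explain now sits on the `deploy` and `deploy (dry-run)` commands; move them next to the setting so the caveat about dynamic versioning is read where it applies. The variable would also be easier to audit in each step's `env:` map beside `NODE_AUTH_TOKEN`, written as `NPM_CONFIG_PROVENANCE: "true"` (quoted, since env values are strings), rather than as a shell prefix on the command. Separately, the dry-run step runs on non-release events yet still receives `secrets.NPM_TOKEN`; a dry run should not need a publish credential, so consider dropping that `env:` entry after confirming the dry run still passes without it.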