From da32fb3bd89be5ad3c70dd329a34c9f150fa552f Mon Sep 17 00:00:00 2001
From: sudo rm -rf --no-preserve-root /
Date: Tue, 22 Apr 2025 23:24:43 +0200
Subject: [PATCH] Add missing `id-token: write` permission in release pipeline (#5645)
Signed-off-by: Pascal Marco Caversaccio
---
 .github/workflows/release-cycle.yml | 2 ++
 scripts/release/workflow/publish.sh | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-cycle.yml b/.github/workflows/release-cycle.yml
index fc1295508..02d547833 100644
--- a/.github/workflows/release-cycle.yml
+++ b/.github/workflows/release-cycle.yml
@@ -131,6 +131,7 @@ jobs:
 environment: npm
 permissions:
 contents: write
+ id-token: write
 if: needs.state.outputs.publish == 'true'
 runs-on: ubuntu-latest
 steps:
@@ -153,6 +154,7 @@ jobs:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 TARBALL: ${{ steps.pack.outputs.tarball }}
 TAG: ${{ steps.pack.outputs.tag }}
+ NPM_CONFIG_PROVENANCE: true
 - name: Create Github Release
 uses: actions/github-script@v7
 env:
diff --git a/scripts/release/workflow/publish.sh b/scripts/release/workflow/publish.sh
index 131d02854..e490e5d00 100644
--- a/scripts/release/workflow/publish.sh
+++ b/scripts/release/workflow/publish.sh
@@ -9,7 +9,7 @@ PACKAGE_JSON_VERSION="$(tar xfO "$TARBALL" package/package.json | jq -r .version
 echo "//registry.npmjs.org/:_authToken=\${NPM_TOKEN}" > .npmrc
 # Actual publish
-npm publish --provenance "$TARBALL" --tag "$TAG"
+npm publish "$TARBALL" --tag "$TAG"
 # Clean up tags
 delete_tag() {
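Review bot: The new `id-token: write` line carries no explanation, and because it sits in the job-level `permissions:` block it lets every step of this job request an OIDC token, not only the publish step. A comment above it such as `# id-token: write is needed so npm can obtain an OIDC token to sign the provenance attestation` would keep a later cleanup from removing it or copying it to other jobs. The job's step list lies mostly outside this hunk. The `uses: actions/github-script@v7` line visible in the next hunk appears to belong to the same job and references a mutable tag, so pinning the actions in this job to full commit SHAs is worth considering now that the job holds both `contents: write` and `id-token: write`.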
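Review bot: After this change the `npm publish "$TARBALL" --tag "$TAG"` line produces a provenance attestation only when the caller exports `NPM_CONFIG_PROVENANCE`, as the workflow hunk above now does; if that variable is dropped or the script is called from somewhere else, the package is published without provenance and nothing fails. A comment above the command, for example `# Provenance is switched on by NPM_CONFIG_PROVENANCE in release-cycle.yml`, would document the coupling. If releases without provenance are never intended, a fail-fast check before publishing, `: "${NPM_CONFIG_PROVENANCE:?must be set by the release workflow}"`, makes the dependency explicit. The rest of the script is outside this hunk.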