From 2695e5c8ca4e9da61ae0cdc507d87aa590950df3 Mon Sep 17 00:00:00 2001
From: Elijah Flinders <14484665+Lijah99@users.noreply.github.com>
Date: Tue, 16 Jun 2026 09:16:40 -0600
Subject: [PATCH] Add NPM Provenance publishing and attestation

---
 .github/workflows/publish-npm.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 8d91d75..c650257 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -7,6 +7,7 @@ on:
 permissions:
 id-token: write # Required for OIDC provenance
 contents: read
+ attestations: write
 
 jobs:
 build:
@@ -32,4 +33,10 @@ jobs:
 run: npm install -g npm@11.5.1
 - run: npm --version
 - run: npm install --package-lock=false
- - run: npm publish
+ - name: Pack
+ run: npm pack
+ - name: Attest
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: "*.tgz"
+ - run: npm publish --provenance
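Review bot: `attestations: write` is added to the workflow-level `permissions` block, so every job in this workflow inherits it along with the existing `id-token: write`. Only the job that runs the attest and publish steps needs these write scopes; moving `id-token: write` and `attestations: write` under `jobs.build.permissions` and leaving only `contents: read` at the top level would limit them to that job. The hunk shows only the start of the `jobs:` section, so whether other jobs exist cannot be confirmed from here.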
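Review bot: The tarball attested in the `Attest` step is not necessarily the one that gets uploaded, because the final `npm publish --provenance` step is given no tarball and packs the working directory again. Passing the packed file to publish, for example `- run: npm publish --provenance ./*.tgz`, ties the attested digest to the published artifact; since the `"*.tgz"` glob also matches any other tarball left in the workspace, using the file name printed by `npm pack` would be stricter. Separately, `actions/attest-build-provenance@v2` is a mutable tag running in a job that holds `id-token: write` and `attestations: write`; pinning it as `uses: actions/attest-build-provenance@<full-commit-sha> # v2` removes the dependence on where the tag points. The steps list begins outside the hunk.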