From c68ee7f9a031fe80ea408b24be056d0d31c86b94 Mon Sep 17 00:00:00 2001
From: Jakob Guddas
Date: Fri, 11 Apr 2025 10:39:20 +0200
Subject: [PATCH] feat(ci): added npm package provenance attestation (#3016)
---
 .github/workflows/release.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f35b3e358..f1594ce73 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,6 +38,8 @@ jobs:
 if: github.repository == 'lucide-icons/lucide'
 runs-on: ubuntu-latest
 needs: pre-release
+ permissions:
+ id-token: write
 strategy:
 fail-fast: false
 matrix:
@@ -80,11 +82,15 @@ jobs:
 - name: Publish
 run: pnpm --filter ${{ matrix.package }} publish --access public --no-git-checks --ignore-scripts
+ env:
+ NPM_CONFIG_PROVENANCE: true
 lucide-static:
 if: github.repository == 'lucide-icons/lucide'
 runs-on: ubuntu-latest
 needs: [pre-release, lucide-font]
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@v4
 - uses: actions/download-artifact@v4
@@ -111,6 +117,8 @@ jobs:
 - name: Publish
 run: pnpm --filter lucide-static publish --no-git-checks
+ env:
+ NPM_CONFIG_PROVENANCE: true
 lucide-font:
 if: github.repository == 'lucide-icons/lucide'
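Review bot: The new `permissions:` block on this job lists only `id-token: write`, and once a job declares `permissions`, every scope it does not list is set to `none`, including `contents`. Adding `contents: read` next to `id-token: write` states what the job needs and keeps any checkout in it from depending on the repository being public. The same applies to the `lucide-static` job in the next hunk, where `actions/checkout@v4` is visible. This job's steps lie outside the hunk, so whether it checks out the repository cannot be seen here.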
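Review bot: `NPM_CONFIG_PROVENANCE: true` in the added `env:` block is an unquoted YAML boolean in a place where the consumer reads a string; `NPM_CONFIG_PROVENANCE: 'true'` makes the type explicit instead of relying on the runner's coercion. The Publish step in the last hunk carries the same line. A comment above the variable, for example `# needs id-token: write on the job; check released packages with npm audit signatures`, would tie it to the permission this commit adds and point maintainers at a way to confirm the attestation was actually produced.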
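Review bot: The `lucide-static` publish that now receives a provenance attestation runs without the `--ignore-scripts` flag that the matrix publish in the previous hunk passes, so any publish lifecycle scripts the package defines would execute in a job that now holds `id-token: write`. If no such script is needed, `run: pnpm --filter lucide-static publish --no-git-checks --ignore-scripts` would align the two steps; if one is needed, a comment on the step saying so would make the difference deliberate. The `run:` line is unchanged context in this hunk, and the job's earlier steps lie outside it.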