From b3afc46e1c53d92a3bce60a5584886f89a780ece Mon Sep 17 00:00:00 2001
From: Steven
Date: Mon, 24 Apr 2023 10:08:55 -0400
Subject: [PATCH] fix: npm publish provenance permissions (#48757)

Co-authored-by: Jiachi Liu
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
---
 .github/workflows/build_test_deploy.yml | 4 ++++
 .npmrc | 1 +
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/build_test_deploy.yml b/.github/workflows/build_test_deploy.yml
index c4230b4343..8e6e679619 100644
--- a/.github/workflows/build_test_deploy.yml
+++ b/.github/workflows/build_test_deploy.yml
@@ -966,6 +966,9 @@ jobs:
 - build
 - build-wasm
 - build-native
+ permissions:
+ contents: write
+ id-token: write
 env:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }}
 steps:
@@ -997,6 +1000,7 @@ jobs:
 name: wasm-binaries
 path: packages/next-swc/crates/wasm

+ - run: npm i -g npm@9 # need latest version for provenance
 - run: npm i -g pnpm@${PNPM_VERSION}
 - run: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
 - run: ./scripts/publish-native.js
diff --git a/.npmrc b/.npmrc
index 7e6ce68381..5626f81fde 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1,3 +1,4 @@
+provenance = true
 save-exact = true
 tag-version-prefix=""
 strict-peer-dependencies = false
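Review bot: `contents: write` in the job-level `permissions` block added by the first hunk of `.github/workflows/build_test_deploy.yml` (@@ -966) is broader than npm provenance needs; the OIDC token only requires `id-token: write`, and a checkout works with `contents: read`. Every step in this job can use both scopes and also sees `NPM_TOKEN` from the job-level `env`, so the grant should be as narrow as the job allows. If no step pushes commits, tags or releases with `GITHUB_TOKEN`, change the line to `contents: read`. Otherwise keep it and record the reason next to each scope, e.g. `# id-token: write lets npm request the OIDC token used for provenance`. The job's steps lie mostly outside the hunk, so whether a write is actually needed cannot be confirmed from here.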
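Review bot: The added step `npm i -g npm@9` in the second hunk (@@ -997) resolves to whatever 9.x release is current when the job runs, and it runs in the job that holds `NPM_TOKEN` in its environment and, after this commit, `id-token: write`. Pinning the CLI to an exact release keeps the publishing toolchain reproducible and makes an upgrade of the tool that signs and uploads the packages a reviewed change: `- run: npm i -g npm@<exact-9.x-version> # provenance support; bump deliberately` (placeholder version, to be filled with the release you have tested). The inline comment would also be more accurate as "needs an npm release with provenance support" than "latest version", since `@9` is a major-version range rather than the latest tag.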
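Review bot: `provenance = true` in the repository-root `.npmrc` applies to every publish run from a checkout, not only to the workflow job that was just given `id-token: write`. A publish from a developer machine or from a runner without an OIDC token would presumably fail rather than go out unsigned. If that fail-closed behaviour is intended, state it above the line, e.g. `; releases must be published by the GitHub Actions release job (needs id-token: write)`; otherwise scope the setting to that job with `NPM_CONFIG_PROVENANCE: true` in its `env`. It is also worth confirming that the publish scripts invoke a client that honours this key, since the workflow installs pnpm alongside npm, and checking the first release's attestation with `npm audit signatures` from a consuming project.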