From ca98dc77d47c3b9e11f4ee238cc93a57dc0f522a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 12 Mar 2024 10:09:34 -0500
Subject: [PATCH 1/5] ci(action): update actions/checkout digest to 9bb5618 (#373)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml | 4 ++--
 .github/workflows/update-prettier.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3e669cb..b266444 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
 with:
 # We must fetch at least the immediate parents so that if this is
 # a pull request then we can checkout the head.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8bd0492..cd536cb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ jobs:
 name: release
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
 - uses: actions/setup-node@v4
 with:
 node-version: lts/*
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9f4ae55..dd40440 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
 - 18
 - 20
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
 - name: Use Node.js ${{ matrix.node_version }}
 uses: actions/setup-node@v4
 with:
@@ -33,7 +33,7 @@ jobs:
 steps:
 - run: exit 1
 if: ${{ needs.test_matrix.result != 'success' }}
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
 - uses: actions/setup-node@v4
 with:
 node-version: "lts/*"
diff --git a/.github/workflows/update-prettier.yml b/.github/workflows/update-prettier.yml
index d03357f..b4f399f 100644
--- a/.github/workflows/update-prettier.yml
+++ b/.github/workflows/update-prettier.yml
@@ -7,7 +7,7 @@ jobs:
 update_prettier:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
 - uses: actions/setup-node@v4
 with:
 cache: npm
From 55eb14e833140fae2623a2145af9d83c8fc73351 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 12 Mar 2024 08:29:50 -0700
Subject: [PATCH 2/5] ci(action): update actions/checkout digest to b4ffde6
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml | 4 ++--
 .github/workflows/update-prettier.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b266444..3e669cb 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 with:
 # We must fetch at least the immediate parents so that if this is
 # a pull request then we can checkout the head.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cd536cb..8bd0492 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ jobs:
 name: release
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - uses: actions/setup-node@v4
 with:
 node-version: lts/*
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index dd40440..9f4ae55 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
 - 18
 - 20
 steps:
- - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Use Node.js ${{ matrix.node_version }}
 uses: actions/setup-node@v4
 with:
@@ -33,7 +33,7 @@ jobs:
 steps:
 - run: exit 1
 if: ${{ needs.test_matrix.result != 'success' }}
- - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - uses: actions/setup-node@v4
 with:
 node-version: "lts/*"
diff --git a/.github/workflows/update-prettier.yml b/.github/workflows/update-prettier.yml
index b4f399f..d03357f 100644
--- a/.github/workflows/update-prettier.yml
+++ b/.github/workflows/update-prettier.yml
@@ -7,7 +7,7 @@ jobs:
 update_prettier:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - uses: actions/setup-node@v4
 with:
 cache: npm
From 47417cb28010f9088aed078bd76d4e2b5fbeafb5 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 14:37:20 -0700
Subject: [PATCH 3/5] ci(action): update actions/add-to-project action to v0.6.1 (#375)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/add_to_octokit_project.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/add_to_octokit_project.yml b/.github/workflows/add_to_octokit_project.yml
index e1c5331..84f2877 100644
--- a/.github/workflows/add_to_octokit_project.yml
+++ b/.github/workflows/add_to_octokit_project.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 continue-on-error: true
 steps:
- - uses: actions/add-to-project@v0.6.0
+ - uses: actions/add-to-project@v0.6.1
 with:
 project-url: https://github.com/orgs/octokit/projects/10
 github-token: ${{ secrets.OCTOKITBOT_PROJECT_ACTION_TOKEN }}
From bc85afc8a8723fc437cb0ee3b3379bc05594b5ea Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 27 Mar 2024 11:34:41 -0700
Subject: [PATCH 4/5] ci(action): update actions/add-to-project action to v1
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/add_to_octokit_project.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/add_to_octokit_project.yml b/.github/workflows/add_to_octokit_project.yml
index 84f2877..0ac7fd7 100644
--- a/.github/workflows/add_to_octokit_project.yml
+++ b/.github/workflows/add_to_octokit_project.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 continue-on-error: true
 steps:
- - uses: actions/add-to-project@v0.6.1
+ - uses: actions/add-to-project@v1.0.0
 with:
 project-url: https://github.com/orgs/octokit/projects/10
 github-token: ${{ secrets.OCTOKITBOT_PROJECT_ACTION_TOKEN }}
From fe1538e19abf3ee9882a2bade037eefe7d87d4ec Mon Sep 17 00:00:00 2001
From: Aaron Dewes
Date: Wed, 3 Apr 2024 21:49:40 +0200
Subject: [PATCH 5/5] feat(security): Add provenance (#377)
* Enable provenance in package.json
* Add necessary permissions to the release workflow
---
 .github/workflows/release.yml | 7 +++++++
 package.json | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8bd0492..510b902 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,13 @@ name: Release
 push:
 branches:
 - main
+# These are recommended by the semantic-release docs: https://github.com/semantic-release/npm#npm-provenance
+permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance
+
 jobs:
 release:
 name: release
diff --git a/package.json b/package.json
index 574e788..6d37ff3 100644
--- a/package.json
+++ b/package.json
@@ -95,7 +95,8 @@
 ]
 },
 "publishConfig": {
- "access": "public"
+ "access": "public",
+ "provenance": true
 },
 "engines": {
 "node": ">= 18"
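Review bot: The new `permissions:` block sits at workflow level, above `jobs:`, so `contents: write`, `issues: write`, `pull-requests: write` and `id-token: write` are granted to every job in release.yml rather than only to the job that publishes; declaring the same block under `jobs.release` keeps the grant on the publishing job and leaves any job added later on the default token. With the single `release` job this series shows elsewhere in the file, the effective permissions are identical today, so this is about containment rather than a present defect. The `on:` mapping that the `push:`/`branches:` context lines belong to starts outside the hunk. Because this job now carries an OIDC-capable token with write scopes, it is also worth checking, outside this hunk, that every action it runs is digest-pinned: earlier patches in this series show `actions/checkout` pinned by SHA but `actions/setup-node@v4` pinned only by tag in the same file.
```yaml
jobs:
  release:
    name: release
    # Recommended by the semantic-release docs: https://github.com/semantic-release/npm#npm-provenance
    # Scoped to this job only; the workflow-level permissions block is dropped.
    permissions:
      contents: write # to be able to publish a GitHub release
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
      id-token: write # to enable use of OIDC for npm provenance
    # … unchanged: runs-on and steps …
```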