From 3c95fd8dc3ccc6fa2c32a0f8441787b23baf1e2b Mon Sep 17 00:00:00 2001
From: Grace Park
Date: Tue, 22 Oct 2024 22:38:41 +0000
Subject: [PATCH 1/3] upgrade node to 22 and add provenance
---
 .github/workflows/nodejs.yml | 4 ++--
 .github/workflows/publish.yml | 11 +++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index f7b61ba..c6cb444 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -6,9 +6,9 @@ jobs: steps: - uses: actions/checkout@v4 - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: '18.x' + node-version: '22.x' - run: npm install - run: npm run build --if-present - run: npm test
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c1b229d..7b520a3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,14 +4,17 @@ on: release: types: [created] +permissions: + id-token: write + jobs: publish-npm: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 with: - node-version: 14 + node-version: 22 registry-url: https://registry.npmjs.org/ cache: npm - run: npm ci
@@ -19,6 +22,6 @@ jobs: - run: npm version ${TAG_NAME} --git-tag-version=false env: TAG_NAME: ${{ github.event.release.tag_name }} - - run: npm whoami; npm --ignore-scripts publish + - run: npm whoami; npm --ignore-scripts publish --provenance env: NODE_AUTH_TOKEN: ${{secrets.npm_token}}
From 855e98a0aeba7f5af50b9cb7edb3fb349820065d Mon Sep 17 00:00:00 2001
From: Grace Park
Date: Wed, 23 Oct 2024 08:32:18 -0700
Subject: [PATCH 2/3] Update .github/workflows/publish.yml
Co-authored-by: Dusty Greif
---
 .github/workflows/publish.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7b520a3..4ec5765 100644
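Review bot: In the first publish.yml hunk of PATCH 1/3 (`@@ -4,14 +4,17 @@`), `actions/checkout@v4` and `actions/setup-node@v4` are still referenced by mutable tag in the job that now receives `id-token: write` and later reads the npm token, so a moved tag would change the code that runs with the publishing identity. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, keeps the provenance attestation tied to action code that was actually reviewed. The same tag reference appears in the nodejs.yml hunk, where the stakes are lower because no publish credential is visible in that workflow. The `steps:` list continues past the end of this hunk.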
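Review bot: In the second publish.yml hunk of PATCH 1/3 (`@@ -19,6 +22,6 @@`), `--ignore-scripts` covers only the publish command; the `npm ci` step shown as context at the end of the previous hunk still runs dependency install scripts, and with `id-token: write` granted at workflow level those scripts execute in a job that is allowed to request the OIDC token behind the provenance signature. If the build does not rely on install scripts, `- run: npm ci --ignore-scripts` would bring that step in line with the publish step. A comment on the publish step such as `# --provenance requires permissions.id-token: write` would also keep the permission from being removed later as unused. The step between the two hunks is not visible here and should be checked for the same reason.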
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,7 @@ on: types: [created] permissions: + contents: read id-token: write jobs:
From 1cef1bc957391fedc985fb98a77b0d3a437bf8c3 Mon Sep 17 00:00:00 2001
From: Grace Park
Date: Wed, 23 Oct 2024 08:32:56 -0700
Subject: [PATCH 3/3] Add read permissions to Node.js CI workflow
---
 .github/workflows/nodejs.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index c6cb444..5e3c3a4 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -1,5 +1,7 @@ name: Node.js CI on: [push] +permissions: + contents: read jobs: build: runs-on: ubuntu-latest