From b5bfe7a9c960ef602ed783689eb41e67a0987b6e Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 25 Jun 2026 10:10:57 +0100
Subject: [PATCH] feat(ci): package-registry provenance
---
 .github/workflows/affine-vscode-publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/affine-vscode-publish.yml b/.github/workflows/affine-vscode-publish.yml
index afbaa5ba..02f6a5b2 100644
--- a/.github/workflows/affine-vscode-publish.yml
+++ b/.github/workflows/affine-vscode-publish.yml
@@ -23,6 +23,7 @@ on:
 - 'affine-vscode-v*'
 permissions:
 contents: read
+ id-token: write # npm provenance via GitHub OIDC
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -54,7 +55,7 @@ jobs:
 echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > "${HOME}/.npmrc"
 - name: Publish to npm
 working-directory: packages/affine-vscode
-run: npm publish --access public
+ run: npm publish --provenance --access public
 - name: Clean up npm auth
 if: always()
 run: rm -f "${HOME}/.npmrc"
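Review bot: `id-token: write` is granted in the workflow-level `permissions:` block, so every job in this workflow can request a GitHub OIDC token, not only the job that runs `npm publish`. The `jobs:` section lies outside this hunk, so I can't tell how many jobs inherit it. If there is more than one, the grant belongs on the publish job alone. Job-level permissions replace the workflow-level set rather than extend it, so that job would need both `contents: read` and `id-token: write` under its own `permissions:` key. If the workflow has a single job, a comment saying so would keep the scope decision visible when a second job is added later.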
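Review bot: The `--provenance` flag on the "Publish to npm" step has preconditions that this hunk does not show and the workflow does not check. It needs npm 9.5.0 or newer, a GitHub-hosted runner, and a `repository` field in `packages/affine-vscode/package.json` that matches this repository. The Node/npm setup step is outside the hunk, so confirm the pinned version there and record the requirement above the step, e.g. `# --provenance requires npm >= 9.5.0 and package.json "repository" pointing at this repo`. Provenance attests where the package was built but does not change how the publish is authorised. The long-lived `NPM_TOKEN` written to `${HOME}/.npmrc` in the preceding step remains the credential and still needs its own scoping and rotation.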