From ce48f267e43ee3fe2abd10076dada80bc8f13368 Mon Sep 17 00:00:00 2001
From: Michael Darmawan
Date: Mon, 30 Mar 2026 14:12:14 -0500
Subject: [PATCH 1/5] persist credentials, revert envVAR name
Signed-off-by: Michael Darmawan
---
 .github/workflows/build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 661cfc8..8e735f4 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -101,5 +101,5 @@ jobs:
 - name: Run semantic-release
 env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+ GH_TOKEN: ${{ secrets.GH_TOKEN }}
 run: npm run semantic-release
From e1070aeeeeb0ab173c80a83f3a3eeb8023bab760 Mon Sep 17 00:00:00 2001
From: Michael Darmawan
Date: Mon, 30 Mar 2026 14:13:43 -0500
Subject: [PATCH 2/5] rename env var again
Signed-off-by: Michael Darmawan
---
 .github/workflows/build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8e735f4..661cfc8 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -101,5 +101,5 @@ jobs:
 - name: Run semantic-release
 env:
- GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 run: npm run semantic-release
From 5dd2e72252e3fc30790fcc9520c82bdc58055397 Mon Sep 17 00:00:00 2001
From: Michael Darmawan
Date: Mon, 30 Mar 2026 15:43:51 -0500
Subject: [PATCH 3/5] fix(build): using autogenned GITHUB_TOKEN
Signed-off-by: Michael Darmawan
---
 .github/workflows/build.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 661cfc8..943f3fe 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -81,8 +81,10 @@ jobs:
 name: semantic-release
 needs: build
 permissions:
- contents: write # REPO PERMISSIONS
- id-token: write # OIDC PERMISSIONS
+ contents: write # Repo permissions
+ id-token: write # Open ID Connect permissions
+ issues: write # Permission to write to issues if failed
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
@@ -101,5 +103,5 @@ jobs:
 - name: Run semantic-release
 env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Using auto-populated GITHUB_TOKEN with above permissions
 run: npm run semantic-release
From 4b4143690956b8d1f9cc2f72a3bf3a5b3173677f Mon Sep 17 00:00:00 2001
From: Michael Darmawan
Date: Mon, 30 Mar 2026 15:49:28 -0500
Subject: [PATCH 4/5] add provenance
Signed-off-by: Michael Darmawan
---
 .github/workflows/build.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 943f3fe..e3991b5 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -100,7 +100,8 @@ jobs:
 run: |
 npm ci
 npm run build
-
+ - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+ run: npm audit signatures
 - name: Run semantic-release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Using auto-populated GITHUB_TOKEN with above permissions
From 9af732bfb18b7a0b4375d69b6206263b478f59d7 Mon Sep 17 00:00:00 2001
From: Michael Darmawan
Date: Mon, 30 Mar 2026 15:49:47 -0500
Subject: [PATCH 5/5] newlines
Signed-off-by: Michael Darmawan
---
 .github/workflows/build.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index e3991b5..801edd0 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
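Review bot: `pull-requests: write` is the only scope added to the `permissions:` block without a trailing comment, and because these are job-level permissions every step of the job — including the `npm ci`/`npm run build` step, where third-party lifecycle scripts execute — runs with all four write scopes available to its GITHUB_TOKEN. Give the new line the same treatment as its siblings, e.g. `pull-requests: write # Permission to comment on pull requests included in a release`, and confirm each scope is actually exercised by the configured semantic-release plugins rather than granted speculatively. The second hunk (`@@ -101,5 +103,5 @@`) swaps the `GH_TOKEN` secret for the auto-populated `GITHUB_TOKEN`; commits and tags pushed with that token do not trigger other workflow runs and are not exempt from branch-protection rules, so if the release branch is protected or a downstream workflow keys off the release tag this switch changes behaviour and the inline comment should say so. The `semantic-release` job definition begins above the hunk.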
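Review bot: The new `npm audit signatures` step is placed after `npm run build`, so the build already ran with dependencies whose registry signatures and provenance attestations had not yet been verified; the check belongs immediately after `npm ci`, which means splitting the preceding `run: |` block (its `- name:` line is above the hunk) into install, verify and build steps as below. As I read the npm documentation the command verifies attestations only for packages that publish them and fails on invalid registry signatures (and missing ones for registries that publish signing keys), so it does not enforce that every dependency carries provenance — worth a comment if that is what the step name is meant to promise. The step name also runs past 100 characters; `- name: Verify registry signatures and provenance of installed dependencies` says the same and keeps yamllint's line-length check quiet.
```yaml
        run: npm ci
      - name: Verify registry signatures and provenance of installed dependencies
        run: npm audit signatures
      - name: Build
        run: npm run build
      # … unchanged: Run semantic-release step …
```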
@@ -100,8 +100,10 @@ jobs:
 run: |
 npm ci
 npm run build
+
 - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
 run: npm audit signatures
+
 - name: Run semantic-release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Using auto-populated GITHUB_TOKEN with above permissions