From 7ccda72385dd6b7443c5b9460848eaaf06b44603 Mon Sep 17 00:00:00 2001
From: Cezar Augusto
Date: Tue, 7 Oct 2025 16:21:01 -0300
Subject: [PATCH] ci(release): enforce npm provenance (single-package publish, NPM_CONFIG_PROVENANCE)
---
 .github/workflows/release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 84b166b..153d8ba 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 steps:
 - uses: actions/checkout@v4
@@ -32,10 +33,11 @@ jobs:
 - name: Changesets publish
 uses: changesets/action@v1
 with:
- publish: pnpm -r publish --access public --provenance --no-git-checks
+ publish: pnpm publish --access public --provenance --no-git-checks
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NPM_CONFIG_PROVENANCE: true
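Review bot: The new `id-token: write` in the first hunk is granted to the whole job, so every step can request an OIDC token, and the steps visible in this patch use tag-pinned actions (`actions/checkout@v4`, `changesets/action@v1`) whose tags can be moved. Since the job now holds `contents: write`, the npm token and the signing identity together, I would pin those actions to full commit SHAs, e.g. `uses: changesets/action@<full-commit-sha> # v1`, and put a comment above the new line such as `# required for npm provenance: OIDC token signs the attestation`. The job's remaining steps lie outside the hunk, so any other third-party action there deserves the same check.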
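Review bot: The new `publish:` line in the second hunk keeps `--no-git-checks` while provenance is being enforced, which skips pnpm's checks for the publish branch and a clean working tree. The provenance statement records the commit and the workflow, not that the tarball matches that commit, so if an earlier step (outside this hunk) modifies tracked files, the signed package can differ from the source it points to. If the flag is only there for CI convenience, consider dropping it or adding a step before the publish such as `run: git diff --exit-code`. Separately, `NPM_CONFIG_PROVENANCE: true` is clearer quoted as `NPM_CONFIG_PROVENANCE: "true"`, since env values reach the process as strings.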