From bea287428274ce815b99fd923fceb90a604feffb Mon Sep 17 00:00:00 2001
From: Brandon Teng <bteng22@github.com>
Date: Mon, 20 Apr 2026 13:05:30 -0700
Subject: [PATCH 1/3] Configure npm publish workflow with provenance support

Updated publish workflow to include provenance and removed npm whoami step.
---
 .github/workflows/publish.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f2a6903..f435936 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,6 +7,7 @@ on:
 permissions:
   contents: read
   packages: write
+  id-token: write # for provenance and publish access
 
 jobs:
   publish-npm:
@@ -22,6 +23,4 @@ jobs:
       - run: npm version ${TAG_NAME} --git-tag-version=false --allow-same-version
         env:
           TAG_NAME: ${{ github.event.release.tag_name }}
-      - run: npm whoami; npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
+      - run: npm publish --provenance

From 7f29f6be9af23f43b0b2defbcfb3291285182edc Mon Sep 17 00:00:00 2001
From: Brandon Teng <bteng22@github.com>
Date: Mon, 20 Apr 2026 13:44:59 -0700
Subject: [PATCH 2/3] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/publish.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f435936..0bd864b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,7 +6,6 @@ on:
 
 permissions:
   contents: read
-  packages: write
   id-token: write # for provenance and publish access
 
 jobs:

From ad77067f7eb842551e0392cc8200afb28d83b162 Mon Sep 17 00:00:00 2001
From: Brandon Teng <bteng22@github.com>
Date: Mon, 20 Apr 2026 13:45:32 -0700
Subject: [PATCH 3/3] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0bd864b..986f3bb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -22,4 +22,4 @@ jobs:
       - run: npm version ${TAG_NAME} --git-tag-version=false --allow-same-version
         env:
           TAG_NAME: ${{ github.event.release.tag_name }}
-      - run: npm publish --provenance
+      - run: npm publish --access public --provenance