From 719dd3cc9da0fd304f567d1b23536770c71e1eb9 Mon Sep 17 00:00:00 2001
From: John Gozde
Date: Tue, 21 Oct 2025 14:44:41 -0600
Subject: [PATCH 1/2] Add npm trusted publishing support

- Add id-token, contents, and pull-requests write permissions to release job
- Add npm update step to ensure latest npm version for provenance support
- Add --provenance flag for npm publish
- Add changeset for all packages
- Enables automated publishing via OIDC without requiring OTP
---
 .changeset/npm-trusted-publishing.md | 7 +++++++
 .github/workflows/build.yml | 9 ++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/npm-trusted-publishing.md
diff --git a/.changeset/npm-trusted-publishing.md b/.changeset/npm-trusted-publishing.md
new file mode 100644
index 0000000..4e1b6cd
--- /dev/null
+++ b/.changeset/npm-trusted-publishing.md
@@ -0,0 +1,7 @@
+---
+"immutable-class": patch
+"eslint-plugin-immutable-class": patch
+"immutable-class-tester": patch
+---
+
+Add npm trusted publishing support for automated releases via OIDC
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e0b750b..fe237f7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,6 +37,10 @@ jobs:
 needs: [build]
 name: Release
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@v4
@@ -51,11 +55,14 @@ jobs:
 - run: npm install --prefer-offline --no-audit
+ - name: Update npm
+ run: npm install -g npm@latest
+
 - name: Create Release Pull Request or Publish to npm
 id: changesets
 uses: changesets/action@v1
 with:
- publish: npx changeset publish
+ publish: npx changeset publish --provenance
 createGithubReleases: true
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From bcb536cec11ed5538db618ba388e3d17738b3921 Mon Sep 17 00:00:00 2001
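Review bot: The new `permissions:` block on the Release job gives `id-token: write` and `contents: write` to every step in the job, including the `npm install --prefer-offline --no-audit` step shown in the next hunk, which runs dependency lifecycle scripts. With trusted publishing, any code executing in this job can obtain an OIDC token that npm will accept, so the install step becomes part of the publish trust boundary. Consider `npm ci --ignore-scripts` for that step if the build does not rely on install scripts. Consider also binding the job to a protected environment (`environment: <ENV_NAME>`, placeholder) that is named in the npm trusted-publisher entry. The job's trigger and any `if:` guard sit outside this hunk, so confirm it cannot run for pull-request refs, and add a comment such as `# id-token: write is required for npm trusted publishing (OIDC)` so the scopes are not widened or dropped by accident later.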
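Review bot: `npm install -g npm@latest` in the new "Update npm" step installs whatever is tagged latest at release time into a job that holds `id-token: write` and `contents: write`, so the publishing toolchain is unreviewed and not reproducible. Pin it to a reviewed version or range, e.g. `run: npm install -g npm@^11.5.1` (npm's documentation gives 11.5.1 as the minimum CLI for trusted publishing; confirm before merging). The same concern applies to `changesets/action@v1` in this hunk, a mutable tag that could be pinned to a full commit SHA. The `env:` block continues past the end of the hunk; if it still passes a long-lived npm token, removing that secret would leave OIDC as the only publish credential.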
From: John Gozde
Date: Tue, 21 Oct 2025 15:04:02 -0600
Subject: [PATCH 2/2] Remove --provenance
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fe237f7..359e456 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -62,7 +62,7 @@ jobs:
 id: changesets
 uses: changesets/action@v1
 with:
- publish: npx changeset publish --provenance
+ publish: npx changeset publish
 createGithubReleases: true
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
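Review bot: After this change nothing in the workflow says that provenance is still expected, since `publish: npx changeset publish` now relies on npm attaching attestations implicitly when the publish is authenticated through trusted publishing. If a publish ever falls back to a token (hedged: the rest of the `env:` block is outside the hunk), packages would ship without provenance and nothing here would flag it. I would add a comment above the line, e.g. `# provenance is generated automatically by npm trusted publishing; no --provenance flag needed`. A post-release check that the published versions carry an attestation (for example `npm audit signatures` in a consumer project) would also help. The step itself starts before the hunk.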