From 32788807edb8945d76b14dbd7f4b7c05692ef41a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Best?=
Date: Thu, 19 Dec 2024 21:49:31 +0100
Subject: [PATCH 1/4] chore: Enable provenance

---
 .github/workflows/ci-cd.yml | 5 +++++
 packages/nuqs/package.json | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index d6a135bec..6f14a8cf7 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -231,6 +231,11 @@ jobs:
   cd:
     name: Deployment
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for NPM provenance
     needs:
       - lint
       - ci-core
diff --git a/packages/nuqs/package.json b/packages/nuqs/package.json
index d317741ba..47b85b2a5 100644
--- a/packages/nuqs/package.json
+++ b/packages/nuqs/package.json
@@ -29,7 +29,8 @@
     "react-router"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "files": [
     "dist/",

From 153ba041b23e9a279a3a1690e821f0b7f3e872a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Best?=
Date: Thu, 19 Dec 2024 21:58:36 +0100
Subject: [PATCH 2/4] chore: Enable provenance in snapshot releases

---
 .github/workflows/snapshot-release.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/snapshot-release.yml b/.github/workflows/snapshot-release.yml
index 3cf21f636..0ca1d7891 100644
--- a/.github/workflows/snapshot-release.yml
+++ b/.github/workflows/snapshot-release.yml
@@ -6,8 +6,8 @@ on:
     inputs:
       version:
         description: Base version to use for the release
-        required: true
         type: string
+        default: '0.0.0'
 
 env:
   FORCE_COLOR: 3 # Diplay chalk colors
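Review bot: The new job-level `permissions` block on the cd job replaces the default token scopes for that job, so every scope not listed here (for example `packages` or `deployments`) becomes `none`; worth confirming that none of the deployment steps outside this hunk relied on such a scope before merging. Scoping the four write scopes to this job instead of the whole workflow is the right shape for an OIDC-publishing job. The same block is added to the snapshot job in the second patch and trimmed to `id-token: write` alone in the fourth; it would be useful to verify that the release tooling in cd really exercises `issues: write` and `pull-requests: write`, since the comments assert it but nothing in the hunk shows it. The cd job's body continues outside the hunk.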
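Review bot: Setting `provenance` in `publishConfig` makes npm generate a provenance statement on publish and, as far as I know, validate it against the package metadata, rejecting the publish when `repository.url` does not match the repository the OIDC token was issued for; the `repository` field lies outside this hunk, so check it names this GitHub repository in the form npm expects before the first release with this setting. With the option on, a publish from a developer machine without an OIDC token fails instead of silently publishing without an attestation, which is presumably the intent and could be noted in the release docs.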
@@ -15,6 +15,11 @@ jobs:
   snapshot:
     name: Deployment
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for NPM provenance
     steps:
       - name: Generate snapshot version
         id: version
@@ -37,7 +42,7 @@ jobs:
         run: |
           pnpm pkg set version=${{ steps.version.outputs.version }}
           echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
-          pnpm publish --access public --tag snapshot --no-git-checks
+          pnpm publish --access public --provenance --tag snapshot --no-git-checks
           rm -f .npmrc
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

From c5abdf076ad15b821f4e578f0cb9c2de051be6b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Best?=
Date: Thu, 19 Dec 2024 22:00:24 +0100
Subject: [PATCH 3/4] chore: Only install dependencies to build nuqs in snapshot

---
 .github/workflows/snapshot-release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/snapshot-release.yml b/.github/workflows/snapshot-release.yml
index 0ca1d7891..78450a6fb 100644
--- a/.github/workflows/snapshot-release.yml
+++ b/.github/workflows/snapshot-release.yml
@@ -34,7 +34,7 @@ jobs:
           node-version-file: .node-version
           cache: pnpm
       - name: Install dependencies
-        run: pnpm install --ignore-scripts --frozen-lockfile
+        run: pnpm install --ignore-scripts --frozen-lockfile --filter nuqs...
       - name: Build package
         run: pnpm build --filter nuqs
       - name: Publish package

From 3a5e8e45a26337a60f1bf7c66f56b11ddf5a5cad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Best?=
Date: Thu, 19 Dec 2024 22:04:26 +0100
Subject: [PATCH 4/4] chore: Reduce permissions set for snapshot release

---
 .github/workflows/snapshot-release.yml | 3 ---
 1 file changed, 3 deletions(-)
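Review bot: The new `--provenance` flag on the publish line adds a failure mode to the step (OIDC token or repository validation), and because a `run:` block without an explicit shell executes under the Actions default `bash -e`, a failing `pnpm publish` ends the script before `rm -f .npmrc` on the next line runs, leaving the expanded `NPM_TOKEN` on disk for the remainder of the job. The runner is ephemeral so the exposure is bounded, but a `trap 'rm -f .npmrc' EXIT` placed right after the `echo`, or writing the reference unexpanded with single quotes (`echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > .npmrc`) so that npm and pnpm resolve it from the environment at run time, keeps the secret out of the file on every exit path. The Publish step's `- name:` line and the surrounding job are outside the hunk.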
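Review bot: The added `--filter nuqs...` carries no comment explaining the trailing `...`, which in pnpm's filter syntax selects the package together with its workspace dependencies rather than the package alone, and that distinction is easy to misread as a typo; a one-line comment above the step, `# nuqs... = nuqs plus its workspace dependencies (pnpm filter syntax)`, would save the next reader a lookup. Narrowing the install in the publishing job also shrinks the amount of third-party code executed on a runner that holds the npm token, which is worth stating in the same comment so the narrowing is not undone later as a cleanup.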
diff --git a/.github/workflows/snapshot-release.yml b/.github/workflows/snapshot-release.yml
index 78450a6fb..aadafa853 100644
--- a/.github/workflows/snapshot-release.yml
+++ b/.github/workflows/snapshot-release.yml
@@ -16,9 +16,6 @@ jobs:
     name: Deployment
     runs-on: ubuntu-24.04
     permissions:
-      contents: write # to be able to publish a GitHub release
-      issues: write # to be able to comment on released issues
-      pull-requests: write # to be able to comment on released pull requests
       id-token: write # to enable use of OIDC for NPM provenance
     steps:
       - name: Generate snapshot version