From 08fe637743c170cc56bac46b6224f428bd36b25e Mon Sep 17 00:00:00 2001
From: John Dengis
Date: Sat, 22 Jun 2024 17:47:04 -0700
Subject: [PATCH] fix: publish workflow needs idtoken for provenance
---
 .github/workflows/build.yml | 11 +++++++++--
 .github/workflows/lint.yml | 11 +++++++++--
 .github/workflows/publish.yml | 10 ++++++----
 .github/workflows/test.yml | 11 +++++++++--
 4 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4c76cf0..53432b8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,13 @@
 name: Build
-
-on: push
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened

 jobs:
 build:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index e2b692b..983cb77 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,6 +1,13 @@
 name: Lint
-
-on: push
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened

 jobs:
 lint:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 448f265..6369e9a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,12 +1,14 @@
 name: Publish
 on:
- push:
- tags:
- - v*
+ release:
+ types: [created]

 jobs:
- test:
+ publish:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v4
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index db4051a..576346f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,6 +1,13 @@
 name: Test
-
-on: push
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened

 jobs:
 test:
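Review bot: None of the three CI workflows that now run on `pull_request` (build.yml here, and the identical hunks in lint.yml and test.yml) declares a `permissions:` block in the lines shown, so the GITHUB_TOKEN scope falls back to the repository or organisation default. Adding a workflow-level `permissions:` with `contents: read`, as publish.yml does at job level in this same commit, keeps the token read-only for code arriving through pull requests whatever that default is. The job bodies continue outside each hunk, so a job-level block may already exist there. The listed `types` (`opened`, `synchronize`, `reopened`) are the default activity types for `pull_request`, so the list can be dropped without changing behaviour.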
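Review bot: In publish.yml, `id-token: write` is granted at job level, so every step of `publish` can request an OIDC token, including any install or build steps that run before the actual publish step; those steps lie outside the hunk. If dependency installation runs lifecycle scripts in this job, consider doing the build in a separate job without the permission and passing the artifact to a small publish job that alone holds `id-token: write`. Separately, as GitHub documents the `release` event, `types: [created]` does not fire for a release first saved as a draft and published later; `types: [published]` covers that path.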