From 8bb83a8e4928e6aa739959a61b132574cad27664 Mon Sep 17 00:00:00 2001
From: Tom Jenkinson
Date: Thu, 20 Apr 2023 08:58:15 +0100
Subject: [PATCH 1/3] give publish job permissions for npm provenance

---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 67c1c064576..13402c3da89 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -266,6 +266,9 @@ jobs:
 needs: [config, test_unit]
 if: needs.config.outputs.tag || needs.config.outputs.isMainBranch == 'true'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - uses: actions/checkout@v3

From bb3de9b682b33463aea82bd2410f022bbd298280 Mon Sep 17 00:00:00 2001
From: Tom Jenkinson
Date: Thu, 20 Apr 2023 09:03:17 +0100
Subject: [PATCH 2/3] =?UTF-8?q?add=20`=E2=80=94provenance`=20flag=20to=20`?=
 =?UTF-8?q?npm=20publish`?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/publish-npm.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/publish-npm.sh b/scripts/publish-npm.sh
index 50b92440ea5..fd95fb16c46 100755
--- a/scripts/publish-npm.sh
+++ b/scripts/publish-npm.sh
@@ -6,7 +6,7 @@ if [[ $(node ./scripts/check-already-published.js) = "not published" ]]; then
 # see https://docs.npmjs.com/private-modules/ci-server-config
 echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
 if [[ -z "$TAG" ]]; then
- npm publish --tag canary
+ npm publish --provenance --tag canary
 echo "Published canary."
 curl https://purge.jsdelivr.net/npm/hls.js@canary
 curl https://purge.jsdelivr.net/npm/hls.js@canary/dist/hls-demo.js
@@ -19,7 +19,7 @@ if [[ $(node ./scripts/check-already-published.js) = "not published" ]]; then
 exit 1
 fi
 echo "Publishing tag: ${tag}"
- npm publish --tag "${tag}"
+ npm publish --provenance --tag "${tag}"
 curl "https://purge.jsdelivr.net/npm/hls.js@${tag}"
 echo "Published."
 fi
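Review bot: The job-level `permissions:` block added at `+ permissions:` resets every scope not listed to `none` for this job, and `id-token: write` lets any step in the job, including third-party actions, request an OIDC token that the registry will accept as this workflow's identity. The block deserves a comment saying why it exists and what it implies, e.g. `# id-token: write mints the OIDC token that npm publish --provenance needs; every other scope defaults to none for this job`. Because the token is job-wide, the actions this job runs are worth pinning by full commit SHA rather than a moving tag such as the `@v3` on the checkout context line, so that a moved tag cannot publish under this repository's identity. The job's remaining steps continue outside the hunk.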
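Review bot: `npm publish --provenance --tag canary` depends on an npm client that understands `--provenance` (first shipped in npm 9.5.0), yet nothing in the hunk or the surrounding script checks the client version, so an older client either rejects the option or treats it as an unknown config key and publishes without any attestation, which is the quieter and worse failure. A guard ahead of the publish, e.g. comparing `npm --version` against the minimum and exiting with an explanatory message, or pinning the npm version in the workflow that calls this script, makes the requirement explicit; the same applies to the `npm publish --provenance --tag "${tag}"` line in the second hunk at line 19. Provenance also only succeeds when the calling job grants `id-token: write`, which the workflow patch in this series sets, so a comment above each publish line, `# --provenance needs npm >= 9.5 and id-token: write in the calling job`, records that coupling. The enclosing `if` block starts and ends outside the hunk.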
From 03b0ef1c9c933667df662b0a918cd471ee3c3c6c Mon Sep 17 00:00:00 2001
From: Tom Jenkinson
Date: Thu, 20 Apr 2023 09:04:40 +0100
Subject: [PATCH 3/3] remove unneeded `contents` permission

---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 13402c3da89..9e32083a3d4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -267,7 +267,6 @@ jobs:
 if: needs.config.outputs.tag || needs.config.outputs.isMainBranch == 'true'
 runs-on: ubuntu-latest
 permissions:
- contents: read
 id-token: write
 steps:
 - uses: actions/checkout@v3