From 64bd0c141a5d37b3de5c9dc249578e073e9ad042 Mon Sep 17 00:00:00 2001
From: Pekka Enberg <penberg@iki.fi>
Date: Thu, 3 Apr 2025 12:38:01 +0300
Subject: [PATCH] github: Fix JavaScript publish workflow permissions

The workflow enables npm's provenance feature, which requires write
permissions to the "id-token" on Github actions:

https://tsmx.net/npmjs-built-and-signed-on-github-actions/
---
 .github/workflows/napi.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/napi.yml b/.github/workflows/napi.yml
index c0f2de614..21b6ce4c4 100644
--- a/.github/workflows/napi.yml
+++ b/.github/workflows/napi.yml
@@ -205,6 +205,9 @@ jobs:
   publish:
     name: Publish
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     needs:
       - test-macOS-windows-binding
       - test-linux-x64-gnu-binding