From 522854ae576852f2a22d43f1ef8aa7710e525598 Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Fri, 6 Feb 2026 18:02:37 +0000 Subject: [PATCH] Add OIDC permissions for trusted publishing Co-authored-by: Kent C. Dodds --- .github/workflows/validate.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 011c9bc0..69dbb96c 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -47,6 +47,13 @@ jobs: release: needs: main runs-on: ubuntu-latest + permissions: + contents: write # to be able to publish a GitHub release + id-token: write # to enable use of OIDC for npm provenance + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + env: + NPM_CONFIG_PROVENANCE: 'true' if: ${{ github.repository == 'kentcdodds/kcd-scripts' && contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', @@ -82,4 +89,3 @@ jobs: ] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
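Review bot: The new `permissions` block is job-wide, so every step in `release` can request an OIDC token through `id-token: write` and write to contents, issues and pull requests; that includes dependency install scripts and any third-party action, none of which are visible in this hunk. Because the publish credential is now whatever this job can mint, I would add a comment above the block such as `# job-scoped: every step in this job can mint the npm OIDC token; keep steps minimal and pin actions by commit SHA`. It is also worth confirming that the workflow sets a restrictive top-level default (`permissions: {}` or read-only) so the `main` job does not keep broader token defaults. The `if:` guard after the added lines now gates token minting, and `contains()` on a comma-joined string is a substring test. If its second argument (cut off at the end of this hunk) is `github.ref`, an exact match against an array built with `fromJSON('[...]')` would be stricter.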