From c1e33de33c168629bd18accc5f68b07e2b389291 Mon Sep 17 00:00:00 2001
From: Lovell Fuller <github@lovell.info>
Date: Mon, 1 Sep 2025 12:37:16 +0100
Subject: [PATCH] CI: Automate npm publish-with-provenance

Temporarily flagged with dry-run for now
---
 .github/workflows/ci.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 605cea29..36786a20 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -300,6 +300,7 @@ jobs:
   release:
     permissions:
       contents: write
+      id-token: write
     runs-on: ubuntu-24.04
     needs:
       - build-native
@@ -314,11 +315,9 @@ jobs:
       - name: Create npm workspace tarball
         run: tar -vcaf npm-workspace.tar.xz --directory npm --exclude=from-local-build.js .
       - uses: actions/setup-node@v4
-        if: startsWith(github.ref, 'refs/tags/v')
         with:
-          node-version: "24"
+          node-version: '24'
       - name: Create release notes
-        if: startsWith(github.ref, 'refs/tags/v')
         run: npm run package-release-notes
       - name: Create GitHub release for tag
         if: startsWith(github.ref, 'refs/tags/v')
@@ -329,3 +328,9 @@ jobs:
           prerelease: ${{ contains(github.ref, '-rc') }}
           makeLatest: ${{ !contains(github.ref, '-rc') }}
           bodyFile: release-notes.md
+      - name: Publish platform-specific npm packages
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: cd npm && npm publish --workspaces --tag=${{ contains(github.ref, '-rc') && 'next' || 'latest' }} --dry-run
+      - name: Publish sharp npm package
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: npm publish --tag=${{ contains(github.ref, '-rc') && 'next' || 'latest' }} --dry-run