From 66c152c5eb819caffccead2afc3db1e4b702dece Mon Sep 17 00:00:00 2001
From: CedarMist <134699267+CedarMist@users.noreply.github.com>
Date: Wed, 28 Aug 2024 17:12:39 +0100
Subject: [PATCH 1/2] packaging: permissions necessary for provenance pubishing

---
 .github/workflows/publish.yaml | 5 +++++
 clients/js/package.json        | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 8a1480f4..fbf598c1 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -10,6 +10,11 @@ on:
       - integrations/viem-v2/v[0-9]+.[0-9]+.[0-9]+*
       - integrations/wagmi-v2/v[0-9]+.[0-9]+.[0-9]+*
 
+# See: https://docs.npmjs.com/generating-provenance-statements
+# See: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
+permissions:
+  id-token: write # to enable use of OIDC for npm provenance
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/clients/js/package.json b/clients/js/package.json
index 83d05e61..dfd1814c 100644
--- a/clients/js/package.json
+++ b/clients/js/package.json
@@ -2,7 +2,7 @@
   "type": "module",
   "name": "@oasisprotocol/sapphire-paratime",
   "license": "Apache-2.0",
-  "version": "2.0.0-next.2",
+  "version": "2.0.0-next.3",
   "description": "The Sapphire ParaTime Web3 integration library.",
   "homepage": "https://github.com/oasisprotocol/sapphire-paratime/tree/main/clients/js",
   "repository": {

From 7f0f316db496d9e9700ef3a5c330c77ea964e4d3 Mon Sep 17 00:00:00 2001
From: CedarMist <134699267+CedarMist@users.noreply.github.com>
Date: Wed, 28 Aug 2024 18:59:20 +0100
Subject: [PATCH 2/2] packaging: add 'contents:read' permission to publish
 workflow

---
 .github/workflows/publish.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index fbf598c1..34dfed82 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -14,6 +14,7 @@ on:
 # See: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
 permissions:
   id-token: write # to enable use of OIDC for npm provenance
+  contents: read
 
 jobs:
   publish: