From c9d4ff28e36e70b53b031bb2ef73cd96d1bafd07 Mon Sep 17 00:00:00 2001
From: Kenneth <kenneth@nym.sh>
Date: Sat, 28 Feb 2026 01:30:17 +0000
Subject: [PATCH] Add npm publish workflow on GitHub release

Requires NPM_TOKEN secret. Builds, tests, then publishes with provenance.

Co-authored-by: Ona <no-reply@ona.com>
---
 .github/workflows/publish.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..a470c9c
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,31 @@
+name: Publish to npm
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: oven-sh/setup-bun@v2
+
+      - run: bun install
+
+      - run: bun run build
+
+      - run: bun test
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org
+
+      - run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}