From 16884a7b6867c28fb8bbe75d75d713da7720a63f Mon Sep 17 00:00:00 2001
From: Sasha
Date: Fri, 15 Aug 2025 13:44:12 +1000
Subject: [PATCH] attest NPM package as a whole
---
 .github/workflows/publish.yaml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 5048c222..d14f2241 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -61,20 +61,21 @@ jobs:
 run: |
 rm -rf dist && yarn build
- # ! Do NOT remove - this will cause a Sev 0 incident !
- - name: Generate SDK attestation
+ # ! Do NOT remove - this will cause a Sev 0 incident !
+ - name: Pack NPM package
+ run: |
+ npm pack
+
+ - name: Generate attestation
 uses: actions/attest-build-provenance@v1
 with:
- subject-path: |
- dist
- contracts
- README.md
- LICENSE.md
- package.json
-
+ subject-path: ./*.tgz
+ # ! ------------------------------------------------- !
+
 - name: Publish package
- uses: JS-DevTools/npm-publish@v1
+ uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c # v3.1.1
 with:
 token: ${{ secrets.CONTRACTS_NPM_TOKEN }}
 access: public
 tag: "latest"
+ provenance: true
\ No newline at end of file
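Review bot: The tarball attested by `subject-path: ./*.tgz` is not visibly the artifact that the `Publish package` step uploads, since that step is given no path to the packed file and may pack the working tree again. If the two tarballs differ (for example through a `prepublishOnly` script, or because the leftover `.tgz` is picked up by the second pack), the attested digest will not match what consumers download, so either publish the packed file itself, e.g. `npm publish ./*.tgz --provenance --access public`, or add a step that fails when the digests differ. The glob also attests every `.tgz` in the workspace root, so a `rm -f ./*.tgz` before `npm pack` would keep the subject to a single file. Separately, `actions/attest-build-provenance@v1` stays on a mutable tag while the publish action is now pinned to a commit; pinning it the same way, `uses: actions/attest-build-provenance@<full-commit-sha> # v1`, would be consistent. The job's `permissions` block is outside the hunk, so whether `id-token: write` is granted for `provenance: true` cannot be confirmed from here.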