From 43a549fe97aad0e015c26c3428701001da33c150 Mon Sep 17 00:00:00 2001 From: Matthew Hartstonge Date: Wed, 9 Oct 2024 09:02:46 +1300 Subject: [PATCH 1/4] ci(.github/workflows): publish fix. --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8f2966f..dee3e08 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -94,6 +94,6 @@ jobs: NODE_AUTH_TOKEN: ${{ github.token }} NPM_REGISTRY_TOKEN: ${{ secrets.NPM_TOKEN }} run: | - #yarn publish + yarn publish npm set "//registry.npmjs.org/:_authToken=${NPM_REGISTRY_TOKEN}" npm publish --provenance --access public --ignore-scripts --@linc-technologies:registry='https://registry.npmjs.org' From b83dc2dd8d2867dc528615c6c9be1bec722bd91e Mon Sep 17 00:00:00 2001 From: Matthew Hartstonge Date: Wed, 9 Oct 2024 13:06:53 +1300 Subject: [PATCH 2/4] ci(.github/workflows): migrate to internal publish config. --- .github/workflows/publish.yml | 99 ----------------------------------- .github/workflows/release.yml | 7 ++- 2 files changed, 5 insertions(+), 101 deletions(-) delete mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index dee3e08..0000000 --- a/.github/workflows/publish.yml +++ /dev/null 
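Review bot: `npm set "//registry.npmjs.org/:_authToken=${NPM_REGISTRY_TOKEN}"` in the re-enabled Publish step writes the npm token into the runner's user-level `.npmrc`, where it persists on disk for every later step of the job instead of living only in this step's `env`. Since `NPM_REGISTRY_TOKEN` is already exported, hand it to the publish call directly, e.g. `npm publish --//registry.npmjs.org/:_authToken="${NPM_REGISTRY_TOKEN}" --provenance --access public --ignore-scripts --@linc-technologies:registry='https://registry.npmjs.org'`, or keep a placeholder line `//registry.npmjs.org/:_authToken=${NPM_REGISTRY_TOKEN}` in a project `.npmrc` so npm expands it at run time without the secret being written out. `npm publish --provenance` also needs `id-token: write` on the enclosing job, which starts outside this hunk and cannot be checked here. Note that PATCH 2/4 of this series deletes publish.yml entirely, so this only matters if this patch lands on its own.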
@@ -1,99 +0,0 @@ -name: "Package" - -on: - workflow_dispatch: - inputs: - prerelease: - type: boolean - default: false - required: false - description: | - Whether this release is a prerelease. If true, then the npm publish command will have the prerelease tag - passed in in order to override it being tagged as `latest`." - backport: - type: boolean - default: false - required: false - description: Whether this release is a backport. - workflow_call: - inputs: - prerelease: - type: boolean - default: false - required: false - description: | - Whether this release is a prerelease. If true, then the npm publish command will have the prerelease tag - passed in in order to override it being tagged as `latest`." - https://gist.github.com/tfennelly/f1d573d935f4e9e9b4d1ee1b0ab6c04c - backport: - type: boolean - default: false - required: false - description: Whether this release is a backport. - release: - types: [created] - -env: - node_version: '14.21' - -jobs: - publish: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - env: - NODE_AUTH_TOKEN: ${{github.token}} - steps: - - name: "Checkout" - uses: actions/checkout@v4 - - - name: "Setup Node ${{ env.node_version }}" - id: setup_node_yarn - uses: actions/setup-node@v4 - with: - node-version: ${{ env.node_version }} - cache: 'yarn' - cache-dependency-path: yarn.lock - registry-url: "https://npm.pkg.github.com" - - - name: "Install Dependencies" - id: install_dependencies_yarn - env: - NODE_AUTH_TOKEN: ${{ github.token }} - run: yarn run ci - - - name: "Publish Pre-release" - id: publish_prerelease_yarn - if: ${{ inputs.prerelease }} - env: - NODE_AUTH_TOKEN: ${{ github.token }} - NPM_REGISTRY_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - TAG=$(cat package.json | jq '.version' | sed -e 's/".*-\(.*\)"/\1/g') - yarn publish --tag=$TAG - npm set "//registry.npmjs.org/:_authToken=${NPM_REGISTRY_TOKEN}" - npm publish --tag=$TAG --provenance --access public --ignore-scripts 
--@linc-technologies:registry='https://registry.npmjs.org' - - - name: "Publish Backport" - id: publish_backport_yarn - if: ${{ inputs.backport }} - env: - NODE_AUTH_TOKEN: ${{ github.token }} - NPM_REGISTRY_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - TAG=$(cat package.json| jq -r .version) - yarn publish --new-version=$TAG - npm set "//registry.npmjs.org/:_authToken=${NPM_REGISTRY_TOKEN}" - npm publish --new-version=$TAG --provenance --access public --ignore-scripts --@linc-technologies:registry='https://registry.npmjs.org' - - - name: "Publish" - id: publish_yarn - if: ${{ steps.publish_prerelease_yarn.outcome == 'skipped' && steps.publish_backport_yarn.outcome == 'skipped' }} - env: - NODE_AUTH_TOKEN: ${{ github.token }} - NPM_REGISTRY_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - yarn publish - npm set "//registry.npmjs.org/:_authToken=${NPM_REGISTRY_TOKEN}" - npm publish --provenance --access public --ignore-scripts --@linc-technologies:registry='https://registry.npmjs.org' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d39f211..8afee62 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,9 +28,12 @@ jobs: name: "Publish" needs: [release] if: ${{needs.release.outputs.releases_created}} + uses: linc-technologies/github/.github/workflows/ember_publish.yml@main permissions: contents: read id-token: write packages: write - uses: ./.github/workflows/publish.yml - secrets: inherit + secrets: + npm_token: ${{ secrets.NPM_TOKEN }} + with: + public: true From 08db0b7767bbfc00e89431d4c2b62e613be61438 Mon Sep 17 00:00:00 2001 From: Matthew Hartstonge Date: Wed, 9 Oct 2024 13:31:55 +1300 Subject: [PATCH 3/4] ci(.github/workflows): removes defined permissions, leveraging upstream requests. --- .github/workflows/release.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8afee62..1a2bc75 100644 --- a/.github/workflows/release.yml 
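Review bot: The new `uses: linc-technologies/github/.github/workflows/ember_publish.yml@main` references the reusable workflow by a mutable branch, so any later push to that branch in the other repository runs with this repository's `NPM_TOKEN` and publishing identity without any change or review here. Pin it to a full commit SHA and record the version in a trailing comment, e.g. `uses: linc-technologies/github/.github/workflows/ember_publish.yml@<40-char sha> # vX.Y.Z`, and bump it deliberately as you would a third-party action. Passing only `npm_token` instead of `secrets: inherit` is the right narrowing; keeping the caller pinned is what makes that narrowing hold.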
+++ b/.github/workflows/release.yml @@ -9,7 +9,6 @@ on: permissions: checks: write contents: write - id-token: write pull-requests: write jobs: @@ -29,10 +28,6 @@ jobs: needs: [release] if: ${{needs.release.outputs.releases_created}} uses: linc-technologies/github/.github/workflows/ember_publish.yml@main - permissions: - contents: read - id-token: write - packages: write secrets: npm_token: ${{ secrets.NPM_TOKEN }} with: From 367f88966f4d3b95ab54286f0cd2aad0f3c7ebbf Mon Sep 17 00:00:00 2001 From: Matthew Hartstonge Date: Wed, 9 Oct 2024 14:05:48 +1300 Subject: [PATCH 4/4] chore(.github/workflows/release): limits permissions to the release step. --- .github/workflows/release.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1a2bc75..82bedc5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,17 +6,16 @@ on: branches: - main -permissions: - checks: write - contents: write - pull-requests: write - jobs: release: name: "Release" runs-on: ubuntu-latest outputs: releases_created: ${{steps.release-please.outputs.releases_created}} + permissions: + checks: write + contents: write + pull-requests: write steps: - uses: googleapis/release-please-action@v4 id: release-please
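Review bot: Removing `permissions:` from the `publish` job does not let ember_publish.yml request scopes for itself, as the subject line suggests: a called reusable workflow can only keep or downgrade the GITHUB_TOKEN permissions the caller job grants, never elevate them. Together with the first hunk, the workflow-level block now grants only `checks`, `contents` and `pull-requests`, so the called workflow runs with `id-token: none` and `packages: none`; if it still runs `npm publish --provenance` or publishes to npm.pkg.github.com as the removed publish.yml did, those steps will fail. Keep an explicit least-privilege block on the job, `permissions:` with `contents: read`, `id-token: write` and `packages: write`, and drop whichever of the three the upstream workflow turns out not to need.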
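Review bot: Scoping `checks`/`contents`/`pull-requests` write to the `release` job is the right direction, but the sibling `publish` job (outside this hunk) is now left with no `permissions` key at all, so the reusable workflow it calls receives the repository's default GITHUB_TOKEN permissions. On a repository with the permissive default that is write access to most scopes, far more than publishing needs, while `id-token` is never part of the default grant, so provenance attestation would still fail if ember_publish.yml uses it, as far as can be told without seeing that file. Add an explicit block to `publish` as well, `permissions:` with `contents: read`, `id-token: write` and `packages: write`, so both jobs are pinned to least privilege independent of the repository setting.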