From 84363b2a7797056d7b9531740a0774247ee39614 Mon Sep 17 00:00:00 2001
From: coderrob <rob@coderrob.com>
Date: Thu, 2 Apr 2026 18:42:05 -0500
Subject: [PATCH] docs: update CONTRIBUTING.md and README.md with npm
 provenance details and additional badges

---
 CONTRIBUTING.md |  4 ++++
 README.md       | 19 ++++++++++++++++++-
 package.json    |  2 +-
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c9f471f..d7c149a 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -73,6 +73,10 @@ Changesets can be published with:
 npm run release:changesets
 ```
 
+The GitHub release workflow publishes with npm provenance enabled. The local
+`npm run publish:package` command does not force provenance, because npm only
+supports automatic provenance generation in supported CI providers.
+
 ## Packaging Notes
 
 - The package publishes built files from `dist/`.
diff --git a/README.md b/README.md
index cbe1be4..65f12ac 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,23 @@
   <img src="public/img/typescript-type-guard-logo.png" alt="typescript-type-guards logo" />
 </p>
 
+<p align="center">
+  <a href="https://www.npmjs.com/package/@coderrob/typescript-type-guards">
+    <img src="https://img.shields.io/npm/v/%40coderrob%2Ftypescript-type-guards?logo=npm&logoColor=white" alt="npm version" />
+  </a>
+  <a href="https://www.npmjs.com/package/@coderrob/typescript-type-guards">
+    <img src="https://img.shields.io/npm/dm/%40coderrob%2Ftypescript-type-guards?logo=npm&logoColor=white" alt="npm downloads" />
+  </a>
+  <a href="https://github.com/Coderrob/typescript-type-guards/actions/workflows/ci.yml">
+    <img src="https://img.shields.io/github/actions/workflow/status/Coderrob/typescript-type-guards/ci.yml?branch=main&label=ci" alt="CI status" />
+  </a>
+  <img src="https://img.shields.io/badge/coverage-100%25-brightgreen" alt="Coverage 100%" />
+  <a href="LICENSE">
+    <img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="Apache 2.0 license" />
+  </a>
+  <img src="https://img.shields.io/badge/node-20%20%7C%2022%20%7C%2024-339933?logo=node.js&logoColor=white" alt="Node.js 20, 22, and 24" />
+</p>
+
 Reusable TypeScript type guards for narrowing `unknown` values in application and library code.
 
 ## Installation
@@ -157,6 +174,6 @@ npm run test:coverage
 
 - `npm run changeset` creates a release note entry for a package change.
 - `npm run release:version` applies pending changesets and updates the changelog.
-- `npm run release:changesets` runs the full verification stack, coverage, and then publishes through Changesets.
+- `npm run release:changesets` runs the full verification stack, coverage, and then publishes through Changesets. In GitHub Actions, this release path also publishes with provenance.
 - `npm run publish:package` performs a direct npm publish with a dry-run pack check first.
 - `.github/workflows/release.yml` is a manual `workflow_dispatch` workflow for optional release publishing.
diff --git a/package.json b/package.json
index 567a050..38cc6b4 100644
--- a/package.json
+++ b/package.json
@@ -82,7 +82,7 @@
     "package:quality": "npm run check:publint && npm run check:types:package",
     "prepack": "npm run clean && npm run build && npm run test:package && npm run typecheck",
     "prepublishOnly": "npm run verify && npm run test:coverage",
-    "publish:package": "npm pack --dry-run && npm publish --access public --provenance",
+    "publish:package": "npm pack --dry-run && npm publish --access public",
     "release:changesets": "npm run verify && npm run test:coverage && changeset publish",
     "release:version": "changeset version",
     "test": "vitest run --root . src/__tests__/runtime.test.ts --pool=threads --fileParallelism=false",