The publish workflow requires id-token: write for npm provenance.
When called via workflow_call, permissions are inherited from the
caller, so id-token must be declared in release-please.yml.
Split publish into a separate reusable workflow (publish.yml) that can
be triggered manually via workflow_dispatch or called from release-
please. This allows re-running publish independently when a release
already exists but publishing failed.
Add --provenance flag to npm publish for supply chain security.
Add id-token: write permission to release workflow for OIDC-based
provenance attestation. Fix MIN_CORE_VERSION to dynamically use
current version instead of hardcoded ^8.0.2.
Update CI workflow: restrict triggers to master+PRs, add concurrency
groups and npm cache. Update release-please and stale workflows to
latest action versions. Replace single ISSUE_TEMPLATE.md with YAML-
based templates (bug report, feature request, config). Rewrite
CONTRIBUTING.md for awesome-cordova-plugins.
Daniel Sogl