From a453172459434f6152cebcf3809b615f54a11157 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Mon, 13 Apr 2026 12:08:33 -0400
Subject: [PATCH] fix: add set -euo pipefail to provenance workflow shell steps

Add strict error handling to setup-script, publish-script, and
access-script steps so failures are caught instead of silently
continuing to the next step.
---
 .github/workflows/provenance.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 8c8e21d3..7d66361c 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -137,6 +137,7 @@ jobs:
         env:
           SETUP_SCRIPT: ${{ inputs.setup-script }}
         run: |
+          set -euo pipefail
           # Trim whitespace
           SETUP_SCRIPT=$(echo "$SETUP_SCRIPT" | xargs)
 
@@ -171,6 +172,7 @@ jobs:
           FORCE_REGISTRY: ${{ inputs.force-registry }}
           SKIP_NPM_PACKAGES: ${{ inputs.skip-npm-packages }}
         run: |
+          set -euo pipefail
           # Trim whitespace
           PUBLISH_SCRIPT=$(echo "$PUBLISH_SCRIPT" | xargs)
 
@@ -210,6 +212,7 @@ jobs:
         env:
           ACCESS_SCRIPT: ${{ inputs.access-script }}
         run: |
+          set -euo pipefail
           # Trim whitespace
           ACCESS_SCRIPT=$(echo "$ACCESS_SCRIPT" | xargs)