From 932dd12c79192a13e6c9905d7b2d88e4f3874ebb Mon Sep 17 00:00:00 2001
From: Alexander Schueren <sha@amazon.com>
Date: Tue, 22 Oct 2024 15:25:59 +0200
Subject: [PATCH 1/2] add release workflow for single package

---
 .github/workflows/publish-package.yml | 49 +++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/publish-package.yml

diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
new file mode 100644
index 0000000000..b08a8c32ca
--- /dev/null
+++ b/.github/workflows/publish-package.yml
@@ -0,0 +1,49 @@
+name: Publish Package
+
+# This workflow publishes a single package to NPM
+
+on:
+  workflow_dispatch:
+    inputs:
+      package:
+        description: 'The package to publish'
+        required: true
+        options:
+          - packages/batch
+          - packages/commons
+          - packages/idempotency
+          - packages/jmespath
+          - packages/logger
+          - packages/metrics
+          - packages/tracer
+          - packages/parameters
+          - packages/parser
+
+
+jobs:
+  run-unit-tests:
+    uses: ./.github/workflows/reusable-run-linting-check-and-unit-tests.yml
+  publish-npm:
+    needs: run-unit-tests
+    permissions:
+        id-token: write
+    environment: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
+        with:
+          ref: ${{ github.sha }}
+      - name: Setup NodeJS
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        with:
+          node-version: "20"
+          cache: "npm"
+      - name: Setup auth tokens
+        run: |
+          npm set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@d406bac5563f1d8c793519a3eedfe620f6a14872
+      - name: Publish to npm
+        run: |
+          NPM_CONFIG_PROVENANCE=true npx lerna publish from-package --force-publish ${{ github.event.input.package }} --git-head ${{ github.sha }} --yes
\ No newline at end of file

From 84e41ae3e3de3163b82ed9e46fe7a5c328d80bcf Mon Sep 17 00:00:00 2001
From: Alexander Schueren <sha@amazon.com>
Date: Tue, 22 Oct 2024 15:30:19 +0200
Subject: [PATCH 2/2] add permission contents read as default

---
 .github/workflows/publish-package.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index b08a8c32ca..cc1bdf54a7 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -19,6 +19,9 @@ on:
           - packages/parameters
           - packages/parser
 
+permissions:
+  contents: read
+
 
 jobs:
   run-unit-tests: