feat: add npm package provenance

Ref: https://github.blog/2023-04-19-introducing-npm-package-provenance/
2025-09-09 19:39:29 +02:00 · 2023-05-13 16:05:01 +02:00
parent c65607bcc3
commit cbc6042bd5
3 changed files with 13 additions and 0 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,11 @@ on:
 jobs:
  release:
    runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'write'
+      issues: 'write'
+      pull-requests: 'write'
+      id-token: 'write'
    steps:
      - uses: 'actions/checkout@v3.5.2'
        with:
@@ -22,6 +27,9 @@ jobs:
      - name: 'Install dependencies'
        run: 'npm clean-install'

+      - name: 'Verify the integrity of provenance attestations and registry signatures for installed dependencies'
+        run: 'npm audit signatures'
+
      - name: 'Release'
        run: 'npm run release'
        env:
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1,2 @@
 save-exact=true
+provenance=true
--- a/package.json
+++ b/package.json
@@ -21,6 +21,10 @@
  "files": [
    "src"
  ],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
  "engines": {
    "node": ">=16.0.0",
    "npm": ">=9.0.0"