build(pkg): generate provenance statements

- https://docs.npmjs.com/generating-provenance-statements
- https://github.blog/changelog/2023-09-26-npm-provenance-general-availability

Signed-off-by: Lexus Drumgold <[email protected]>

Author: unicornware

.github/workflows/publish.yml

@@ -12,6 +12,7 @@
 # - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
 # - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#release
 # - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
+# - https://docs.npmjs.com/generating-provenance-statements
 # - https://github.com/actions/checkout
 # - https://github.com/actions/setup-node
 # - https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#yarn2-configuration
@@ -67,10 +68,12 @@ jobs:
         env:
           ARTIFACT: ${{ steps.artifact.outputs.result }}
           FLAGS: ${{ steps.dist-tag.outputs.flag }}
-        run: echo "result=npm publish $ARTIFACT $FLAGS" >>$GITHUB_OUTPUT
+        run: echo "result=npm publish --provenance $FLAGS $ARTIFACT" >>$GITHUB_OUTPUT
   gpr:
     needs: preflight
     permissions:
+      contents: read
+      id-token: write
       packages: write
     runs-on: ubuntu-latest
     environment:
@@ -108,6 +111,8 @@ jobs:
       - gpr
       - preflight
     permissions:
+      contents: read
+      id-token: write
       packages: write
     runs-on: ubuntu-latest
     environment:

package.json

@@ -31,7 +31,8 @@
   },
   "publishConfig": {
     "access": "public",
-    "directory": "./"
+    "directory": "./",
+    "provenance": true
   },
   "type": "module",
   "files": [