chore(ci): publish with provenance (#67)

Author: AugustinMauroy

.github/workflows/publish.yml

@@ -5,15 +5,17 @@ on:
     branches: [main]
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 env:
   YARN_ENABLE_GLOBAL_CACHE: false
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
       release_tag: ${{ steps.release.outputs.tag_name }}
@@ -27,6 +29,9 @@ jobs:
     needs: release-please
     if: ${{ needs.release-please.outputs.release_created }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
@@ -55,6 +60,6 @@ jobs:
         run: |
           corepack yarn install --immutable
           corepack yarn build
-          corepack yarn workspaces foreach --all --no-private npm publish --access public
+          corepack yarn workspaces foreach --all --no-private npm publish --provenance --access public
         env:
           YARN_NPM_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}