chore: use npm provenance

Configures the npm provenance mechanism for the Github release workflow. The npm provenance assures consumers of JSON Forms that the libraries available on npmjs were actually produced by the JSON Forms project.
eclipsesource · Jan 9, 2024 · 41076e5 · 41076e5
1 parent c8d3ecf
commit 41076e5
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -24,6 +24,7 @@ jobs:
   publish:
     permissions:
       contents: "write"
+      id-token: "write"
     runs-on: "ubuntu-latest"
     steps:
       - uses: "actions/checkout@v4"
@@ -81,6 +82,7 @@ jobs:
         run: "pnpm publish --recursive ${{  github.event.inputs.stable_release == 'true' && ' ' || '--tag next' }}"
         env:
           NODE_AUTH_TOKEN: "${{ secrets.NPM_TOKEN }}"
+          NPM_CONFIG_PROVENANCE: "true"
 
       - name: "push"
         if: "github.event.inputs.skip_push == 'false'"