chore: use npm provenance

Configures the npm provenance mechanism for the Github release workflow. The npm provenance assures consumers of JSON Forms that the libraries available on npmjs were actually produced by the JSON Forms project.
eclipsesource · Jan 10, 2024 · fce6b1e · fce6b1e
1 parent d7c15f0
commit fce6b1e
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -24,6 +24,7 @@ jobs:
   publish:
     permissions:
       contents: "write"
+      id-token: "write"
     runs-on: "ubuntu-latest"
     steps:
       - uses: "actions/checkout@v4"
@@ -81,6 +82,7 @@ jobs:
         run: "pnpm publish --recursive ${{  github.event.inputs.stable_release == 'true' && ' ' || '--tag next' }}"
         env:
           NODE_AUTH_TOKEN: "${{ secrets.NPM_TOKEN }}"
+          NPM_CONFIG_PROVENANCE: "true"
 
       - name: "push"
         if: "github.event.inputs.skip_push == 'false'"