feat: add npm package provenance

Ref: https://github.blog/2023-04-19-introducing-npm-package-provenance/
theoludwig · May 13, 2023 · ef56353 · ef56353 · vercel · May 13, 2023
1 parent 882416c
commit ef56353
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,11 @@ on:
 jobs:
   build:
     runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'write'
+      issues: 'write'
+      pull-requests: 'write'
+      id-token: 'write'
     steps:
       - uses: 'actions/checkout@v3.5.2'
 
@@ -22,6 +27,9 @@ jobs:
       - name: 'Build Package'
         run: 'npm run build'
 
+      - name: 'Verify the integrity of provenance attestations and registry signatures for installed dependencies'
+        run: 'npm audit signatures'
+
       - name: 'Release'
         run: 'npm run release'
         env:

diff --git a/.npmrc b/.npmrc
@@ -1 +1,2 @@
 save-exact=true
+provenance=true
diff --git a/package.json b/package.json
@@ -23,6 +23,10 @@
   "files": [
     "dist"
   ],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "scripts": {
     "build": "tsup",
     "test": "jest",