From e1b156d4a3d346f374e84e6e76ed8c9623963072 Mon Sep 17 00:00:00 2001
From: Jakub Pavlik
Date: Thu, 14 Nov 2024 13:28:48 +0100
Subject: [PATCH] Enable supply chain security through npm provenance attestation
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs
---
 .github/workflows/publish.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 6dab32a..d91fc0a 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -7,6 +7,8 @@ on:
 permissions:
 contents: read
+ id-token: write # Required for provenance
+ packages: write # Required for publishing
 jobs:
 test:
@@ -28,6 +30,6 @@ jobs:
 with:
 node-version: 22.x
 registry-url: https://registry.npmjs.org/
- - run: npm publish
+ - run: npm publish --provenance
 env:
 NODE_AUTH_TOKEN: ${{secrets.npm_token}}
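Review bot: `packages: write # Required for publishing` in the first hunk grants more than this publish path uses: the second hunk publishes to registry.npmjs.org with `NODE_AUTH_TOKEN` from `secrets.npm_token`, and `--provenance` needs only `id-token: write`, while the `packages` scope of GITHUB_TOKEN matters only for GitHub Packages, which nothing in the patch targets. Unless the workflow also publishes to the GitHub registry outside these hunks, drop that line, or at least correct its comment so the next reader does not take it as a requirement. The `permissions:` block is also workflow-level, so the `test` job (its body lies outside the hunk) now runs with an OIDC-capable token it has no use for; moving `permissions: { contents: read, id-token: write }` under the publish job keeps `test` at `contents: read`. Also worth confirming, since it is not visible here, that `repository.url` in package.json matches this repository — npm refuses to publish with `--provenance` when it does not.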