From 2253a771546e616554851723de5d59172319b3ca Mon Sep 17 00:00:00 2001
From: Fabian Meyer <3982806+meyfa@users.noreply.github.com>
Date: Sat, 27 Apr 2024 16:05:25 +0200
Subject: [PATCH] chore: Publish to NPM with provenance (#2276)

* chore: Publish to NPM with provenance

The release process in this repository is already automated via GitHub Actions, which is a great first step toward creating trust in the supply chain.

Recently, NPM has started to support publishing with the `--provenance` flag. This flag creates a link between the GitHub Actions run that created the release and the final artifact on NPM. This linkage further ensures that package installs can be traced back to a specific code revision.

For more information on publishing with provenance, please refer to: https://github.blog/2023-04-19-introducing-npm-package-provenance/

* chore: Use Node.js 18 for publishing to support provenance
---
 .github/workflows/npm-publish.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index b4b62f1b9..ccc202ca2 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -5,20 +5,23 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
+      id-token: write
     steps:
-      - name: Setup Node.js 14
-        uses: actions/setup-node@v2-beta
+      - name: Setup Node.js 18
+        uses: actions/setup-node@v3
         with:
-          node-version: 14
+          node-version: 18
           check-latest: true
           registry-url: https://registry.npmjs.org/
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Install Dependencies
         run: npm install
       - name: Run Tests
         run: npm test
       - name: Publish Package to NPM Registry
-        run: npm publish
+        run: npm publish --provenance
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_SECRET}}
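Review bot: Both actions the publish job now references are pinned to mutable tags (`uses: actions/setup-node@v3`, `uses: actions/checkout@v3`) while the same job holds `id-token: write` and the `NPM_SECRET` publish token, so a moved tag would execute unreviewed code with those credentials and the resulting provenance attestation would still look legitimate; pin each to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`. The unchanged `run: npm install` step resolves dependencies afresh instead of installing exactly what the lockfile records, which weakens the reproducibility the provenance link is meant to document; `run: npm ci` is the usual choice in a release job. Provenance also requires a sufficiently recent npm (9.5 or later); `check-latest: true` on Node 18 presumably yields one, but that is worth confirming rather than assuming from the runner image. The workflow trigger under `on:` lies outside this hunk, so whether the job can be reached from untrusted events cannot be judged here.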