feat: enable release attestation through GitHub Actions (#1651)

tediousjs · Aug 17, 2024 · cf4c99b · cf4c99b
1 parent f405eab
commit cf4c99b
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,6 +8,11 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     steps:
     - uses: actions/checkout@v4.1.7
 
@@ -16,7 +21,8 @@ jobs:
       with:
         node-version: 18
         cache: 'npm'
-
+    - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+      run: npm audit signatures
     - name: Tag latest release
       run: |
         echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc