From cf4c99bf2869709a1ba7e5154239e6ff2cd631a2 Mon Sep 17 00:00:00 2001
From: Michael Sun <47126816+MichaelSun90@users.noreply.github.com>
Date: Sat, 17 Aug 2024 04:31:09 -0700
Subject: [PATCH] feat: enable release attestation through GitHub Actions (#1651)
---
 .github/workflows/release.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 20655fad5..5bad83fcf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,11 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance
 steps:
 - uses: actions/checkout@v4.1.7
@@ -16,7 +21,8 @@ jobs:
 with:
 node-version: 18
 cache: 'npm'
-
+ - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+ run: npm audit signatures
 - name: Tag latest release
 run: |
 echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
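Review bot: The `id-token: write` grant in the new `permissions` block is justified as enabling OIDC for npm provenance, but neither hunk turns provenance on: the visible publish step still writes `NPM_TOKEN` to `~/.npmrc`, and no `--provenance` flag or `NPM_CONFIG_PROVENANCE` variable appears. Unless `publishConfig.provenance` is already set in package.json (not visible here), the job gains the right to request OIDC tokens without any attestation being published; setting `NPM_CONFIG_PROVENANCE: "true"` in the `env` of the publishing step would make the intent explicit. The block is job-wide, so every step in `release`, including dependency installation, runs with these write scopes; if building can be separated from publishing, a dedicated publish job would narrow that. The job's step list continues outside the hunk.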
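Review bot: The `npm audit signatures` step is inserted directly after the `setup-node` step, and no install is visible between them; the command verifies packages in the installed tree, so if `npm ci` only runs inside the later `Tag latest release` script, there is nothing to check at this point and the step will likely fail or verify nothing. An explicit install immediately before it would make the check meaningful, and, if the project can install without lifecycle scripts, `- run: npm ci --ignore-scripts` keeps dependency scripts from running before their signatures have been verified. The step name is also long for the Actions log; `Verify dependency signatures and attestations` says the same. The `run: |` script of `Tag latest release` appears to continue past the end of the hunk.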