From b35e8d4c19a0713682d3fe8f08e2d58dd88c986d Mon Sep 17 00:00:00 2001 From: Jakub Pavlik Date: Thu, 7 Nov 2024 09:58:14 +0100 Subject: [PATCH] Enable supply chain security through npm provenance attestation - Configure GitHub Actions workflow for secure publishing - Enable automatic provenance generation during npm publish - Add integrity verification through Sigstore transparency logs --- .github/workflows/deploy.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 886b2d3ab9..e2c9907164 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -12,6 +12,8 @@ env: permissions: contents: read + id-token: write # Required for provenance + packages: write # Required for publishing jobs: build: @@ -61,6 +63,6 @@ jobs: registry-url: "https://registry.npmjs.org" - name: Publish on npm - run: npm publish + run: npm publish --provenance env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
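Review bot: `packages: write` in the first hunk is not needed for this publish and widens the GITHUB_TOKEN beyond least privilege: the second hunk publishes to `registry-url: "https://registry.npmjs.org"` with `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}`, and the `packages` scope only governs GitHub Packages, so the inline comment "Required for publishing" is misleading. The `permissions:` block is also at workflow level, so `id-token: write` is granted to every job, including `build`, which has no reason to mint OIDC tokens. I would keep the top-level block as `contents: read` only and put `permissions:` / `  contents: read` / `  id-token: write` on the publishing job itself (its job header is outside both hunks). If the build step later needs to push anything, add that scope to that job rather than the workflow.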
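Review bot: `npm publish --provenance` in the second hunk only generates an attestation; nothing in this patch verifies one, so the "integrity verification" in the commit message is downstream work that consumers do with `npm audit signatures`, and the step deserves a comment saying so. The flag also turns a missing attestation into a hard publish failure, which presumably requires npm CLI 9.5+ and an OIDC-capable runner; the `setup-node` step that fixes the Node/npm version is outside the hunk, so please confirm it pins a version that satisfies this. I would add above the step: `# --provenance makes npm emit a Sigstore attestation tying this version to this workflow run; consumers verify it with 'npm audit signatures'. Needs npm >= 9.5 and id-token: write on this job.` Note that the long-lived NPM_TOKEN is still the publishing credential, so provenance does not by itself protect against that secret being leaked.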