Enable Publish Attestation

Enable provenance on the NPM publish command so that attestation data is available in the NPM public registry to reduce the risk of a supply chain attack.
gajus · Sep 18, 2024 · 239d69a · 239d69a
1 parent e7ab475
commit 239d69a
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -1,8 +1,20 @@
+name: Build and release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  # Grant Permissions to the GH Token to capture attestation information from the GH agent
+  id-token: write
+
 jobs:
   release:
+    name: Release
     runs-on: ubuntu-latest
     environment: release
-    name: Release
+
     steps:
       - uses: pnpm/action-setup@v4
         with:
@@ -21,8 +33,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-name: Build and release
-on:
-  push:
-    branches:
-      - main
+          NPM_CONFIG_PROVENANCE: true
+