fix: setup provenance

Author: stipsan

.github/workflows/main.yml

@@ -8,6 +8,9 @@ on:
       - beta
       - main
 
+permissions:
+  contents: read # for checkout
+
 jobs:
   test:
     runs-on: ${{ matrix.platform }}
@@ -31,6 +34,11 @@ jobs:
       - run: pnpm lint
 
   release:
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     name: 'Semantic release'
     needs: test
     runs-on: ubuntu-latest
@@ -51,10 +59,15 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       # Build docs
-      - run: npm run docs:build
+      - run: pnpm docs:build
+      - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.ECOSCRIPT_APP_ID }}
+          private_key: ${{ secrets.ECOSCRIPT_APP_PRIVATE_KEY }}
       # Deploy docs
       - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
         if: ${{ github.ref == 'refs/heads/main' }}
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.generate-token.outputs.token }}
           publish_dir: ./docs

package.json

@@ -145,6 +145,7 @@
     "node": "^14.13.1 || >=16.0.0"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   }
 }