From eab0512a801a58f98f2c719cfbbb369462af6611 Mon Sep 17 00:00:00 2001
From: Matt Travi
Date: Fri, 28 Apr 2023 16:50:56 -0500
Subject: [PATCH] ci(signatures): audited provenance and signatures of installed packages

---
 .github/workflows/release.yml | 3 ++-
 .github/workflows/test.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0560604..cf6a4e0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,8 @@ jobs:
         with:
           cache: npm
           node-version: lts/*
-      - run: npm ci
+      - run: npm clean-install
+      - run: npm audit signatures
       - run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f56c1ba..2b8ae36 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,7 +30,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
-      - run: npm ci
+      - run: npm clean-install
       - run: npm run test:ci
 
 # separate job to set as required in branch protection,
@@ -45,6 +45,7 @@ jobs:
           node-version: "lts/*"
           cache: npm
       - run: npm clean-install
+      - run: npm audit signatures
       - name: Ensure dependencies are compatible with the version of node
         run: npx ls-engines
       - run: npm run lint
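Review bot: The new `npm audit signatures` step runs only after `npm clean-install` has completed, and by then any preinstall/install/postinstall lifecycle script of a tampered package has already executed on the runner, so the check can detect the tampering but not prevent the code from running; the same ordering appears in the test.yml hunk at @@ -45. A defensive ordering that keeps the check meaningful is `- run: npm clean-install --ignore-scripts`, `- run: npm audit signatures`, `- run: npm rebuild` (which, as I recall, re-runs the skipped lifecycle scripts for the now-verified tree). Also worth noting in a comment above the step that, to my recollection, packages with no registry signature are only reported as missing rather than failing the step, so the gate is only as strong as the registry's signing coverage. The enclosing job definition and its steps list begin above the hunk.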
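Review bot: The matrix test job is switched to `npm clean-install` but gains no `npm audit signatures` step, so `npm run test:ci` still executes against dependencies that this job never verifies, while the lint job in the same file does verify them. If the omission is deliberate, for example because some matrix Node versions bundle an npm older than the one that introduced `audit signatures` (npm 8.13, as I recall), a one-line comment above the step saying so would stop a reader from treating it as an oversight; otherwise adding `- run: npm audit signatures` after the clean-install here keeps the two jobs consistent. The matrix job definition starts above the hunk.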