ci: enable npm provenance (TanStack#7716)

* ci: enable npm provenance

* Update @tanstack/config

Author: lachlancollins

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ on:
         description: override release tag
         required: false
   push:
-    branches: ['main', 'alpha', 'beta', 'rc', 'v4']
+    branches: [main, alpha, beta, rc, v4]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
@@ -16,6 +16,10 @@ concurrency:
 env:
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   test-and-publish:
     name: Test & Publish
@@ -42,7 +46,7 @@ jobs:
           npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"
           pnpm run cipublish
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           TAG: ${{ inputs.tag }}
       - name: Upload coverage to Codecov

.github/workflows/pr.yml

@@ -12,6 +12,9 @@ concurrency:
 env:
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
@@ -28,8 +31,8 @@ jobs:
       - name: Get base and head commits for `nx affected`
         uses: nrwl/nx-set-shas@v4
         with:
-          main-branch-name: 'main'
-      - name: Run Tests
+          main-branch-name: main
+      - name: Run Checks
         run: pnpm run test:pr --parallel=3
       - name: Stop Nx Agents
         if: ${{ always() }}

.npmrc

@@ -1,2 +1,3 @@
 link-workspace-packages=true
 prefer-workspace-packages=true
+provenance=true

.nvmrc

@@ -1 +1 @@
-v22.2.0
+22.4.0

package.json

@@ -42,7 +42,7 @@
     "@cspell/eslint-plugin": "^8.9.1",
     "@eslint-react/eslint-plugin": "^1.5.16",
     "@solidjs/testing-library": "^0.8.8",
-    "@tanstack/config": "^0.9.0",
+    "@tanstack/config": "^0.9.6",
     "@testing-library/jest-dom": "^6.4.5",
     "@testing-library/react": "^15.0.7",
     "@types/node": "^20.12.12",