From e23ff621571c85dabd4e8be6029fd4cdcf489ae8 Mon Sep 17 00:00:00 2001
From: saibotk
Date: Thu, 26 Oct 2023 18:20:38 +0200
Subject: [PATCH] ci: Enable provenance for npm package

This change adds the --provenance flag to npm publish. We now benefit from attestation, that the published package on npm was actually build on a GitHub Runner and not on somebodys local machine. This is a great improvement for the trust relationship with users downloading the package and to increase supply-chain security for ziggy. To do so, we also specify the permissions and allow the action to mint an unique ID token for the attestation, as described in the docs [0]. Additionally we also constrain the general permissions to the least possible. Also fixed two yamllint indentation issues.
[0]: https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow
---
 .github/workflows/release.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9cdb8169..a1b744d1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ jobs:
 publish:
 name: Publish
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - uses: actions/checkout@v4
 # Set up .npmrc file to publish to npm
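Review bot: The new `permissions` block narrows the job token correctly, but the job still resolves `actions/checkout@v4` by a mutable tag, which leaves the supply-chain posture this commit is aiming for weaker than it needs to be; a job that can mint an OIDC token and publish to npm should pin each action to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`. The same applies to the two `actions/github-script@v3` steps in the second hunk. A short comment above the block, e.g. `# id-token: write lets npm publish --provenance obtain the OIDC token used for the attestation`, would keep the next maintainer from dropping it when tightening permissions further. The rest of the job's steps continue outside this hunk.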
@@ -23,14 +26,14 @@ jobs:
 if: format('v{0}', steps.package-json-version.outputs.version) != github.event.release.tag_name
 uses: actions/github-script@v3
 with:
- script: core.setFailed('Release tag does not match package.json version!')
+ script: core.setFailed('Release tag does not match package.json version!')
 # Abort if this is a pre-release and the version in the package.json file doesn't contain a '-' to indicate that (e.g. v2.0.0-beta.1), or vice-versa
 - name: Check package.json version against pre-release
 if: contains(steps.package-json-version.outputs.version, '-') != github.event.release.prerelease
 uses: actions/github-script@v3
 with:
- script: core.setFailed('Stability of release tag does not match package.json version!')
+ script: core.setFailed('Stability of release tag does not match package.json version!')
 # If this is a pre-release, publish it to NPM under the 'next' tag (default is 'latest')
- - run: npm publish ${{ github.event.release.prerelease && '--tag next' || '' }}
+ - run: npm publish --provenance ${{ github.event.release.prerelease && '--tag next' || '' }}
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
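Review bot: `npm publish --provenance` on the changed `run:` line depends on prerequisites this hunk does not show: the npm CLI on the runner must support the flag (it was introduced in npm 9.5.0, so the Node/npm chosen by the setup step outside this hunk has to be recent enough), and, as far as I know, npm also validates that the `repository` field in package.json matches the repository the workflow runs from and fails the publish otherwise. Both are worth confirming before the next tagged release, because a mismatch only surfaces at publish time. Recording the requirement inline would help, e.g. `# --provenance requires npm >= 9.5.0 and a package.json "repository" URL that matches this repo`. Separately, `actions/github-script@v3` is an old major whose runtime is deprecated on GitHub-hosted runners; upgrading it (pinned by commit SHA) fits the hardening goal of this change.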