provenance 2

.github/workflows/release.yml

@@ -13,6 +13,10 @@ jobs:
 
     continue-on-error: true
 
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
       - uses: actions/checkout@v4
 
@@ -33,19 +37,21 @@ jobs:
 
       - name: set git tag version
         run: |
+          # https://docs.npmjs.com/generating-provenance-statements
+          # This may not work properly. dynamic versioning may cause a problem.
           git config user.email "dummy@dummy"
           git config user.name "dummy"
           pnpm version from-git --allow-same-version --no-git-tag-version -ws || true
           pnpm format
 
       - name: deploy
-        run: pnpm publish --access=public --no-git-checks --recursive
+        run: NPM_CONFIG_PROVENANCE=true pnpm publish --access=public --no-git-checks --recursive
         if: github.event_name == 'release' && !github.event.release.prerelease
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: deploy (dry-run)
-        run: pnpm publish --access=public --no-git-checks --dry-run --recursive
+        run: NPM_CONFIG_PROVENANCE=true pnpm publish --access=public --no-git-checks --dry-run --recursive
         if: github.event_name != 'release' || github.event.release.prerelease
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}