fix(ci): add npm provenance to release publish

SavioBS629 · claude · SavioBS629 · commit ce76c82b651f · 2026-05-29T15:51:17.000+05:30
Adds --provenance to the npm publish step and the required id-token: write
permission. Attaches a signed attestation to the published package so
consumers can verify it was built by this exact workflow on this repo.
Defends against trojaned releases via a compromised maintainer machine
or NPM_TOKEN.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -5,6 +5,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   publish:
@@ -99,7 +100,7 @@ jobs:
         run: git push origin ${{ steps.get_version.outputs.version }}
 
       - name: "Publish to NPM"
-        run: npm publish --access public
+        run: npm publish --access public --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
