Merge pull request #16 from openfetch-js/pr/supply-chain-metadata

Pr/supply chain metadata

Author: hamdymohamedak

.github/SECURITY.md

@@ -0,0 +1,12 @@
+# Security policy
+
+The full threat model, SSRF/cache/retry guidance, and local security checks live in [`SECURITY.md`](../SECURITY.md) at the repository root (also shipped on npm).
+
+## Reporting a vulnerability
+
+Please do **not** open a public issue for undisclosed security defects.
+
+- Prefer a [GitHub private security advisory](https://github.com/openfetch-js/OpenFetch/security/advisories/new) for this repository, or
+- Contact the maintainer privately if you cannot use GitHub advisories.
+
+Include enough detail to reproduce or reason about impact. We aim to acknowledge valid reports and coordinate disclosure after a fix is available.

.github/workflows/publish.yml

@@ -0,0 +1,34 @@
+# Publishes to npm using trusted publishing (OIDC). On npmjs.com, trusted publisher must
+# reference this repo: https://github.com/openfetch-js/OpenFetch and workflow file: publish.yml
+# Requires: npm CLI >= 11.5.1, Node >= 22.14 (see https://docs.npmjs.com/trusted-publishers )
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Upgrade npm for trusted publishing
+        run: npm install -g npm@^11.5.1
+
+      - run: npm ci
+      - run: npm test
+
+      # No NODE_AUTH_TOKEN: authentication is OIDC when trusted publishing is enabled.
+      # Provenance is generated automatically for trusted publishing from GitHub Actions.
+      - run: npm publish

package.json

@@ -41,17 +41,46 @@
   "keywords": [
     "fetch",
     "http",
+    "http-client",
+    "https",
+    "rest",
+    "rest-client",
+    "api-client",
     "middleware",
+    "interceptors",
+    "retry",
+    "timeout",
+    "cache",
+    "typescript",
+    "esm",
     "rsc",
     "react-server-components",
-    "universal"
+    "nextjs",
+    "nodejs",
+    "bun",
+    "deno",
+    "cloudflare-workers",
+    "edge",
+    "browser",
+    "isomorphic",
+    "universal",
+    "zero-dependencies",
+    "fluent",
+    "abortcontroller",
+    "axios-alternative",
+    "ky-alternative",
+    "openfetch"
   ],
   "license": "MIT",
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/openfetch-js/OpenFetch.git"
   },
-  "homepage": "https://hamdymohamedak.github.io/openfetch-docs/",
+  "homepage": "https://openfetch-js.github.io/openfetch-docs/",
   "bugs": {
     "url": "https://github.com/openfetch-js/OpenFetch/issues"
   },