fix: add provenance

Author: stipsan

.github/workflows/format-if-needed.yml

@@ -0,0 +1,41 @@
+---
+name: Auto format
+
+on:
+  push:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read # for checkout
+
+jobs:
+  run:
+    name: Can the code be formatted? 🤔
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: lts/*
+      - run: corepack enable && pnpm --version
+      - run: pnpm install --ignore-scripts
+      - run: pnpm format
+      - run: git restore .github/workflows
+      - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.ECOSCRIPT_APP_ID }}
+          private_key: ${{ secrets.ECOSCRIPT_APP_PRIVATE_KEY }}
+      - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5
+        with:
+          author: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
+          body: I ran `pnpm format` 🧑‍💻
+          branch: actions/format
+          commit-message: 'chore(format): 🤖 ✨'
+          labels: 🤖 bot
+          title: 'chore(format): 🤖 ✨'
+          token: ${{ steps.generate-token.outputs.token }}

.github/workflows/test.yml .github/workflows/main.yml

@@ -8,18 +8,39 @@ on:
       - beta
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read # for checkout
+
 jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Lint & Build
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: lts/*
+      - run: corepack enable && pnpm --version
+      - run: pnpm install
+      - run: pnpm type-check
+      - run: pnpm lint
+      - run: pnpm build
+
   test:
     runs-on: ${{ matrix.platform }}
     name: Node.js ${{ matrix.node-version }} / ${{ matrix.platform }}
     strategy:
       fail-fast: false
       matrix:
-        platform: [ubuntu-latest]
-        node-version: [lts/*, current]
+        platform: [macos-latest, ubuntu-latest, windows-latest]
+        node-version: [lts/*]
         include:
-          - platform: macos-latest
-            node-version: lts/*
+          - platform: ubuntu-latest
+            node-version: current
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
@@ -28,11 +49,15 @@ jobs:
       - run: corepack enable && pnpm --version
       - run: pnpm install
       - run: pnpm test
-      - run: pnpm lint
 
   release:
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     name: 'Semantic release'
-    needs: test
+    needs: [build, test]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -53,8 +78,13 @@ jobs:
       # Build docs
       - run: npm run docs:build
       # Deploy docs
+      - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.ECOSCRIPT_APP_ID }}
+          private_key: ${{ secrets.ECOSCRIPT_APP_PRIVATE_KEY }}
       - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
         if: ${{ github.ref == 'refs/heads/main' }}
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.generate-token.outputs.token }}
           publish_dir: ./docs

package.json

@@ -148,6 +148,7 @@
     "node": "^14.13.1 || >=16.0.0"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   }
 }