From 18c1183e94fa0c4b01639163384dbc6c1ec10c56 Mon Sep 17 00:00:00 2001
From: Jakub Pavlik
Date: Thu, 7 Nov 2024 17:05:45 +0100
Subject: [PATCH] Enable supply chain security through npm provenance attestation

- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs
---
 .github/workflows/release.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 70d4f2a991..3247b47b7d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,10 @@ jobs:
 env:
 NETLIFY_BASE: 'videojs-preview.netlify.app'
 runs-on: ubuntu-latest
+ permissions:
contents: read
id-token: write # Required for provenance
packages: write # Required for publishing
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -37,7 +41,7 @@ jobs:
 # publish runs build for us via a prepublishOnly script
 - name: npm release
- run: npm publish --tag next
+ run: npm publish --provenance --tag next
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
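Review bot: `packages: write` in the new `permissions:` block grants more than this job appears to use: the release step authenticates to the npm registry with `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}`, `npm publish --provenance` needs only `id-token: write`, and `packages: write` is the scope for GitHub Packages, so unless a step outside this hunk pushes there the line should be dropped, leaving `permissions:` / `contents: read` / `id-token: write  # mints the OIDC token that --provenance signs with`. The grant is job-wide, so every step in the job (Checkout and anything between it and the release step, not all shown here) can request an OIDC token, and the provenance attests the workflow run, not the long-lived `NPM_TOKEN`, which remains the credential to protect; the commit's third bullet about "integrity verification" is not something this hunk does — verification happens on the consumer side. `--provenance` also fails the publish unless npm is 9.5 or newer and package.json's `repository.url` matches this repository, neither of which the change checks; a comment above the step such as `# --provenance needs npm >= 9.5 and package.json repository.url matching this repo` would save the next person a failed release. Minor style point: yamllint wants two spaces before inline `#` comments on the `id-token` and `packages` lines.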