fix: update package configuration to publish provenance data (#1652)

* fix: update package configuration to publish provenance data

* Move signature audit and permission configuration to the correct job.

Author: arthurschreiber

.github/workflows/nodejs.yml

@@ -380,6 +380,12 @@ jobs:
     if: ${{ github.event_name == 'push' }}
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
+
     steps:
     - uses: actions/[email protected]
 
@@ -391,6 +397,9 @@ jobs:
 
     - run: npm ci
 
+    - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+      run: npm audit signatures
+
     - env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/release.yml

@@ -8,11 +8,6 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
-    permissions:
-      contents: write # to be able to publish a GitHub release
-      issues: write # to be able to comment on released issues
-      pull-requests: write # to be able to comment on released pull requests
-      id-token: write # to enable use of OIDC for npm provenance
     steps:
     - uses: actions/[email protected]
 
@@ -21,8 +16,6 @@ jobs:
       with:
         node-version: 18
         cache: 'npm'
-    - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
-      run: npm audit signatures
     - name: Tag latest release
       run: |
         echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

package.json

@@ -38,7 +38,8 @@
     "node": ">=18"
   },
   "publishConfig": {
-    "tag": "next"
+    "tag": "next",
+    "provenance": true
   },
   "dependencies": {
     "@azure/core-auth": "^1.7.2",