npm checkmark

1. In package.json, make sure repository.url is set to your repository’s URL.

     "repository": {
       "url": "git+https://github.com/dtinth/-.-"
     }

2. Update your GitHub Actions workflow job.

   • Make sure it has the id-token: write permission.
   • Set environment variable NPM_CONFIG_PROVENANCE=true.

   jobs:
     release:
       name: Release
       runs-on: ubuntu-latest
       permissions:
         id-token: write
         contents: write
         packages: write
         pull-requests: write
         issues: read
       env:
         NPM_CONFIG_PROVENANCE: true

Further reading

• Brian DeHamer, Philip Harrison (2023). “Introducing npm package provenance.” GitHub Blog.
• “Generating provenance statements.” npm Docs.