Support publishing packages with provenance (#1161)

By enabling the `--provenance` flag during `npm publish`, our package
now includes a verifiable record of its build process, enhancing supply
chain security. This helps others confirm the authenticity and integrity
of the package, ensuring greater trustworthiness in the ecosystem.

See
-
https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
-
https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/

Author: Yang-33

.github/workflows/release.yml

@@ -10,6 +10,11 @@ on:
 
 jobs:
   release-package:
+    permissions:
+      contents: read
+      id-token: write
+      issues: write
+
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4

package.json

@@ -46,7 +46,7 @@
     "docs:build": "vitepress build docs",
     "docs:preview": "vitepress preview docs",
     "apidocs": "typedoc --excludePrivate --plugin typedoc-plugin-markdown --out docs/apidocs lib/index.ts",
-    "release": "npm run build && npm publish --access public"
+    "release": "npm run build && npm publish --provenance --access public"
   },
   "repository": {
     "type": "git",