The npm publish command does not include the --provenance flag. Provenance attestation cryptographically links the published package to a specific source commit and workflow run, allowing consumers to verify where and how the package was built.
Add --provenance to the npm publish command. This requires the workflow (or the publishing job) to grant the id-token: write permission, which lets the runner request the OIDC token used to sign the attestation, and the publish step must run in a GitHub Actions environment.
Before:

    - name: Publish
      run: npm publish

After:

    permissions:
      id-token: write

    - name: Publish
      run: npm publish --provenance

References:
- npm Docs: Generating provenance statements.
- GitHub Blog: Introducing npm package provenance.