This PR:

- Removes Git credentials/SSH keys after checkout as a security precaution by setting `persist-credentials` to false. They are not used after the initial checkout, and this stops them from accidentally leaking through a script.
- Declares the minimum permissions for the workflows to run at the job level, following the principle of least privilege; see the related GitHub security post.
- Removes the `cache-dependency-path` param from the `actions/setup-node` action, as if `cache` is declared then it will use the default path anyway.
- Updates the `npm publish` script to publish with provenance to provide assurance that the published package was generated from this repo.
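For reference, the four changes above applied to a hypothetical publish workflow (an added illustration, not this PR's actual workflow file); the workflow name, trigger, Node version, `ubuntu-latest` runner and the `NPM_TOKEN` secret name are assumptions, and `id-token: write` is the permission GitHub requires for `npm publish --provenance` to obtain its OIDC token.

```yaml
# Hypothetical publish workflow, not the PR's own file. Comments mark the
# weaker setting each change replaces.
name: publish

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Job-level least privilege: before the change the job inherited the
    # repository's default token permissions. Only read the repo and mint
    # an OIDC token (needed for --provenance); no write access to contents.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Before: default (true) kept the token in .git/config, where any
          # later step or script could read it. It is not needed after checkout.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
          cache: npm
          # Removed: cache-dependency-path: package-lock.json
          # With `cache: npm` set, setup-node already uses the lockfile path.

      - run: npm ci
      - run: npm test

      # Before: npm publish
      # --provenance attaches a signed attestation tying the package to this
      # repository, workflow and commit, verifiable on the npm registry.
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # assumed secret name
```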