Hey, thanks for the amazing package and recent update!
In this PR, we add provenance statements to package releases using npm. Find out about provenance here: https://docs.npmjs.com/generating-provenance-statements#about-npm-provenance
We now benefit from attestation, so that the published package can be verified and checked if it was actually built on a GitHub Runner, came from this repository and not on somebody's local machine. This is a great improvement for the trust relationship with users downloading the package and to increase supply-chain security for ziggy with little effort.
To do so, we also specify the permissions and allow the action to mint a unique ID token for the attestation, as described in the docs 0.
Additionally, we also constrain the general permissions to the least possible.
Also fixed two yamllint indentation issues.
Thank you!
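A publish workflow wired the way the PR describes (least-privilege defaults plus `id-token: write` for the provenance attestation), as an added example and not the PR's own diff; the workflow name, trigger, job layout, Node version and the `NPM_TOKEN` secret name are assumptions, while the package name ziggy comes from the PR.

```yaml
# Added example, not the PR's diff. Workflow name, trigger, job name and
# secret name are assumptions.
name: publish

on:
  release:
    types: [published]

# Workflow-level default: read-only. Nothing here may write to the repo,
# issues, packages or pull requests unless a job opts in explicitly.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # needed for checkout only
      id-token: write   # lets this job mint the OIDC token that npm/Sigstore
                        # bind into the provenance attestation
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      - run: npm ci
      - run: npm test

      # --provenance makes npm request the ID token, generate a provenance
      # statement tying the tarball to this repository, commit and runner,
      # and publish that statement alongside the package. Without
      # id-token: write above this step fails.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Consumers can check that installed versions carry a valid provenance statement with `npm audit signatures` (npm 9.5 or newer), which also flags any dependency whose registry signature does not verify.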