Setup NPM provenance statements

.github/workflows/changesets.yml

@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'shopify'
     name: Changelog PR or Release
+    permissions:
+      id-token: write
     outputs:
       published: ${{ steps.changesets.outputs.published }}
       # A JSON array to present the published packages. The format is [{"name": "@xx/xx", "version": "1.2.0"}, {"name": "@xx/xy", "version": "0.8.9"}]
@@ -63,6 +65,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
   compile:
     needs: changelog

.github/workflows/next-release.yml

@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     # don't run if a commit message with [ci] release is present. The release workflow will do the release
     if: github.repository_owner == 'shopify' && !startsWith(github.event.head_commit.message, '[ci] release')
+    permissions:
+      id-token: write
     outputs:
       NEXT_VERSION: ${{ steps.version.outputs.NEXT_VERSION }}
     steps:
@@ -60,6 +62,7 @@ jobs:
           npm run version:post
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - name: 🏗 Build
         if: steps.version.outputs.NEXT_VERSION

.github/workflows/snapit.yml

@@ -10,6 +10,8 @@ jobs:
     name: Snapit
     if: ${{ github.event.issue.pull_request && github.event.comment.body == '/snapit' }}
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       # WARNING: DO NOT RUN ANY CUSTOM LOCAL SCRIPT BEFORE RUNNING THE SNAPIT ACTION
       # This action can be executed by 3rd party users and it should not be able to run arbitrary code from a PR.
@@ -29,3 +31,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true