fix: add npm provenance and fix core peer dependency version

Add --provenance flag to npm publish for supply chain security. Add id-token: write permission to release workflow for OIDC-based provenance attestation. Fix MIN_CORE_VERSION to dynamically use current version instead of hardcoded ^8.0.2.
2026-05-02 00:07:23 +08:00 · 2026-03-21 16:04:30 -07:00
parent d45a4f766c
commit 6453f2ab78
2 changed files with 6 additions and 2 deletions
@@ -9,6 +9,7 @@ permissions:
  contents: write
  pull-requests: write
  issues: write
+  id-token: write

 jobs:
  release-please:
@@ -30,6 +31,9 @@ jobs:
    runs-on: ubuntu-latest
    needs: release-please
    if: ${{ needs.release-please.outputs.release_created }}
+    permissions:
+      contents: read
+      id-token: write
    steps:
      - uses: actions/checkout@v4.3.1