Add npm provenance

ai · ai · commit 7abe1fdd1b88 · 2025-09-06T20:18:48.000Z
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -12,6 +12,16 @@ jobs:
     name: Check
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry.npmjs.org:443
+            *.sigstore.dev:443
       - name: Checkout the repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install pnpm
@@ -23,7 +33,6 @@ jobs:
         with:
           node-version: 24
           registry-url: 'https://registry.npmjs.org'
-          scope: caniuse-lite
       - name: Check caniuse-db version
         id: caniuse
         run: node ./check.js
@@ -52,9 +61,9 @@ jobs:
         run: node ./commit.js
       - name: Publish
         if: steps.caniuse.outputs.newVersion
-        run: ./node_modules/.bin/clean-publish &> publish.log
+        run: ./node_modules/.bin/clean-publish -- --provenance &> publish.log
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Check npm log
         if: steps.caniuse.outputs.newVersion
         run: node ./log.js
