ci: add check-provenance workflow

Author: Rel1cx

.github/workflows/check-provenance.yml

@@ -0,0 +1,30 @@
+name: Check Provenance
+on:
+  push:
+    branches:
+      - main
+      - "2.0.0"
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+    branches:
+      - main
+      - "2.0.0"
+permissions:
+  contents: read
+jobs:
+  check-provenance:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Check provenance downgrades
+        uses: danielroe/provenance-action@main
+        id: check
+        with:
+          fail-on-provenance-change: true # optional, default: false
+          lockfile: pnpm-lock.yaml # optional
+          #   base-ref: origin/main         # optional, default: origin/main
+          fail-on-downgrade: true # optional, default: true
+      - name: Print result
+        run: "echo 'Downgraded: ${{ steps.check.outputs.downgraded }}'"

.github/workflows/check.yml

@@ -2,7 +2,7 @@ name: Check
 on:
   push:
     branches:
-      - main
+      - "**"
   pull_request:
     types: [opened, edited, reopened, synchronize]
     branches:

.github/workflows/publish.yml

@@ -4,8 +4,6 @@ on:
     branches:
       - main
       - "2.0.0"
-      - "2.0.0-beta"
-      - "2.0.0-next"
     tags-ignore:
       - "**"
     paths-ignore:

.github/workflows/test.yml

@@ -3,7 +3,7 @@ on:
   push:
     branches:
       - main
-      - "2.0.0-next"
+      - "2.0.0"
   pull_request:
     types: [opened, edited, reopened, synchronize]
     branches: