more secure npm publish

Author: dmattia

.github/workflows/ci.yml

@@ -1,6 +1,11 @@
 name: ci
 on: push
 
+permissions:
+  id-token: write
+  contents: read
+  packages: write
+
 jobs:
   build-and-upload-artifacts:
     runs-on: ubuntu-latest
@@ -17,10 +22,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Use Node.js 14.x
-        uses: actions/setup-node@v1
+      - name: Use Node.js 22.x
+        uses: actions/setup-node@v6
         with:
-          node-version: 14.x
+          node-version: 22.x
       - run: yarn pnpify depcheck
 
   run-pre-commits:
@@ -30,11 +35,11 @@ jobs:
         with:
           fetch-depth: 100 # need the history to do a changed files check below (source, origin)
       - uses: actions/setup-python@v2
-      - name: Use Node.js 14.x
-        uses: actions/setup-node@v1
+      - name: Use Node.js 22.x
+        uses: actions/setup-node@v6
         with:
-          node-version: 14.x
-      - uses: pre-commit/action@v2.0.2
+          node-version: 22.x
+      - uses: pre-commit/action@v3.0.0
         with:
           extra_args: --source ${{ github.event.pull_request.base.sha || 'HEAD~1' }} --origin ${{ github.event.pull_request.head.sha || 'HEAD' }}
 
@@ -50,13 +55,13 @@ jobs:
         uses: actions/checkout@v2
       - uses: actions/setup-node@v2
         with:
-          node-version: '14.x'
+          node-version: '22.x'
       - name: Configure NPM authentication
         run: |
           yarn config set npmAlwaysAuth true
           yarn config set npmAuthToken ${{ secrets.NPM_TOKEN }}
       - name: Publish to yarn/npm
-        run: yarn npm publish
+        run: yarn npm publish --provenance
 
   build-to-github-packages:
     if: github.ref == 'refs/heads/main'