chore(ci): enable npm package provenance (#5004)

ltm · web-flow · commit 0a037e1ec4f3 · 2023-04-27T16:42:42.000-04:00
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -5,33 +5,35 @@ on:
     branches:
       - stable
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   build:
     name: Build, Test, and Deploy
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ~/.npmrc
-      - uses: actions/setup-node@v3
-        with:
-          node-version: 16.x
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Restore Dependency Cache
-        uses: actions/cache@v3
+      - uses: actions/setup-node@v3
         with:
-          path: ~/.npm
-          key: ${{ runner.OS }}-dependency-cache-${{ hashFiles('**/package.json') }}
+          node-version: 16
+          registry-url: https://registry.npmjs.org/
+          cache: npm
+          cache-dependency-path: '**/package.json'
       - run: npm install
       - run: npm run bootstrap
-      - run: npm run publish:ci -- --yes
+      - run: npm run publish:ci
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
           GIT_AUTHOR_NAME: Ionitron
           GIT_AUTHOR_EMAIL: hi@ionicframework.com
           GIT_COMMITTER_NAME: Ionitron
           GIT_COMMITTER_EMAIL: hi@ionicframework.com
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Sleep while npm takes its time
         run: sleep 20
       - name: GitHub Container Registry Login
diff --git a/package.json b/package.json
@@ -14,7 +14,7 @@
     "docs": "node packages/cli-scripts/bin/ionic-cli-scripts docs",
     "docs:watch": "chokidar 'packages/cli-scripts/dist/docs/**/*.js' -c 'npm run docs'",
     "publish:testing": "lerna publish prerelease --preid=testing --exact --no-git-tag-version --no-push --dist-tag=testing",
-    "publish:ci": "lerna publish -m 'chore(release): publish [skip ci]' --exact --conventional-commits --no-verify-access"
+    "publish:ci": "lerna version -m 'chore(release): publish [skip ci]' --exact --conventional-commits --yes && lerna exec --since HEAD~ -- npm publish --provenance"
   },
   "devDependencies": {
     "chokidar-cli": "^2.0.0",
