
feat: add npm provenance statements for enhanced supply chain security #5014

Merged
tomiir merged 2 commits into main from feat/add-npm-provenance-statements on Sep 12, 2025

Conversation

Contributor

@bkrem bkrem commented Sep 12, 2025

Summary

This PR implements npm provenance statements across all publishable packages in the AppKit monorepo to enhance supply chain security.

Changes Made

  • 25 package.json files updated with publishConfig.provenance: true

    • All packages in /packages/ directory (19 packages)
    • All adapter packages in /packages/adapters/ (5 packages)
    • Main @reown/appkit package
    • Correctly skipped private packages (polkadot adapter, root package.json)
  • 3 GitHub Actions workflows updated with required permissions:

    • release-publish.yml - Added attestations: write
    • publish-prerelease.yml - Added attestations: write
    • release-canary.yml - Added full permissions block with id-token: write and attestations: write

Security Benefits

  • 🔐 Cryptographic proof that packages were built from this specific GitHub repository
  • 📋 SLSA-compliant provenance attestations using Sigstore signatures
  • 🛡️ Enhanced supply chain security for all published packages
  • No breaking changes to existing publishing workflow

Technical Details

  • Uses npm's built-in provenance feature (requires npm 9.5.0+, satisfied by Node 22.x)
  • Leverages GitHub's OIDC tokens for Sigstore certificate generation
  • Provides verifiable build attestations that consumers can validate
  • Compatible with existing Changesets-based publishing workflow

Test Plan

  • Verified JSON syntax with successful pnpm typecheck
  • Confirmed build process works with pnpm build
  • All package.json files maintain valid structure
  • GitHub Actions workflows pass syntax validation

What happens next

When packages are published via GitHub Actions, they will automatically include provenance statements that show exactly where and how they were built, enhancing trust and security for all AppKit consumers.

- Add publishConfig.provenance: true to all 25 publishable packages
- Update GitHub Actions workflows with required permissions:
  - attestations: write for artifact attestations
  - id-token: write for OIDC token generation (Sigstore signing)
- Enable SLSA-compliant cryptographic proof of package build origin
- Enhance supply chain security with verifiable build attestations

Affects: All @reown/appkit packages and adapters
Testing: Verified with successful pnpm typecheck and build

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
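As an added example (not code from this PR or the AppKit repository), a small Node.js check that enforces the two settings the PR description relies on: every non-private package.json carries publishConfig.provenance: true, and the publishing workflow grants both id-token: write and attestations: write. The package names and the workflow snippet are constructed samples.

```javascript
// Added example, not code from the PR or the AppKit repo. Inputs below are
// constructed samples standing in for the monorepo's package.json files and
// a release workflow.

// Classify one parsed package.json as the PR describes: private packages are
// skipped, every publishable package must set publishConfig.provenance: true.
function checkPackageProvenance(pkg) {
  if (pkg.private === true) return { name: pkg.name, status: "skipped-private" };
  const enabled = !!pkg.publishConfig && pkg.publishConfig.provenance === true;
  return { name: pkg.name, status: enabled ? "ok" : "missing-provenance" };
}

// npm provenance needs both permissions on the publishing job. This scans the
// workflow text line by line; a production check would parse the YAML instead.
function checkWorkflowPermissions(workflowText) {
  const found = { "id-token": false, attestations: false };
  for (const line of workflowText.split("\n")) {
    const m = line.match(/^\s*(id-token|attestations):\s*write\s*$/);
    if (m) found[m[1]] = true;
  }
  return found;
}

// Combine both checks into a list of problems a CI job could fail on.
function summarize(packages, workflowText) {
  const results = packages.map(checkPackageProvenance);
  const perms = checkWorkflowPermissions(workflowText);
  const problems = results
    .filter((r) => r.status === "missing-provenance")
    .map((r) => `${r.name}: publishConfig.provenance is not true`);
  if (!perms["id-token"]) problems.push("workflow: id-token: write is missing");
  if (!perms.attestations) problems.push("workflow: attestations: write is missing");
  return { results, perms, problems };
}

// Constructed samples: one compliant package, one private package (skipped),
// one publishable package that forgot the flag.
const samplePackages = [
  { name: "@example/appkit", publishConfig: { provenance: true } },
  { name: "@example/adapter-private", private: true },
  { name: "@example/adapter-foo", publishConfig: { access: "public" } },
];
const sampleWorkflow = [
  "permissions:",
  "  contents: write",
  "  id-token: write",
  "  attestations: write",
].join("\n");

console.log(JSON.stringify(summarize(samplePackages, sampleWorkflow), null, 2));
```

Run it over the real files by replacing the samples with the parsed package.json objects and the workflow text; the `problems` array is what a CI step would fail on.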
Copilot AI review requested due to automatic review settings September 12, 2025 15:42

changeset-bot bot commented Sep 12, 2025

⚠️ No Changeset found

Latest commit: 6978320

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



vercel bot commented Sep 12, 2025

The latest updates on your projects.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| appkit-basic-html | Ready | Preview | Comment | Sep 12, 2025 4:29pm |
| appkit-demo | Ready | Preview | Comment | Sep 12, 2025 4:29pm |
| appkit-gallery | Ready | Preview | Comment | Sep 12, 2025 4:29pm |
| appkit-laboratory | Ready | Preview | Comment | Sep 12, 2025 4:29pm |

10 Skipped Deployments

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| appkit-basic-example | Ignored | | | Sep 12, 2025 4:29pm |
| appkit-basic-sign-client-example | Ignored | | | Sep 12, 2025 4:29pm |
| appkit-basic-up-example | Ignored | | | Sep 12, 2025 4:29pm |
| appkit-ethers5-bera | Ignored | | | Sep 12, 2025 4:29pm |
| appkit-nansen-demo | Ignored | | | Sep 12, 2025 4:29pm |
| appkit-vue-solana | Ignored | | | Sep 12, 2025 4:29pm |
| appkit-wagmi-cdn-example | Ignored | | | Sep 12, 2025 4:29pm |
| ethereum-provider-wagmi-example | Ignored | | | Sep 12, 2025 4:29pm |
| next-wagmi-solana-bitcoin-example | Ignored | | | Sep 12, 2025 4:29pm |
| vue-wagmi-example | Ignored | | | Sep 12, 2025 4:29pm |

Contributor

Copilot AI left a comment


Pull Request Overview

This PR implements npm provenance statements across all publishable packages in the AppKit monorepo to enhance supply chain security by adding cryptographic proof that packages were built from this specific GitHub repository.

  • Adds publishConfig.provenance: true to 25 package.json files for all publishable packages
  • Updates GitHub Actions workflows with required permissions for provenance generation
  • Provides SLSA-compliant attestations using Sigstore signatures without breaking existing workflows

Reviewed Changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| packages/*/package.json | Added provenance configuration to 25 publishable packages |
| .github/workflows/release-publish.yml | Added attestations write permission for provenance |
| .github/workflows/publish-prerelease.yml | Added attestations write permission for provenance |
| .github/workflows/release-canary.yml | Added full permissions block with id-token and attestations write |


Contributor

github-actions bot commented Sep 12, 2025

Warnings
⚠️ Changes were made to one or more package.json(s), but not to pnpm-lock.yaml
⚠️ Workflow file .github/workflows/publish-prerelease.yml has been modified
⚠️ Workflow file .github/workflows/release-canary.yml has been modified
⚠️ Workflow file .github/workflows/release-publish.yml has been modified

Generated by 🚫 dangerJS against 6978320

Contributor

github-actions bot commented Sep 12, 2025

Coverage Report

| Status | Category | Percentage | Covered / Total |
| --- | --- | --- | --- |
| 🔵 | Lines | 78.18% | 35526 / 45438 |
| 🔵 | Statements | 78.18% | 35526 / 45438 |
| 🔵 | Functions | 75.92% | 3897 / 5133 |
| 🔵 | Branches | 86.52% | 8419 / 9730 |

File Coverage: No changed files found.

Generated in workflow #15057 for commit 6978320 by the Vitest Coverage Report Action
