chore: Publish to NPM with provenance (#2276)

* chore: Publish to NPM with provenance

The release process in this repository is already automated via
GitHub Actions, which is a great first step toward creating trust in the
supply chain. Recently, NPM has started to support publishing with the
`--provenance` flag. This flag creates a link between the GitHub Actions
run that created the release and the final artifact on NPM. This linkage
further ensures that package installs can be traced back to a specific
code revision.

For more information on publishing with provenance, please refer to:
https://github.blog/2023-04-19-introducing-npm-package-provenance/

* chore: Use Node.js 18 for publishing to support provenance

Author: meyfa

.github/workflows/npm-publish.yml

@@ -5,20 +5,23 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
+      id-token: write
     steps:
-    - name: Setup Node.js 14
-      uses: actions/setup-node@v2-beta
+    - name: Setup Node.js 18
+      uses: actions/setup-node@v3
       with:
-        node-version: 14
+        node-version: 18
         check-latest: true
         registry-url: https://registry.npmjs.org/
     - name: Checkout Repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Install Dependencies
       run: npm install
     - name: Run Tests
       run: npm test
     - name: Publish Package to NPM Registry
-      run: npm publish
+      run: npm publish --provenance
       env:
         NODE_AUTH_TOKEN: ${{secrets.NPM_SECRET}}