Add NPM provenance publishing support

[yoavain]

User description

• Add registry-url to setup-node step to enable authenticated npm publishing
• Add --provenance flag to npm publish command for package provenance attestation

---

PR Type

Enhancement

---

Description

• Add registry-url configuration to setup-node for authenticated npm publishing

• Enable package provenance attestation with --provenance flag

---

Diagram Walkthrough

flowchart LR
  A["setup-node action"] -->|"add registry-url"| B["Authenticated npm registry"]
  C["npm publish command"] -->|"add --provenance flag"| D["Package provenance attestation"]

Loading

File Walkthrough

	Relevant files
Configuration changes	nodejs.yml Configure npm registry authentication and provenance          .github/workflows/nodejs.yml Added registry-url: 'https://registry.npmjs.org' to setup-node action configuration for authenticated npm publishing Modified npm publish command to include --provenance flag for package provenance attestation +2/-1

---

[yoavain]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Add missing permissions for provenance Add permissions: id-token: write to the workflow. This is required for npm publish --provenance to mint OIDC tokens and will prevent the publish step from failing. .github/workflows/nodejs.yml [106-107] -- name: Publish - run: npm publish --provenance +# In your workflow file, add the permissions block at the top level: +permissions: + id-token: write +# The rest of the workflow remains, including the publish step: +# ... + - name: Publish + run: npm publish --provenance +# ... + [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies that using npm publish --provenance requires id-token: write permissions for the job, which is missing in the workflow and would cause the publish step to fail.	High
More

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.04%. Comparing base (81339b3) to head (f10f964).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2367   +/-   ##
=======================================
  Coverage   94.04%   94.04%           
=======================================
  Files          19       19           
  Lines         336      336           
  Branches       51       52    +1     
=======================================
  Hits          316      316           
  Misses         20       20           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.