ci(dependencies): audited signatures and provenance attestations of installed packages

Author: travi

.github/workflows/release.yml

@@ -23,7 +23,8 @@ jobs:
         with:
           cache: npm
           node-version: lts/*
-      - run: npm ci
+      - run: npm clean-install
+      - run: npm audit signatures
       - run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -36,6 +36,7 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: npm
       - run: npm clean-install
+      - run: npm audit signatures
       - name: Ensure dependencies are compatible with the version of node
         run: npx ls-engines
       - run: npm run test:ci