ci(npm): build + provenance in npm-publish workflow

Author: mahatmamahardhikach

.github/workflows/npm-publish.yml

@@ -11,6 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: write
+
+    env:
+      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
     steps:
       - name: Checkout repository
@@ -22,10 +26,14 @@ jobs:
           node-version: "20"
           cache: "npm"
           registry-url: https://registry.npmjs.org
+          scope: "@programinglive"
 
       - name: Install dependencies
         run: npm ci
 
+      - name: Build package
+        run: npm run build
+
       - name: Verify tag matches package version
         run: |
           EXPECTED_TAG="${GITHUB_REF#refs/tags/}"
@@ -36,6 +44,4 @@ jobs:
           fi
 
       - name: Publish to npm
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --provenance

README.md

@@ -295,6 +295,8 @@ This repository ships with `.github/workflows/npm-publish.yml`, which publishes
 1. Create an npm automation token with publish rights (`npm token create --read-only false`).
 2. In the repository settings, add a secret named **`NPM_TOKEN`** containing that token.
 3. Ensure your release process pushes tags after running `npm run release:<type>` so the workflow triggers.
+4. Confirm `npm run build` succeeds locally; the workflow runs the build before publishing so broken bundles block the release.
+5. GitHub provenance is enabled via `npm publish --provenance`. Leave GitHub Actions' default OIDC permissions enabled so the job can request an ID token.
 
 The workflow verifies that the tag version matches `package.json` before publishing and fails fast if they diverge.