Add npm package provenance support (#256)

Enable supply chain security through npm provenance attestation.
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs

.github/workflows/release.yml

@@ -8,6 +8,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
+      id-token: write      # Required for provenance
+      packages: write      # Required for publishing
 
     strategy:
       matrix:
@@ -67,7 +71,7 @@ jobs:
         run: yarn build
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-      - run: npm publish --access public
+      - run: npm publish --provenance --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}