ci: publish with npm provenance

.github/workflows/ci.yml

@@ -70,6 +70,9 @@ jobs:
       !contains(github.event.head_commit.message, 'skip release')
     runs-on: ubuntu-latest
     needs: [unit-test, lint-and-test-dts]
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
 
@@ -88,6 +91,7 @@ jobs:
       - run: pnpm release --vapor --skip-tests
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: 'true'
 
   # benchmarks:
   #   runs-on: ubuntu-latest