chore: generate provenance statements for npm package (#10477)

* chore: generate provenance statements for npm package

See also https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow

* also add --provenance for covector publishes

---------

Co-authored-by: Lucas Nogueira <lucas@tauri.app>

.changes/config.json

@@ -113,8 +113,8 @@
           "pipe": true
         },
         {
-          "command": "yarn publish --access public --loglevel silly --tag next",
+          "command": "yarn publish --access public --loglevel silly --tag next --provenance",
-          "dryRunCommand": "npm publish --dry-run --access public",
+          "dryRunCommand": "npm publish --dry-run --access public --provenance",
           "pipe": true
         },
         {

.github/workflows/publish-cli-js.yml

@@ -390,7 +390,7 @@ jobs:
       - name: Publish
         run: |
           echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-          npm publish --tag next
+          npm publish --tag next --provenance
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.ORG_NPM_TOKEN }}