chore: provenance

[lishaduck]

I decided to look at the diff for 314aba7 and noticed it touched automated publishing. This is minor improvement to that flow that allows consumers to verify that the code did come from github actions, and wasn't created locally with a backdoor. This can prevent certain very specific supply-chain attacks.
I don't know why anyone would care, but someone probably will eventually complain, so it's better to do it now than latter. Although, in all seriousness, there are much better vectors for breaking into builds, and this doesn't help much without SHA pinning (I can do as well that if you'd like). Nevertheless, It doesn't hurt anything and I already had the the tab open 🙃

[PKief]

Great, thank you for the explanation and the fix 😃 I'm not too experienced with SHA pinning. If you could add it to improve the security of my automated pipelines, I would be very grateful for it!

[lishaduck]

Great, thank you for the explanation and the fix 😃 I'm not too experienced with SHA pinning. If you could add it to improve the security of my automated pipelines, I would be very grateful for it!

I should be able to get to it in a few hours! :)

[lishaduck]

You're officially secure 😉
I've done as much to your actions as I know 🕵️‍♂️

[lishaduck]

Oh, just FYI: I'm going on vacation for a ~week, so while I'm happy to help fix it if something broke, I won't be around until next Thursday. From experience, "resource not accessible from integration" errors can be rather annoying. 🤞 it works, but still 🤷‍♂️
To be clear: everything except the last commit should be fine. I tested the Bun scripting locally, and everything else is trivial enough it should be fine, but it is CI/CD... 🙃 The permissions key is pretty hard to get right though.

[github-actions]

Merge Successful

Thanks for your contribution! 🎉

The changes will be part of the upcoming update on the marketplace.

[lishaduck]

Yay! It works!