## Description
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs
Following the recent Lottie-Player supply chain attack, it's crucial to
enhance package security. NPM provenance provides cryptographic proof
that this package was built from this repository using GitHub Actions,
making supply chain attacks significantly harder. More info in my blog
post
https://medium.com/exaforce/npm-provenance-the-missing-security-layer-in-popular-javascript-libraries-b50107927008
## Specific Changes proposed
Changes the workflow github to publish provenance attestation on
https://www.npmjs.com/package/video.js
## Requirements Checklist
- [x] Feature implemented in CI/CD
- [ ] If necessary, more likely in a feature request than a bug fix
- [ ] Change has been verified in an actual browser (Chrome, Firefox,
IE)
- [x] Unit Tests updated or fixed
- [ ] Docs/guides updated
- [ ] Example created ([starter template on
JSBin](https://codepen.io/gkatsev/pen/GwZegv?editors=1000#0))
- [ x Has no DOM changes which impact accessiblilty or trigger warnings
(e.g. Chrome issues tab)
- [x] Has no changes to JSDoc which cause `npm run docs:api` to error
- [ ] Reviewed by Two Core Contributors
Sync needs extra permissions, like ListObject, to function, but the keys
we have are the most minimal that are possible. Instead, we should copy
local files unconditionally.
The release job will do an npm publish and a github-release.
It's based on videojs/.github/github-release.yml.
The new version is published as `next` and requires to be promoted to
latest manually.
The deploy job, should do an aws s3 sync to upload the files to S3 for
us. It uses a Github Environment secrets. This is so that we can require
a user to approve the CDN upload.
