RT npm
starting today, developers building npm projects on @github Actions can request a provenance statement to be published alongside their package, giving consumers a verifiable way to link a package back to its source repository and build instructions.
https://github.blog/2023-04-19-introducing-npm-package-provenance/
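
Added example, not part of the original post or of npm's own documentation: a GitHub Actions workflow that requests a provenance statement when publishing. The workflow name, release trigger, Node version and the `NPM_TOKEN` secret name are assumptions.

```yaml
# .github/workflows/publish.yml (hypothetical file name)
name: publish-with-provenance

on:
  release:
    types: [published]   # assumed trigger: publish when a GitHub release is created

# Least privilege: read the repo, and allow the job to mint an OIDC token.
# Without id-token: write, npm cannot obtain the signing identity that
# ties the provenance statement to this repository and workflow run.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest   # GitHub-hosted runner
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20                       # assumed; ships an npm new enough for --provenance
          registry-url: https://registry.npmjs.org

      # Install exactly what the lockfile pins so the build matches the source commit.
      - run: npm ci

      # --provenance asks npm to generate and publish the provenance statement
      # alongside the package tarball.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

On the consumer side, running `npm audit signatures` in a project verifies the registry signatures and provenance attestations of its installed dependencies.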