ci: publish workflow using semantic-release, with provenance

.github/workflows/publish.yml

@@ -0,0 +1,41 @@
+name: Publish
+on:
+  workflow_dispatch:
+    branches:
+      - main
+
+permissions:
+  contents: read # for checkout
+
+jobs:
+  publish:
+    name: Publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+
+      # semantic-release uses npm to do final prepare + package + publish
+      # npm will not tolerate node_modules directories installed via yarn
+      # so yarn must not be used in this workflow
+      # there will be errors related to pod-install but we can ignore them
+      - name: Install dependencies using NPM
+        run: npm i
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npx semantic-release

packages/react-native/package.json

@@ -54,7 +54,8 @@
     "onesignal"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "files": [
     "README.md",