ci: add npm provenance

.github/workflows/algolia.yml

@@ -10,19 +10,14 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - name: Enable PNPM
-        uses: pnpm/action-setup@v4
-
-      - name: Set node version to 20
-        uses: actions/setup-node@v4
+      - uses: oven-sh/setup-bun@v2
         with:
-          node-version: "20"
-          cache: "pnpm"
+          bun-version: latest
 
       - name: Install
-        run: pnpm install --frozen-lockfile
+        run: bun install --frozen-lockfile
 
       - name: Update Algolia Index
-        run: pnpm run algolia
+        run: bun run algolia
         env:
           ALGOLIA_ADMIN_KEY: ${{ secrets.ALGOLIA_ADMIN_KEY }}

.github/workflows/cron-run.yml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 0 * * 0"
 
+permissions:
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -12,16 +15,12 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - name: Enable PNPM
-        uses: pnpm/action-setup@v4
-
-      - name: Set node version to 20
-        uses: actions/setup-node@v4
+      - uses: oven-sh/setup-bun@v2
         with:
-          node-version: "20"
+          bun-version: latest
 
       - name: Install
-        run: pnpm install --frozen-lockfile
+        run: bun install --frozen-lockfile
 
       - name: Fetch API # Calls Google Font Metadata to fetch the latest data from Google's Developer API
         run: npx gfm generate $GOOGLE_API_KEY
@@ -35,29 +34,29 @@ jobs:
         run: npx fontsource build
 
       - name: Remove Duplicates
-        run: pnpm run check-duplicates
+        run: bun run check-duplicates
 
       - name: Generate fontlist
-        run: pnpm run fontlist
+        run: bun run fontlist
 
       - name: Save GFM metadata
-        run: pnpm run gfm-metadata
+        run: bun run gfm-metadata
 
       - name: Save Fontsource metadata
-        run: pnpm run metadata
+        run: bun run metadata
 
       - name: Setup Git Config
         run: |
           git config --global user.email "83556432+fontsource-bot@users.noreply.github.com"
           git config --global user.name "fontsource-bot"
 
       - name: Publish to NPM
-        run: "pnpm run ci:publish"
+        run: "bun run ci:publish"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Update Algolia Index
-        run: pnpm run algolia
+        run: bun run algolia
         env:
           ALGOLIA_ADMIN_KEY: ${{ secrets.ALGOLIA_ADMIN_KEY }}

.github/workflows/manual-run-force.yml

@@ -2,6 +2,9 @@ name: Build and Release [Force Rebuild No Deploy] [Manual]
 
 on: [workflow_dispatch]
 
+permissions:
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -10,16 +13,12 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - name: Enable PNPM
-        uses: pnpm/action-setup@v4
-
-      - name: Set node version to 20
-        uses: actions/setup-node@v4
+      - uses: oven-sh/setup-bun@v2
         with:
-          node-version: "20"
+          bun-version: latest
 
       - name: Install
-        run: pnpm install --frozen-lockfile
+        run: bun install --frozen-lockfile
 
       - name: Fetch API # Calls Google Font Metadata to fetch the latest data from Google's Developer API
         run: npx gfm generate $GOOGLE_API_KEY
@@ -33,13 +32,13 @@ jobs:
         run: npx fontsource build --force
 
       - name: Generate fontlist
-        run: pnpm run fontlist
+        run: bun run fontlist
 
       - name: Save GFM metadata
-        run: pnpm run gfm-metadata
+        run: bun run gfm-metadata
 
       - name: Save Fontsource metadata
-        run: pnpm run metadata
+        run: bun run metadata
 
       - name: Stage, commit and push files
         uses: stefanzweifel/git-auto-commit-action@v4

.github/workflows/manual-run.yml

@@ -2,6 +2,9 @@ name: Build and Release [Manual]
 
 on: [workflow_dispatch]
 
+permissions:
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -10,16 +13,12 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - name: Enable PNPM
-        uses: pnpm/action-setup@v4
-
-      - name: Set node version to 20
-        uses: actions/setup-node@v4
+      - uses: oven-sh/setup-bun@v2
         with:
-          node-version: "20"
+          bun-version: latest
 
       - name: Install
-        run: pnpm install --frozen-lockfile
+        run: bun install --frozen-lockfile
 
       - name: Fetch API # Calls Google Font Metadata to fetch the latest data from Google's Developer API
         run: npx gfm generate $GOOGLE_API_KEY
@@ -33,29 +32,29 @@ jobs:
         run: npx fontsource build
 
       - name: Remove Duplicates
-        run: pnpm run check-duplicates
+        run: bun run check-duplicates
 
       - name: Generate fontlist
-        run: pnpm run fontlist
+        run: bun run fontlist
 
       - name: Save GFM metadata
-        run: pnpm run gfm-metadata
+        run: bun run gfm-metadata
 
       - name: Save Fontsource metadata
-        run: pnpm run metadata
+        run: bun run metadata
 
       - name: Setup Git Config
         run: |
           git config --global user.email "83556432+fontsource-bot@users.noreply.github.com"
           git config --global user.name "fontsource-bot"
 
       - name: Publish to NPM
-        run: "pnpm run ci:publish"
+        run: "bun run ci:publish"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Update Algolia Index
-        run: pnpm run algolia
+        run: bun run algolia
         env:
           ALGOLIA_ADMIN_KEY: ${{ secrets.ALGOLIA_ADMIN_KEY }}

.github/workflows/tests.yml

@@ -8,17 +8,12 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - name: Enable PNPM
-        uses: pnpm/action-setup@v4
-
-      - name: Set node version to 20
-        uses: actions/setup-node@v4
+      - uses: oven-sh/setup-bun@v2
         with:
-          node-version: "20"
-          cache: "pnpm"
+          bun-version: latest
 
       - name: Install
-        run: pnpm install --frozen-lockfile
+        run: bun install --frozen-lockfile
 
       - name: Run Tests
-        run: pnpm test
+        run: bun run test

.github/workflows/update-deps.yml

@@ -12,20 +12,15 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - name: Enable PNPM
-        uses: pnpm/action-setup@v4
-
-      - name: Set node version to 20
-        uses: actions/setup-node@v4
+      - uses: oven-sh/setup-bun@v2
         with:
-          node-version: "20"
-          cache: "pnpm"
+          bun-version: latest
 
       - name: Install
-        run: pnpm install --frozen-lockfile
+        run: bun install --frozen-lockfile
 
       - name: Update
-        run: pnpm up --latest
+        run: bun upgrade --latest
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v5

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "font-files",
-	"version": "5.0.0",
+	"version": "5.1.0",
 	"description": "1500+ open-source fonts bundled into neat packages.",
 	"type": "module",
 	"packageManager": "pnpm@8.3.1",
@@ -12,13 +12,13 @@
 		"gfm-metadata": "tsx scripts/gfm-metadata.ts",
 		"metadata": "tsx scripts/metadata.ts",
 		"test": "fontsource create-verify --all",
-		"ci:publish": "npx @fontsource-utils/publish publish patch --yes"
+		"ci:publish": "npx @fontsource-utils/publish publish patch --yes --provenance"
 	},
 	"author": "Ayuhito <hello@ayuhito.com>",
 	"license": "MIT",
 	"dependencies": {
 		"@fontsource-utils/cli": "0.4.2",
-		"@fontsource-utils/publish": "^0.2.8",
+		"@fontsource-utils/publish": "^0.3.0",
 		"@types/node": "^20.12.7",
 		"algoliasearch": "^4.23.3",
 		"consola": "^3.2.3",