
update to support npm provenance attestation #225

Open · wants to merge 1 commit into base: main

Conversation

KingOfTac (Member) commented Sep 6, 2024

Pull Request

Description

This PR updates packages and the publish pipeline to support NPM's package signing capabilities.

This may not work due to beachball not supporting the --provenance flag yet; however, npm provides alternative methods for enabling the feature here that I ended up using.

This is necessary to build and maintain trust with users as supply chain attacks become more prevalent in the ecosystem. We already use scoped packages, which mitigates the risk; this just adds an extra layer.

Issues

Reviewer Notes

Test Plan

After the next release, check each published package on npm to see if the provenance statement has been generated.

Checklist

General

  • I have included a change request file using $ npm run change
  • I have added tests for my changes.
  • I have tested my changes.
  • I have updated the project documentation to reflect my changes.
  • I have read the CONTRIBUTING documentation for this project.

Component-specific

  • I have added a new component
  • I have modified an existing component
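An added example, not code from this PR or the project, of the workaround the description refers to: enabling npm provenance through npm configuration instead of a beachball flag, plus a post-publish check matching the test plan. It assumes publishing runs in GitHub Actions on pushes to main, that beachball is invoked through an existing `publish` npm script, and that an `NPM_TOKEN` secret exists; `@scope/package` is a placeholder.

```yaml
# Added example (not from the PR): publish job that turns on npm provenance
# without beachball needing to know the --provenance flag.
# Assumptions: publish runs from GitHub Actions on main, beachball is run by
# the "publish" npm script, and secrets.NPM_TOKEN is a granular publish token.
name: publish
on:
  push:
    branches: [main]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # beachball pushes version bumps and tags back to the repo
      id-token: write   # required: npm requests a GitHub OIDC token to build the attestation
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # beachball reads git history to find change files
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # provenance is only issued by the public registry
      - run: npm ci
      # npm reads any config key from NPM_CONFIG_<KEY>, so setting
      # NPM_CONFIG_PROVENANCE is equivalent to "npm publish --provenance"
      # for every publish beachball performs under this step.
      - run: npm run publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: "true"
      # Post-publish check for the test plan: fail the job when the registry
      # reports no attestation on the published version. The registry exposes
      # attestations under the packument's dist.attestations field.
      # PKG is a placeholder; loop over the released packages in practice.
      - run: |
          PKG="@scope/package"   # placeholder package name
          npm view "$PKG" dist.attestations --json | grep -q '"provenance"' \
            || { echo "no provenance attestation found for $PKG"; exit 1; }
```

If the attestation is missing, the usual causes are a job without `id-token: write`, a publish step that did not inherit the env var, or a registry other than registry.npmjs.org.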
