chore: generate and verify provenance statements

[sjinks]

Description

Provenance data give consumers a verifiable way to link a package back to its source repository and the specific build instructions used to publish it. This can increase supply-chain security for our packages. We can also use provenance attestations to reduce the risk of supply chain attacks targetted at us.

The provenance attestation is established by publicly providing a link to a package's source code and build instructions from the build environment. This allows developers to verify where and how your package was built before they download it.

Publish attestations are generated by the registry when a package is published by an authorized user. When an npm package is published with provenance, it is signed by Sigstore public good servers and logged in a public transparency ledger, where users can view this information.

Ref: https://github.blog/2023-04-19-introducing-npm-package-provenance/
Ref: https://docs.npmjs.com/generating-provenance-statements
Ref: https://github.blog/changelog/2023-09-26-npm-provenance-general-availability/

Steps to Test

Provenance generation: N/A - no testable changes.
Provenance verification:

$ npm audit signatures
audited 1117 packages in 10s

1117 packages have verified registry signatures

7 packages have verified attestations