
feat: enable npm provenance on published packages

Open · BethGriggs opened this issue 1 year ago · 1 comment

Hey, I just made a Pull Request!

Opened this to attempt to enable provenance so that we can get references back to the commit and GitHub actions flow that published the package.

I am unsure if this will just work as we're publishing via yarn workspaces foreach <command>.

Note: At this time, yarn is not a supported tool for publishing your packages with provenance.

I'll try and test locally and confirm.

✔ Checklist

  • [ ] A changeset describing the change and affected packages. (more info)
  • [ ] Tests for new functionality and regression tests for bug fixes
  • [ ] Screenshots attached (for UI changes)
  • [ ] All your commits have a Signed-off-by line in the message. (more info)

BethGriggs · May 20 '24 12:05

Oh boo, this will not just work because:

yarn workspaces foreach will run a yarn command, not execute a CLI*. That means that this runs yarn npm publish in every package and not npm publish. This is crucial, because yarn npm publish is its own separate CLI that doesn't support the --provenance flag https://github.com/storybookjs/storybook/pull/23917#issuecomment-1696934808

One option is to yarn pack and then npm publish. Thoughts? I do think enabling provenance would be useful as a means to track a build/publish to a specific commit in this repository.

BethGriggs · May 20 '24 12:05
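The pack-then-publish route suggested in the comment above, written out as an added example; this is not code from the PR or from the community-plugins repository. It assumes Yarn Berry (`yarn workspaces list --json --no-private`, `yarn pack --out`), npm 9.5 or newer (the `--provenance` flag), public packages (`--access public`), and a GitHub Actions job with `id-token: write`, which is what makes the `ACTIONS_ID_TOKEN_REQUEST_URL` OIDC variable available to npm. The tarball naming is the script's own choice, not yarn's default. Nothing is published unless `RUN_PUBLISH=1` is set, so the helper functions can be inspected first.

```shell
#!/usr/bin/env sh
# Added example: publish every non-private workspace with npm provenance by
# packing with yarn and handing the tarball to the npm CLI, which is the tool
# that understands --provenance. Assumptions: Yarn Berry, npm >= 9.5, public
# packages, GitHub Actions with `permissions: id-token: write`.
set -eu

# Where packed tarballs go; absolute so `yarn pack --out` works after `cd`.
OUT_DIR=${OUT_DIR:-$PWD/dist-tarballs}

# npm obtains the Sigstore signing identity from the Actions OIDC endpoint.
# Without `id-token: write` this variable is absent and publish would fail,
# so check up front instead of after the first package has been packed.
provenance_available() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]
}

# Choose a tarball path for a package: "@scope/name" 1.2.3 becomes
# "<out_dir>/scope-name-1.2.3.tgz". This naming is ours, passed explicitly
# to `yarn pack --out`, so no yarn placeholder behaviour is relied upon.
tarball_path() {
  out_dir=$1; name=$2; version=$3
  flat=$(printf '%s' "$name" | sed -e 's/^@//' -e 's#/#-#g')
  printf '%s/%s-%s.tgz' "$out_dir" "$flat" "$version"
}

# The publish command as a string, so it can be logged or dry-run.
publish_cmd() {
  printf 'npm publish %s --provenance --access public' "$1"
}

# Pack one workspace with yarn, then publish the tarball with npm.
publish_workspace() {
  dir=$1
  name=$(node -p "require('$PWD/$dir/package.json').name")
  version=$(node -p "require('$PWD/$dir/package.json').version")
  tarball=$(tarball_path "$OUT_DIR" "$name" "$version")
  echo "packing $name@$version -> $tarball"
  (cd "$dir" && yarn pack --out "$tarball")
  echo "$(publish_cmd "$tarball")"
  eval "$(publish_cmd "$tarball")"
}

main() {
  if ! provenance_available; then
    echo "ACTIONS_ID_TOKEN_REQUEST_URL not set: run in GitHub Actions with id-token: write" >&2
    exit 1
  fi
  mkdir -p "$OUT_DIR"
  # Yarn prints one JSON object per line; keep each workspace's location,
  # skipping the repository root.
  yarn workspaces list --json --no-private \
    | node -e 'require("fs").readFileSync(0,"utf8").trim().split("\n").filter(Boolean).forEach(l=>{const w=JSON.parse(l);if(w.location!==".")console.log(w.location)})' \
    | while IFS= read -r dir; do
        publish_workspace "$dir"
      done
}

# Guard so sourcing the file (or reading the helpers) publishes nothing.
if [ "${RUN_PUBLISH:-0}" = "1" ]; then
  main
fi
```

Running this as a normal step after `yarn install` and the build gives each package an attestation that links the published tarball back to the workflow run and commit, which is the traceability the comment is after; the `yarn npm publish` step that `workspaces foreach` would have run is replaced, not wrapped.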

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

github-actions[bot] · Aug 31 '24 00:08