NPM Provenance - a build signature badge
As a user, I want to be assured that all released packages come from a notable source, so that I can trust the package I'm adopting into my project.
Set up NPM provenance in CI so that all of our released packages are marked as "✅ Build & signed on GitHub Actions".
https://www.npmjs.com/package/sigstore#provenance
Blocked until we move all our releases to GitHub Actions
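A release workflow of the kind this issue asks for, as an added example and not this project's actual configuration. The file path, trigger, Node version and the `NPM_TOKEN` secret name are assumptions; `id-token: write` and `npm publish --provenance` are the parts that produce the signed provenance statement.

```yaml
# Assumed location: .github/workflows/release.yml (example, not the project's file)
name: release

on:
  release:
    types: [published]        # assumed trigger: publish when a GitHub release is created

# Default every job to read-only; grant more only where it is needed.
permissions:
  contents: read

jobs:
  publish:
    # npm requires a cloud-hosted runner for provenance;
    # self-hosted runners are not supported.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write         # allows the job to request the OIDC token used for Sigstore signing
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20    # assumed; provenance needs npm 9.5.0 or newer
          registry-url: https://registry.npmjs.org

      # Install exactly what the lockfile pins so the published build is reproducible.
      - run: npm ci

      # --provenance attaches a signed statement linking the tarball
      # to this repository, commit and workflow run.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Consumers can then check the registry signatures and provenance attestations of their installed dependencies with `npm audit signatures`.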