ci: enable npm provenance attestation on publish

[mbrakken]

What

Enables npm provenance attestation for our published packages.

The repo already publishes via Trusted Publishing (OIDC) in release.yml, with id-token: write and a GitHub-hosted runner — the prerequisites for provenance. The missing piece was telling npm to generate provenance, since changeset publish wraps npm publish (a third-party publishing tool).

Per the npm docs' guidance for third-party publishing tools, this adds publishConfig.provenance: true to each publishable package:

• @vercel/blob
• @vercel/edge-config
• @vercel/edge-config-fs

"publishConfig": {
  "provenance": true
}

A comment block in release.yml documents how provenance is wired up.

Notes

• All three packages already have a public, case-matching repository field with directory set — required for provenance.
• No workflow changes needed beyond the doc comment; id-token: write and the GitHub-hosted runner are already in place.
• The snapshot release path also generates provenance (same workflow, same OIDC setup). This is harmless and arguably more correct.
• Verify after a release with npm audit signatures.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8db7108

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
vercel-storage-next-integration-test-suite	Ready	Preview	Jun 18, 2026 5:29pm