@lachlancollins lachlancollins commented Sep 26, 2025

🎯 Changes

See here: https://github.com/danielroe/provenance-action

✅ Checklist

  • I have followed the steps in the Contributing guide.
  • I have tested this code locally with pnpm test:pr.

🚀 Release Impact

  • This change affects published code, and I have generated a changeset.
  • This change is docs/CI/dev-only (no release).

Summary by CodeRabbit

  • Chores
    • Implemented provenance verification in the PR preview workflow to validate bundle integrity and fail on version downgrades.
    • Introduced an external dependency to support provenance checks.
    • No changes to application features, behavior, or tests; existing tasks remain unaffected.


changeset-bot bot commented Sep 26, 2025

⚠️ No Changeset found

Latest commit: 5d69345

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


coderabbitai bot commented Sep 26, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Adds a provenance verification step to the GitHub PR workflow’s Preview job using danielroe/[email protected] with fail-on-downgrade enabled. No other workflow tasks or tests are modified.

Changes

Cohort / File(s) | Summary
CI Workflow: PR provenance verification (.github/workflows/pr.yml) | Adds a provenance block in the Preview job invoking danielroe/[email protected] to verify PR bundle provenance with fail-on-downgrade enabled; no other tasks changed.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer
    participant GH as GitHub Actions (PR Workflow)
    participant Prev as Preview Job
    participant Prov as danielroe/[email protected]

    Dev->>GH: Open/Update PR
    GH->>Prev: Run Preview job
    rect rgba(200,230,255,0.3)
      note right of Prev: New provenance verification step
      Prev->>Prov: Verify bundle provenance (fail-on-downgrade)
      Prov-->>Prev: Result (ok / downgrade detected)
    end
    alt Provenance OK
      Prev-->>GH: Continue remaining steps
    else Downgrade detected
      Prev-->>GH: Fail Preview job
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

A bunny taps the CI keys,
Checks the trail with verifiers’ breeze.
If versions dip, it thumps—“No go!”
Else hops along the preview flow.
Carrots cached, supply chain tight—
Merge burrow gleams in morning light. 🥕✨


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89be189 and 5d69345.

📒 Files selected for processing (1)
  • .github/workflows/pr.yml (1 hunks)

Comment @coderabbitai help to get the list of available commands and usage tips.


nx-cloud bot commented Sep 26, 2025

View your CI Pipeline Execution ↗ for commit 5d69345

Command | Status | Duration | Result
nx affected --targets=test:sherif,test:knip,tes... | ✅ Succeeded | 33s | View ↗
nx run-many --target=build --exclude=examples/*... | ✅ Succeeded | 1s | View ↗

☁️ Nx Cloud last updated this comment at 2025-09-26 12:54:42 UTC

@lachlancollins lachlancollins merged commit 8e42926 into main Sep 26, 2025
5 of 6 checks passed
@lachlancollins lachlancollins deleted the provenance-action branch September 26, 2025 12:53

Sizes for commit 5d69345:

Branch Bundle Size
Main
This PR
