Investigation Results

Tool: Using lerna-lite (v4.7.2) for versioning and publishing
Package Manager: pnpm v10.15.0
Publishing Command: lerna publish from-package with NPM_TOKEN
Monorepo Structure: ~40 packages under packages/* and packages/@secretlint/*

Current packages have NO provenance: Checked packages (e.g., @secretlint/secretlint-rule-github) show attestations: null
No OIDC configuration: Currently using traditional NPM_TOKEN in secrets
npm CLI compatibility: Need npm CLI 11.5.1+ for trusted publishing

OIDC authentication eliminates need for NPM_TOKEN
Automatic provenance generation when using trusted publishing
Provenance can be verified via:
- npm audit signatures command
- npm view <package> dist.attestations field
- npmjs.com UI (green checkmark)

Option 1: pnpm + Changesets (Recommended)

Option 2: pnpm Native Commands

For the CI check requirement, we can:

Would you like me to proceed with implementing the changesets approach and the provenance verification system?

npm Trusted Publisher #1207