Sign published packages with sigstore

[JamieMagee]

There's currently an RFC open on improving the npm ecosystem's security by signing packages using sigstore. I'd like to suggest that semantic-release opt into this functionality whenever npm finalizes their implementation.

Sources:

• https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/
• RFC for linking packages to their source and build npm/rfcs#626
• https://github.com/sigstore/sigstore-js

[travi]

Thanks for starting this thread. We are already watching the proposal closely and intend to embrace it. Please don't hesitate to capture more details here about how semantic-release needs to adjust as they become more clear.