You can support provenance in publishing without changing the @changesets/cli.

As described in Using third-party package publishing tools, simply add "provenance": true to the publishConfig in package.json.

sigstore/sigstore-js supports provenance in this way.
ref: package.json

Seconded

Hello. Can someone confirm that the provenance flag works with adjusting the package.json? I tried it with https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow but it leads to permission denied error on the repo.

It works for me:

• example #1
• example #2

update: sorted out my issue

the problem was due to using node 18.14.0, which doesn't provide an npm version that supports provenance.

Hey. The problem still exists in our repo. So we also use node 18.x. Maybe that's the problem. I will try it again if we do a update.

I'd like to support this but nobody has provided a PR implementing this that I could review. Unfortunately, my life is currently packed with other things and I just don't feel drawn to Changesets enough to work on it in my free time for free. Don't take me wrong - I love the project. There are just so many hours in a day though and I have to pick up my priorities.

I'd be willing to work on this but the work would have to get sponsored.

Here's an example PR showing how to do it: sveltejs/kit#12567

One thing that would be nice is if changesets let you set provenance for the whole repo in an easier fashion vs having to set "publishConfig": { "provenance": true } on every individual package

Actually, it seems there is an easier way to setup this up: sveltejs/kit#12570