fix: add provenance publish notice

[bdehamer]

Adds a notice in libnpmpublish which let's the user know that a provenance statement was published for their package.

End result will look something like this:

npm notice 
npm notice 📦  @ps-testing/dummy-provenance@1.0.0-4420104616.1
npm notice === Tarball Contents === 
npm notice 1.1kB LICENSE     
npm notice 711B  README.md   
npm notice 28B   index.js    
npm notice 487B  package.json
npm notice === Tarball Details === 
npm notice name:          @ps-testing/dummy-provenance                      
npm notice version:       1.0.0-4420104616.1                                
npm notice filename:      ps-testing-dummy-provenance-1.0.0-4420104616.1.tgz
npm notice package size:  1.4 kB                                            
npm notice unpacked size: 2.3 kB                                            
npm notice shasum:        63c71e9871ff36942[78](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:79)f3e3a5c[83](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:84)e4bd66f9018c          
npm notice integrity:     sha512-ynvxGJyOxZAA3[...]fzrPMYTLtj6DQ==          
npm notice total files:   4                                                 
npm notice 
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://rekor.sigstore.dev/api/v1/log/entries?logIndex=15428[84](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:85)4

[bdehamer]

@feelepxyz it seems unlikely that we're gonna have our tlog UI stood-up in time to get this into the CLI. Should we just omit the URL?

[feelepxyz]

Yeah we won't have this UI stood up in time. Maybe ok to link to the API entry for now, e.g. https://rekor.sigstore.dev/api/v1/log/entries?logIndex=1 - loading it up is not user friendly but at least shows where we've published it to.

Maybe we could also say something about generating/signing it with metadata from GHA?

Signed provenance statement with source and build information from GitHub Actions
Provenance statement published to transparency log: https://rekor.sigstore.dev/api/v1/log/entries?logIndex=xx

@steiza @MylesBorins thoughts on what we should say in the CLI output when publishing with provenance?

[steiza]

👍 What @feelepxyz suggests sounds good to me!

As we add support for other CI/CD providers, will we have the necessary context at this point in the code to correctly attribute the CI/CD provider used?

[feelepxyz]

will we have the necessary context at this point in the code to correctly attribute the CI/CD provider used?

I think so as we'll need to detect the CI system in order to figure out if it's supported.

[Larry260194]

create-node-pr.yml

[feelepxyz]

🎉