baobun 2 days ago

This is likely the reason behind the recent push of "Trusted Publishing" from NPM. They are trying to make people consider GitHub (and GitLab) in their own higher tier with regard to supply-chain security, by decree.

If you rely on "Trusted Publishing" you are assisting Microsoft in making a moat for their CI platform.

Use cryptographic signatures, not implicit trust in a hosted platform.