Unless the Chrome web store integrates with this, it puts the onus on users to continuously scan extension updates for hash mismatches with the public extension builds, which isn’t standardized. And even then this would be after an update is unpacked, which may not run in time to prevent initial execution. Nor does it prevent a supply chain attack on the code running in the GitHub Action for the build, especially if dependencies aren’t pinned. There’s no free lunch here.

key word "encourages"

when someone uses `npm install/add/whatever-verb` does it default to only using trusted publishing sources? and the dependency graph?

either 100% enforcement or it won't stick and these attack vulnerabilities are still there.

pypi also added this last year [1] and encouraging people to use trusted publishing as well.

[1] https://docs.pypi.org/trusted-publishers/