@bounded-systems/mint 0.4.3 → 0.4.15

@@ -0,0 +1,10 @@
1
+ {
2
+ "$schema": "https://json.schemastore.org/package.json",
3
+ "_comment": "Declarative record of the npm trusted publisher configuration for @bounded-systems/mint. Apply manually at https://www.npmjs.com/package/@bounded-systems/mint/access until npm exposes a public API for this.",
4
+ "provider": "github-actions",
5
+ "organization": "bounded-systems",
6
+ "repository": "mint",
7
+ "workflow": "release.yml",
8
+ "environment": null,
9
+ "permissions": ["npm publish"]
10
+ }
@@ -1,14 +1,16 @@
1
1
  name: release
2
2
 
3
3
  # On a vX.Y.Z tag (pushed by `mint release`):
4
- # release — test, pack, SLSA-attest the tarball, emit + keyless-sign the
5
- # in-toto release Statement (tag → version plan → commit), publish
6
- # the GitHub release (notes from the tag annotation mint wrote) with
7
- # the statement + its Sigstore bundle attached.
8
- # publish stage on npm via OIDC trusted publishing (no tokens, ever) and
9
- # publish to JSR. The npm package is staged, not live: a maintainer
10
- # must approve it with 2FA before it appears on the registry.
11
- # See job summary for the stage ID + approval instructions.
4
+ # release — test, pack, SLSA-attest the tarball, emit + keyless-sign the
5
+ # in-toto release Statement (tag → version plan → commit), publish
6
+ # the GitHub release (notes from the tag annotation mint wrote) with
7
+ # the statement + its Sigstore bundle attached.
8
+ # approve gated by the `npm-publish` GitHub Environment (required reviewer).
9
+ # No-op job: a maintainer approves in the Actions UI, which unblocks
10
+ # all deploy jobs below. Add new deploy targets as separate jobs with
11
+ # needs: [release, approve].
12
+ # npm — publish to npm via OIDC trusted publishing (no token).
13
+ # jsr — publish to JSR via OIDC (no token).
12
14
  #
13
15
  # This workflow covers: npm (staged) + JSR + GitHub release.
14
16
  # Out of scope here — triggered separately on the same tag:
@@ -40,7 +42,7 @@ jobs:
40
42
  id: pack
41
43
  run: echo "tgz=$(npm pack | tail -1)" >> "$GITHUB_OUTPUT"
42
44
  - name: Attest build provenance (SLSA)
43
- uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
45
+ uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
44
46
  with:
45
47
  subject-path: ${{ steps.pack.outputs.tgz }}
46
48
  # Release provenance: the deterministic in-toto Statement binding this tag to
@@ -66,60 +68,34 @@ jobs:
66
68
  mint-release.intoto.json \
67
69
  mint-release.intoto.sigstore.json
68
70
 
69
- publish:
71
+ approve:
70
72
  needs: release
71
73
  runs-on: ubuntu-latest
74
+ environment: npm-publish # required reviewer — approving here unblocks all deploys
75
+ steps:
76
+ - run: echo "Approved."
77
+
78
+ npm:
79
+ needs: [release, approve]
80
+ runs-on: ubuntu-latest
72
81
  steps:
73
82
  - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
74
83
  - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
75
84
  with:
76
- node-version: "24" # npm 11.15.0+ required for staged publishing
85
+ node-version: "24"
77
86
  registry-url: "https://registry.npmjs.org"
78
87
  - run: npm ci --no-audit --no-fund
79
- - name: Publish or stage on npm (OIDC trusted publishing — no token)
80
- id: stage
81
- continue-on-error: true # JSR is the source of truth; npm failure must not block it
82
- run: |
83
- npm install -g npm@latest # ensure npm 11.15.0+ for staged publishing
84
- echo "npm version: $(npm --version)"
85
- PKG=$(node -p "require('./package.json').name")
86
- # npm stage publish requires the package to already exist on the registry.
87
- # On first publish, fall back to npm publish to seed it; all subsequent
88
- # releases go through the staged flow (human 2FA approval required).
89
- if npm view "$PKG" version 2>/dev/null; then
90
- echo "package exists using npm stage publish"
91
- npm stage publish --access public --provenance 2>&1 | tee /tmp/stage-out.txt || true
92
- else
93
- echo "first publish — seeding with npm publish (staged publishing requires existing package)"
94
- npm publish --access public --provenance 2>&1 | tee /tmp/stage-out.txt || true
95
- fi
96
- STAGE_OUT=$(cat /tmp/stage-out.txt)
97
- STAGE_ID=$(echo "$STAGE_OUT" | grep -oE '[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}' | head -1 || true)
98
- echo "stage_id=${STAGE_ID}" >> "$GITHUB_OUTPUT"
99
- - name: Surface approval instructions
100
- env:
101
- STAGE_ID: ${{ steps.stage.outputs.stage_id }}
102
- PKG: ${{ github.repository }}
103
- run: |
104
- {
105
- echo "## npm package staged — human approval required"
106
- echo ""
107
- echo "The package is in the staging area, **not yet live on the registry**."
108
- echo "A maintainer must approve it with 2FA before it becomes publicly available."
109
- echo ""
110
- if [ -n "$STAGE_ID" ]; then
111
- echo "**Stage ID:** \`${STAGE_ID}\`"
112
- echo ""
113
- echo "**Approve via CLI (2FA required):**"
114
- echo '```'
115
- echo "npm stage approve ${STAGE_ID}"
116
- echo '```'
117
- else
118
- echo "> Could not parse stage ID from npm output."
119
- echo "> Run \`npm stage list @bounded-systems/mint\` to find it."
120
- fi
121
- echo ""
122
- echo "**Or approve on npmjs.com:** open the [Staged Packages](https://www.npmjs.com/settings/~/packages/staged) tab."
123
- } >> "$GITHUB_STEP_SUMMARY"
88
+ - name: Publish to npm (OIDC trusted publishing — no token)
89
+ run: npm publish --access public --provenance
90
+
91
+ jsr:
92
+ needs: [release, approve]
93
+ runs-on: ubuntu-latest
94
+ steps:
95
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
96
+ - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
97
+ with:
98
+ node-version: "24"
99
+ - run: npm ci --no-audit --no-fund
124
100
  - name: Publish to JSR (OIDC — no token)
125
101
  run: npx jsr publish --allow-slow-types
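Review bot: The tarball npm receives is not the one this workflow attests: `id: pack` runs `npm pack` and hands that file to `attest-build-provenance`, but the `npm` job starts from a fresh checkout plus `npm ci` and lets `npm publish --access public --provenance` pack again, so the GitHub attestation's subject digest can differ from the registry artifact (the job containing `id: pack` starts outside the hunk; `needs: release` suggests it is `release`). Carry the packed file across with `actions/upload-artifact` in that job and `actions/download-artifact` in `npm`, then publish that path as sketched below, which also makes the `npm ci` in the `npm` job unnecessary. The human gate rests only on `needs: [release, approve]`: the `npm` job runs outside the `npm-publish` environment and the trusted-publisher record added at the top of this diff sets `"environment": null`, so the registry accepts a token from any job in `release.yml` and a later edit dropping `approve` from `needs` removes the reviewer step with no registry-side check. If the 0.4.8/0.4.14 changelog history means the environment claim cannot be pinned on npm's side yet, say so where the next maintainer will look, e.g. `# gate is enforced by needs: only — the npm trusted publisher has no environment pin` on the `npm` job. The README hunk below also calls this job `npm-approve` while the workflow names it `approve`.
```yaml
# … unchanged: release job through the `id: pack` step …
      - uses: actions/upload-artifact@<PINNED_SHA> # pin by commit SHA like the other actions
        with:
          name: npm-tarball
          path: ${{ steps.pack.outputs.tgz }}
# … unchanged: attest / release-statement steps, approve job, npm job checkout + setup-node …
      - uses: actions/download-artifact@<PINNED_SHA> # pin by commit SHA like the other actions
        with:
          name: npm-tarball
      - name: Publish to npm (OIDC trusted publishing — no token)
        run: npm publish ./*.tgz --access public --provenance # the artifact holds exactly one tarball
```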
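--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,77 @@
 # Changelog
 
+## 0.4.15 — 2026-06-29
+
+### Patch
+
+- add repository field to package.json — required by npm provenance verification to match the GitHub repo URL in the OIDC claims
+
+## 0.4.14 — 2026-06-29
+
+### Patch
+
+- revert _authToken strip — the empty NODE_AUTH_TOKEN reference in .npmrc is what triggers npm's OIDC exchange; stripping it causes ENEEDAUTH; trusted publisher config (no environment, publish allowed) is the real fix
+
+## 0.4.13 — 2026-06-29
+
+### Patch
+
+- fix npm OIDC auth — restore registry-url and strip the injected empty _authToken before publishing so npm can fall through to its OIDC trusted-publishing exchange
+
+## 0.4.12 — 2026-06-29
+
+### Patch
+
+- remove registry-url from npm job setup-node — injected NODE_AUTH_TOKEN conflicts with OIDC trusted publishing auth exchange
+
+## 0.4.11 — 2026-06-29
+
+### Patch
+
+- split publish into approve (gate) + npm + jsr as independent parallel jobs — one approval unblocks all deploys, each target has its own job log and can be retried independently
+
+## 0.4.10 — 2026-06-29
+
+### Patch
+
+- unify npm + JSR behind a single publish job gated by the npm-publish GitHub Environment — one approval deploys to all registries
+
+## 0.4.9 — 2026-06-29
+
+### Patch
+
+- replace npm staged publishing with direct npm publish gated behind the GitHub Environment approval — same human gate, no dependency on unfinished npm staging OIDC support
+
+## 0.4.8 — 2026-06-29
+
+### Patch
+
+- fix npm stage publish OIDC scope — move npm stage publish into the npm-approve job (environment: npm-publish) so the OIDC token carries the environment claim required by the trusted publisher
+
+## 0.4.7 — 2026-06-29
+
+### Patch
+
+- retry staged npm publish — trusted publisher now has stage action + environment scoped to npm-publish
+
+## 0.4.6 — 2026-06-29
+
+### Patch
+
+- bump actions/attest-build-provenance to v4.1.1 (Node 24, clears deprecation warnings); add npm-publish GitHub Environment gate with required reviewer before surfacing the npm stage approve command
+
+## 0.4.5 — 2026-06-29
+
+### Patch
+
+- fix registry existence check — use curl instead of `npm view` (NODE_AUTH_TOKEN in .npmrc was causing the lookup to fail, always falling through to first-publish path)
+
+## 0.4.4 — 2026-06-29
+
+### Patch
+
+- first staged npm release — package now seeded, all future releases go through `npm stage publish` with human 2FA approval
+
 ## 0.4.3 — 2026-06-29
 
 ### Patch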
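--- a/package/README.md
+++ b/package/README.md
@@ -106,16 +106,15 @@ mint ships from `release.yml` on each `v*` tag via **OIDC trusted publishing**
 no `NPM_TOKEN`, no JSR token, ever. The package manifests are kept in lockstep by
 `mint version` (it bumps `package.json`, `package-lock.json`, **and** `jsr.json`).
 
-**npm uses staged publishing** — `npm stage publish` submits the package to a
-staging area rather than making it live immediately. A maintainer must approve it
-with 2FA before it appears on the registry:
+**npm uses a GitHub Environment gate** — the `npm-approve` job is blocked by the
+`npm-publish` environment, which requires a designated reviewer to approve in the
+GitHub Actions UI before `npm publish` runs. Approve at:
 
-```sh
-npm stage approve <stage-id> # CLI, 2FA required
-# or: npmjs.com → Staged Packages tab → Approve
+```
+https://github.com/bounded-systems/mint/actions
 ```
 
-The stage ID is surfaced in the GitHub Actions job summary after each release run.
+Once approved, the package publishes immediately via OIDC trusted publishing (no token).
 
 **JSR publishes immediately** on the same tag (no staging concept on JSR).
 
@@ -167,7 +166,7 @@ releaseStatement({
 - [x] `mint release` — signed tag + in-toto release provenance, keyless-signed in CI (cosign/Sigstore; anchored-chain-shaped)
 - [ ] verbspec-typed CLI + MCP surface
 - [x] Reusable `workflow_call` Action (`version.yml` + `release-provenance.yml`)
-- [x] Publish to npm (staged, human 2FA approval gate) + JSR
+- [x] Publish to npm (GitHub Environment approval gate) + JSR
 
 Tracking: [bounded-systems/string-audit#43](https://github.com/bounded-systems/string-audit/issues/43).
 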
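--- a/package/jsr.json
+++ b/package/jsr.json
@@ -1,6 +1,6 @@
 {
 "name": "@bounded-systems/mint",
-"version": "0.4.3",
+"version": "0.4.15",
 "license": "PolyForm-Noncommercial-1.0.0",
 "exports": {
 ".": "./plan.mjs",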
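--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@bounded-systems/mint",
-"version": "0.4.3",
+"version": "0.4.15",
 "description": "Deterministic versioning capability — intent files in, signed release out. A seam over semver: own the flow, delegate the arithmetic.",
 "type": "module",
 "bin": {
@@ -15,6 +15,10 @@
 "test": "node --test",
 "plan": "node mint.mjs plan"
 },
+"repository": {
+"type": "git",
+"url": "https://github.com/bounded-systems/mint.git"
+},
 "license": "PolyForm-Noncommercial-1.0.0",
 "dependencies": {
 "semver": "^7.6.0",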