oss-signal 0.8.0 → 0.8.2

package/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 ## Unreleased
 
+## 0.8.2
+
+- Updated generated trial workflows, dogfood workflows, and documentation examples to `actions/upload-artifact@v5`.
+
+## 0.8.1
+
+- Moved the GitHub Action runtime to `node24` so new workflow runs avoid the GitHub-hosted runner Node.js 20 deprecation warning.
+- Updated SARIF upload documentation examples to `github/codeql-action/upload-sarif@v4`.
+
 ## 0.8.0
 
 - Added `--format workflow` for generating a no-fail GitHub Actions trial workflow.

package/README.md

@@ -26,8 +26,8 @@ It checks the files and automation that reduce maintainer load: README, license,
 Public evidence for the maintainer workflow is collected in [docs/index.md](docs/index.md), [docs/evidence-ledger.md](docs/evidence-ledger.md), [docs/trust-center.md](docs/trust-center.md), [docs/reviewer-evidence.md](docs/reviewer-evidence.md), [docs/adoption-evidence.md](docs/adoption-evidence.md), [docs/adoption-kit.md](docs/adoption-kit.md), [docs/maintainer-trial.md](docs/maintainer-trial.md), [docs/maintainer-feedback.md](docs/maintainer-feedback.md), [docs/social-launch.md](docs/social-launch.md), [docs/architecture.md](docs/architecture.md), [docs/security-model.md](docs/security-model.md), [docs/json-output.md](docs/json-output.md), [docs/plan-output.md](docs/plan-output.md), [docs/sarif-code-scanning.md](docs/sarif-code-scanning.md), [docs/roadmap.md](docs/roadmap.md), [docs/post-submission-update.md](docs/post-submission-update.md), and [docs/brand.md](docs/brand.md).
 
 - Landing page: https://salmonplays.github.io/oss-signal/
-- Published package: [`oss-signal@0.8.0`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.8.0`.
-- Published GitHub Action: [`SalmonPlays/oss-signal@v0.8.0`](https://github.com/SalmonPlays/oss-signal/tree/v0.8.0).
+- Published package: [`oss-signal@0.8.2`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.8.2`.
+- Published GitHub Action: [`SalmonPlays/oss-signal@v0.8.2`](https://github.com/SalmonPlays/oss-signal/tree/v0.8.2).
 - GitHub Marketplace listing: https://github.com/marketplace/actions/oss-signal
 - Trust center: [docs/trust-center.md](docs/trust-center.md)
 - Evidence ledger: [docs/evidence-ledger.md](docs/evidence-ledger.md)
@@ -41,7 +41,7 @@ Public evidence for the maintainer workflow is collected in [docs/index.md](docs
 - Maintainer plan output: [docs/plan-output.md](docs/plan-output.md)
 - SARIF Code Scanning walkthrough: [docs/sarif-code-scanning.md](docs/sarif-code-scanning.md)
 - Roadmap: [docs/roadmap.md](docs/roadmap.md)
-- Post-submission version note: the application may reference earlier evidence; `0.8.0` is the current maintained release and is documented in [docs/post-submission-update.md](docs/post-submission-update.md).
+- Post-submission version note: the application may reference earlier evidence; `0.8.2` is the current maintained release and is documented in [docs/post-submission-update.md](docs/post-submission-update.md).
 - Public checks: CI, Repository health, and CodeQL are passing on `main`.
 - Security posture: OpenSSF Scorecard is scheduled, CodeQL is active, secret scanning push protection is enabled, Dependabot alerts/security updates/malware alerts are enabled, and private vulnerability reporting is enabled.
 - Branch posture: `main` has branch protection to prevent force pushes and deletions while keeping direct maintainer maintenance possible.
@@ -193,7 +193,7 @@ Summary:
 
 See [docs/self-audit.md](docs/self-audit.md) for the full local self-audit report, [docs/examples/github-url-report.md](docs/examples/github-url-report.md) for the GitHub URL audit output, [docs/examples/github-issue-body.md](docs/examples/github-issue-body.md) for issue output, [docs/examples/github-plan.md](docs/examples/github-plan.md) for plan output, [docs/examples/maintainer-trial-workflow.yml](docs/examples/maintainer-trial-workflow.yml) for workflow output, and [docs/examples/self-audit.sarif](docs/examples/self-audit.sarif) for SARIF output.
 
-The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.8.0`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
+The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.8.2`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
 
 ## Field Audits
 
@@ -244,7 +244,7 @@ oss-signal . --fail-under 80
 Add `oss-signal` directly to a GitHub Actions workflow:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.0
+- uses: SalmonPlays/oss-signal@v0.8.2
   id: oss-signal
   with:
     fail-under: "80"
@@ -260,7 +260,7 @@ The Action writes a concise GitHub Actions step summary by default, so reviewers
 Run an inventory from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.0
+- uses: SalmonPlays/oss-signal@v0.8.2
   env:
     GITHUB_TOKEN: ${{ github.token }}
   with:
@@ -272,7 +272,7 @@ Run an inventory from CI:
 Generate an editable Issue body from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.0
+- uses: SalmonPlays/oss-signal@v0.8.2
   with:
     format: issue
     output: maintainer-follow-up.md
@@ -294,13 +294,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         id: oss-signal
         with:
           fail-under: "80"
           output: oss-signal-report.md
           summary: "true"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         with:
           name: oss-signal-report
           path: oss-signal-report.md
@@ -317,7 +317,7 @@ permissions:
 
 steps:
   - uses: actions/checkout@v5
-  - uses: SalmonPlays/oss-signal@v0.8.0
+  - uses: SalmonPlays/oss-signal@v0.8.2
     with:
       format: sarif
       output: oss-signal.sarif
@@ -327,7 +327,7 @@ steps:
       sarif_file: oss-signal.sarif
 ```
 
-This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.8.0` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
+This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.8.2` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
 
 You can also run the CLI directly in CI:
 

package/action.yml

@@ -44,5 +44,5 @@ outputs:
   report-path:
     description: Path to the generated report file, when output is enabled.
 runs:
-  using: node20
+  using: node24
   main: src/action.js

package/docs/adoption-evidence.md

@@ -8,9 +8,9 @@ Last verified: 2026-06-05T09:57:04Z
 
 - Repository: https://github.com/SalmonPlays/oss-signal
 - GitHub Pages landing page: https://salmonplays.github.io/oss-signal/
-- npm package: https://www.npmjs.com/package/oss-signal (`0.8.0` latest)
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.0
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
+- npm package: https://www.npmjs.com/package/oss-signal (`0.8.2` latest)
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.2
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.2
 - GitHub Marketplace listing: https://github.com/marketplace/actions/oss-signal
 - GitHub Action metadata: [action.yml](../action.yml)
 - Public dogfood workflow: [.github/workflows/repository-health.yml](../.github/workflows/repository-health.yml)
@@ -69,7 +69,7 @@ The [post-submission update](post-submission-update.md) records why the current
 
 ## Published Package Verification
 
-The npm package is publicly available as `oss-signal@0.8.0` with `latest` pointing at `0.8.0`.
+The npm package is publicly available as `oss-signal@0.8.2` with `latest` pointing at `0.8.2`.
 
 The npm downloads API returned 356 downloads for both last-week and last-month windows on 2026-06-05. Download counts can lag publication, so this is treated as supporting evidence rather than proof of broad adoption.
 
@@ -77,7 +77,7 @@ Clean-directory execution against the public GitHub repository returned:
 
 ```json
 {
-  "version": "0.8.0",
+  "version": "0.8.2",
   "score": 100,
   "grade": "A",
   "source": "github"
@@ -93,7 +93,7 @@ Current public workflow status:
 - OpenSSF Scorecard: configured on `main` pushes and a weekly schedule, with JSON artifact output and public Scorecard publishing
 - Release: passing
 - GitHub Pages deployment: passing, with the repository homepage set to https://salmonplays.github.io/oss-signal/
-- GitHub Marketplace listing: published, with `v0.8.0` available as the current Action tag
+- GitHub Marketplace listing: published, with `v0.8.2` available as the current Action tag
 - GitHub issue forms: adoption report, trial feedback, and maintainer audit report forms are available for structured public evidence intake
 - GitHub citation metadata: `CITATION.cff` is present for the repository citation UI
 - Automation contract: JSON schema and fixture are documented for `--format json`
@@ -102,7 +102,7 @@ Current public workflow status:
 - Maintainer workflow Discussion: published
 - Separate public workflow demo: passing
 
-The npm registry returned `0.8.0` for both the package version and `latest` dist-tag on 2026-06-05T09:57:04Z. A clean install smoke test returned version `0.8.0`, score `100`, grade `A`, and source `github`. The 2026-06-05 download check returned 356 downloads for the last-week and last-month windows.
+The npm registry returned `0.8.2` for both the package version and `latest` dist-tag on 2026-06-05T09:57:04Z. A clean install smoke test returned version `0.8.2`, score `100`, grade `A`, and source `github`. The 2026-06-05 download check returned 356 downloads for the last-week and last-month windows.
 
 ## Separate Public Workflow Evidence
 
@@ -165,10 +165,10 @@ npm run audit:github
 node src/cli.js . --format sarif --output docs/examples/self-audit.sarif
 node src/cli.js --inventory docs/examples/inventory-targets.txt --format markdown --output docs/examples/inventory-report.md
 node src/cli.js platformatic/massimo --format json
-npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal --format json
+npm exec --yes --package=oss-signal@0.8.2 -- oss-signal SalmonPlays/oss-signal --format json
 ```
 
-The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.8.0` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.8.0` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
+The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.8.2` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.8.2` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
 
 Public CI evidence:
 

package/docs/adoption-kit.md

@@ -9,7 +9,7 @@ For a first trial, use the no-fail workflow in [maintainer-trial.md](maintainer-
 Run against a public repository without cloning:
 
 ```bash
-npm exec --yes --package=oss-signal@0.8.0 -- oss-signal owner/repo --format markdown --output oss-signal-report.md
+npm exec --yes --package=oss-signal@0.8.2 -- oss-signal owner/repo --format markdown --output oss-signal-report.md
 ```
 
 Run against the current checkout:
@@ -50,13 +50,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         id: oss-signal
         with:
           fail-under: "80"
           output: oss-signal-report.md
           summary: "true"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         with:
           name: oss-signal-report
           path: oss-signal-report.md
@@ -71,12 +71,12 @@ permissions:
 
 steps:
   - uses: actions/checkout@v4
-  - uses: SalmonPlays/oss-signal@v0.8.0
+  - uses: SalmonPlays/oss-signal@v0.8.2
     with:
       format: sarif
       output: oss-signal.sarif
       summary: "false"
-  - uses: github/codeql-action/upload-sarif@v3
+  - uses: github/codeql-action/upload-sarif@v4
     with:
       sarif_file: oss-signal.sarif
 ```
@@ -87,7 +87,7 @@ Full walkthrough: [sarif-code-scanning.md](sarif-code-scanning.md)
 
 Useful adoption evidence is concrete and public:
 
-- A workflow run that uses `SalmonPlays/oss-signal@v0.8.0`.
+- A workflow run that uses `SalmonPlays/oss-signal@v0.8.2`.
 - A Markdown report attached as a workflow artifact.
 - A SARIF upload that appears in Code Scanning.
 - A focused issue or pull request created from an audit finding.

package/docs/assets/code-scanning-results.svg

@@ -6,7 +6,7 @@
   <rect x="0" y="0" width="920" height="58" rx="18" fill="#f6f8fa"/>
   <text x="32" y="37" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="18" font-weight="700">GitHub Code Scanning</text>
   <text x="32" y="98" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="28" font-weight="700">oss-signal maintainer-readiness findings</text>
-  <text x="32" y="132" fill="#57606a" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="16">SARIF upload from SalmonPlays/oss-signal@v0.8.0</text>
+  <text x="32" y="132" fill="#57606a" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="16">SARIF upload from SalmonPlays/oss-signal@v0.8.2</text>
   <rect x="32" y="162" width="856" height="72" rx="10" fill="#fffbdd" stroke="#d4a72c"/>
   <circle cx="65" cy="198" r="10" fill="#bf8700"/>
   <text x="88" y="194" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="17" font-weight="700">oss-signal/security</text>

package/docs/assets/oss-signal-banner.svg

@@ -34,7 +34,7 @@
     <rect x="334" y="266" width="144" height="42" rx="21" fill="#dcfce7"/>
     <text x="359" y="293" fill="#166534">100/100 A</text>
     <rect x="494" y="266" width="142" height="42" rx="21" fill="#dbeafe"/>
-    <text x="521" y="293" fill="#1e40af">npm 0.8.0</text>
+    <text x="521" y="293" fill="#1e40af">npm 0.8.2</text>
     <rect x="652" y="266" width="178" height="42" rx="21" fill="#e0f2fe"/>
     <text x="681" y="293" fill="#075985">GitHub Action</text>
     <rect x="846" y="266" width="168" height="42" rx="21" fill="#fef9c3"/>

package/docs/codex-for-oss-application.md

@@ -9,8 +9,8 @@ This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open S
 - Display name: OSS Maintainer Signal
 - Repository: https://github.com/SalmonPlays/oss-signal
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.0
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.2
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.2
 - CI workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - Repository inventory workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-inventory.yml
@@ -53,18 +53,18 @@ This project is designed around repeatable maintainer workflows where Codex is u
 
 The repository currently has:
 
-- A published npm package with `0.8.0` as the latest release.
+- A published npm package with `0.8.2` as the latest release.
 - A post-submission update page explaining why the current npm package and Action tag may be newer than the originally submitted evidence.
 - npm download API evidence showing 356 last-week and last-month downloads on 2026-06-05.
-- A published GitHub Release for v0.8.0 with maintainer plan output, CI usage guidance, and release notes.
+- A published GitHub Release for v0.8.2 with maintainer plan output, CI usage guidance, and release notes.
 - A reusable GitHub Action with `score`, `grade`, `failed`, and `report-path` outputs.
 - A repository inventory mode for organization-level maintainer-readiness triage, available in both CLI and GitHub Action form.
-- A clean npm smoke test of `oss-signal@0.8.0` returning version `0.8.0`, score `100`, grade `A`, and source `github`.
+- A clean npm smoke test of `oss-signal@0.8.2` returning version `0.8.2`, score `100`, grade `A`, and source `github`.
 - SARIF output for GitHub Code Scanning integration.
-- A v0.8.0 GitHub Action tag with step summary, SARIF support, inventory support, Issue-ready output, and maintainer plan output.
+- A v0.8.2 GitHub Action tag with step summary, SARIF support, inventory support, Issue-ready output, and maintainer plan output.
 - A workflow output mode that renders a no-fail GitHub Actions trial workflow for external maintainers.
-- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.8.0` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
-- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.8.0` against a repository target list and uploads an inventory artifact.
+- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.8.2` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
+- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.8.2` against a repository target list and uploads an inventory artifact.
 - A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.7.0` from another repository and uploads Markdown, SARIF, and Issue-ready report artifacts.
 - A no-fail maintainer trial workflow that external maintainers can copy before enabling CI gates.
 - A trial feedback path for neutral or negative maintainer responses, so third-party feedback does not have to be overstated as adoption.
@@ -72,7 +72,7 @@ The repository currently has:
 - A release process and tag-triggered release workflow that verify package contents and publish to npm through Trusted Publishing.
 - CI, Repository health, CodeQL, and Release workflows passing publicly.
 - A local self-audit score of 100/100.
-- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
+- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.8.2 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
 - Public reports, issues, and PRs created from real repository audits, including six posted field-audit issues and five follow-up PRs.
 - One accepted external documentation PR, with a public maintainer merge comment, recorded in [evidence-ledger.md](evidence-ledger.md).
 
@@ -113,5 +113,5 @@ Prepared official form answers are in [codex-for-oss-form-answers.md](codex-for-
 ## Next Evidence To Collect
 
 - More merged external PRs or maintainer replies on field-audit PRs.
-- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.8.0`, ideally with SARIF or inventory upload enabled.
+- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.8.2`, ideally with SARIF or inventory upload enabled.
 - npm download data once the registry starts reporting weekly/monthly counts.

package/docs/codex-for-oss-form-answers.md

@@ -50,7 +50,7 @@ Primary maintainer
 ## Why This Repository Qualifies
 
 ```text
-oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.8.0 and GitHub Action SalmonPlays/oss-signal@v0.8.0, supports Markdown/JSON/SARIF/Issue/Plan/Inventory/Workflow output, passes CI/CodeQL/Release, has a 100/100 self-audit, no-fail maintainer trial and feedback paths, six public field-audit issues, five public field-audit PRs, and one merged external Codex Action documentation PR.
+oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.8.2 and GitHub Action SalmonPlays/oss-signal@v0.8.2, supports Markdown/JSON/SARIF/Issue/Plan/Inventory/Workflow output, passes CI/CodeQL/Release, has a 100/100 self-audit, no-fail maintainer trial and feedback paths, six public field-audit issues, five public field-audit PRs, and one merged external Codex Action documentation PR.
 ```
 
 ## Interest
@@ -81,13 +81,13 @@ Use Codex/API credits to run repeatable public repository audits, draft focused
 ## Anything Else
 
 ```text
-The project is early, so I am not overstating adoption. Current evidence includes npm 0.8.0 latest, 356 npm downloads reported by the registry API on 2026-06-05, a published v0.8.0 release, a reusable GitHub Action with inventory and workflow output, no-fail maintainer trial and feedback paths, a clean npm smoke test returning 100/A, public CI/Repository health/CodeQL/Release, six field-audit issues, five field-audit PRs, and a separate public workflow demo with artifacts.
+The project is early, so I am not overstating adoption. Current evidence includes npm 0.8.2 latest, 356 npm downloads reported by the registry API on 2026-06-05, a published v0.8.2 release, a reusable GitHub Action with inventory and workflow output, no-fail maintainer trial and feedback paths, a clean npm smoke test returning 100/A, public CI/Repository health/CodeQL/Release, six field-audit issues, five field-audit PRs, and a separate public workflow demo with artifacts.
 ```
 
 ## Evidence Links
 
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release v0.8.0: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.0
+- GitHub Release v0.8.2: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.2
 - Main repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - Separate workflow demo repository: https://github.com/SalmonPlays/oss-signal-adoption-demo
 - Separate successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878

package/docs/evidence-ledger.md

@@ -8,13 +8,13 @@ This ledger keeps the strongest public `oss-signal` evidence in one reviewer-fri
 
 | Signal | Evidence | Status | Reviewer note |
 | --- | --- | --- | --- |
-| Installable CLI | https://www.npmjs.com/package/oss-signal | `0.8.0` is `latest` | Reviewers can run `npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal --format json`. |
+| Installable CLI | https://www.npmjs.com/package/oss-signal | `0.8.2` is `latest` | Reviewers can run `npm exec --yes --package=oss-signal@0.8.2 -- oss-signal SalmonPlays/oss-signal --format json`. |
 | npm download API | 356 downloads for last-week and last-month windows | Checked 2026-06-05T09:57:04Z | Supporting distribution signal only; not claimed as broad adoption. |
-| GitHub Action release | https://github.com/SalmonPlays/oss-signal/tree/v0.8.0 | Published tag | Public Action tag used by repository workflows; the separate demo is refreshed after release publication. |
+| GitHub Action release | https://github.com/SalmonPlays/oss-signal/tree/v0.8.2 | Published tag | Public Action tag used by repository workflows; the separate demo is refreshed after release publication. |
 | GitHub Marketplace | https://github.com/marketplace/actions/oss-signal | Published listing | Free Action listing under Code quality. |
 | Maintainer trial path | [maintainer-trial.md](maintainer-trial.md) | Published | External maintainers can try the Action without failing CI, then share a workflow run or adoption report. |
 | Maintainer feedback path | [maintainer-feedback.md](maintainer-feedback.md) | Published | External maintainers can leave useful public feedback even when the tool is not adopted. |
-| Main repository dogfood | https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml | Passing | Runs `SalmonPlays/oss-signal@v0.8.0` against this repository. |
+| Main repository dogfood | https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml | Passing | Runs `SalmonPlays/oss-signal@v0.8.2` against this repository. |
 | Inventory dogfood | https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-inventory.yml | Passing | Exercises multi-repository inventory mode. |
 | Separate public workflow demo | https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878 | Passing | Separate public repository runs `SalmonPlays/oss-signal@v0.7.0` and uploads Markdown, SARIF, and issue-ready artifacts. |
 | Accepted external contribution | https://github.com/icoretech/codex-action/pull/24 | Merged 2026-06-04 | External maintainer merged the focused Codex Action documentation safety fix and left a merge comment. |

package/docs/examples/github-action-workflow.yml

@@ -10,13 +10,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         id: oss-signal
         with:
           fail-under: "80"
           output: oss-signal-report.md
           summary: "true"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         with:
           name: oss-signal-report
           path: oss-signal-report.md

package/docs/examples/github-code-scanning-workflow.yml

@@ -15,13 +15,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         id: oss-signal
         with:
           fail-under: "80"
           output: oss-signal-report.md
           summary: "true"
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         with:
           format: sarif
           output: oss-signal.sarif
@@ -30,7 +30,7 @@ jobs:
         if: github.event_name != 'pull_request'
         with:
           sarif_file: oss-signal.sarif
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         with:
           name: oss-signal-report
           path: |

package/docs/examples/github-inventory-workflow.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         id: oss-signal
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -21,7 +21,7 @@ jobs:
           inventory: docs/examples/inventory-targets.txt
           output: inventory-report.md
           summary: "true"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         with:
           name: oss-signal-inventory-report
           path: inventory-report.md

package/docs/examples/github-url-report.json

@@ -1,6 +1,6 @@
 {
   "tool": "oss-signal",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "root": "https://github.com/SalmonPlays/oss-signal",
   "source": {
     "type": "github",

package/docs/examples/maintainer-trial-workflow.yml

@@ -12,12 +12,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         id: oss-signal
         with:
           output: oss-signal-report.md
           summary: "true"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: oss-signal-report

package/docs/examples/self-audit.sarif

@@ -6,7 +6,7 @@
       "tool": {
         "driver": {
           "name": "oss-signal",
-          "semanticVersion": "0.8.0",
+          "semanticVersion": "0.8.2",
           "informationUri": "https://github.com/SalmonPlays/oss-signal",
           "rules": [
             {
@@ -400,7 +400,7 @@
         "score": 100,
         "grade": "A",
         "source": "local",
-        "generatedAt": "2026-06-05T15:23:36.951Z"
+        "generatedAt": "2026-06-05T15:43:10.337Z"
       }
     }
   ]

package/docs/index.md

@@ -13,7 +13,7 @@ npx oss-signal SalmonPlays/oss-signal
 Run as a GitHub Action:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.0
+- uses: SalmonPlays/oss-signal@v0.8.2
   id: oss-signal
   with:
     path: "."
@@ -55,6 +55,6 @@ Run as a GitHub Action:
 
 - Repository: https://github.com/SalmonPlays/oss-signal
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.2
 - GitHub Marketplace listing: https://github.com/marketplace/actions/oss-signal
 - Maintainer workflow discussion: https://github.com/SalmonPlays/oss-signal/discussions/5

package/docs/maintainer-playbook.md

@@ -83,7 +83,7 @@ See [plan-output.md](plan-output.md) and [examples/github-plan.md](examples/gith
 Add the GitHub Action to keep the signal visible:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.0
+- uses: SalmonPlays/oss-signal@v0.8.2
   id: oss-signal
   with:
     fail-under: "80"
@@ -96,7 +96,7 @@ The Action writes `score`, `grade`, `failed`, and `report-path` outputs, and wri
 For a repository inventory, commit a newline-delimited target list and pass it through the Action:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.0
+- uses: SalmonPlays/oss-signal@v0.8.2
   env:
     GITHUB_TOKEN: ${{ github.token }}
   with:
@@ -116,12 +116,12 @@ permissions:
 
 steps:
   - uses: actions/checkout@v4
-  - uses: SalmonPlays/oss-signal@v0.8.0
+  - uses: SalmonPlays/oss-signal@v0.8.2
     with:
       format: sarif
       output: oss-signal.sarif
       summary: "false"
-  - uses: github/codeql-action/upload-sarif@v3
+  - uses: github/codeql-action/upload-sarif@v4
     with:
       sarif_file: oss-signal.sarif
 ```
@@ -134,7 +134,7 @@ See [docs/sarif-code-scanning.md](sarif-code-scanning.md) for the permissions, e
 
 Useful evidence for maintainers and reviewers:
 
-- A public workflow run that uses `SalmonPlays/oss-signal@v0.8.0`.
+- A public workflow run that uses `SalmonPlays/oss-signal@v0.8.2`.
 - A generated Markdown report attached as an artifact.
 - A SARIF upload in Code Scanning.
 - A small issue or PR that follows from an audit finding.

package/docs/maintainer-trial.md

@@ -23,12 +23,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         id: oss-signal
         with:
           output: oss-signal-report.md
           summary: "true"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: oss-signal-report
@@ -51,32 +51,32 @@ The same workflow is available as [examples/maintainer-trial-workflow.yml](examp
 Run against a public repository without cloning:
 
 ```bash
-npm exec --yes --package=oss-signal@0.8.0 -- oss-signal owner/repo --format markdown --output oss-signal-report.md
+npm exec --yes --package=oss-signal@0.8.2 -- oss-signal owner/repo --format markdown --output oss-signal-report.md
 ```
 
 Generate an issue-ready draft for human review:
 
 ```bash
-npm exec --yes --package=oss-signal@0.8.0 -- oss-signal owner/repo --format issue --output maintainer-follow-up.md
+npm exec --yes --package=oss-signal@0.8.2 -- oss-signal owner/repo --format issue --output maintainer-follow-up.md
 ```
 
 Generate a PR-sized plan before opening a pull request:
 
 ```bash
-npm exec --yes --package=oss-signal@0.8.0 -- oss-signal owner/repo --format plan --output maintainer-plan.md
+npm exec --yes --package=oss-signal@0.8.2 -- oss-signal owner/repo --format plan --output maintainer-plan.md
 ```
 
 Generate the no-fail trial workflow:
 
 ```bash
-npm exec --yes --package=oss-signal@0.8.0 -- oss-signal owner/repo --format workflow --output .github/workflows/oss-signal-trial.yml
+npm exec --yes --package=oss-signal@0.8.2 -- oss-signal owner/repo --format workflow --output .github/workflows/oss-signal-trial.yml
 ```
 
 ## Evidence To Share
 
 Useful public evidence is concrete:
 
-- a workflow run that uses `SalmonPlays/oss-signal@v0.8.0`
+- a workflow run that uses `SalmonPlays/oss-signal@v0.8.2`
 - a linked `oss-signal-report.md` artifact
 - a maintainer reply saying the report was useful, not useful, or intentionally out of scope
 - a merged issue-template, security-policy, CI, or documentation PR informed by the report

package/docs/marketplace.md

@@ -7,13 +7,13 @@ This checklist records the Marketplace publishing state for `oss-signal`.
 - Repository is public.
 - Action metadata exists at the repository root: [../action.yml](../action.yml).
 - The Action metadata uses a unique name: `oss-signal`.
-- The repository has a released Action tag: `v0.8.0`.
+- The repository has a released Action tag: `v0.8.2`.
 - The README contains install, CLI, GitHub Action, SARIF, inventory, workflow-trial, and maintainer workflow examples.
 - The repository has public CI, CodeQL, OpenSSF Scorecard, repository health, repository inventory, and release workflows.
 - The repository includes an MIT [LICENSE](../LICENSE) that should be used as the Action EULA for Marketplace users.
 - GitHub Marketplace Developer Agreement has been reviewed by the repository owner.
 - The GitHub Marketplace listing is published: https://github.com/marketplace/actions/oss-signal
-- The current Action tag is `v0.8.0`: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
+- The current Action tag is `v0.8.2`: https://github.com/SalmonPlays/oss-signal/tree/v0.8.2
 
 ## Marketplace Categories
 
@@ -26,7 +26,7 @@ Secondary category: `Code quality`
 Title:
 
 ```text
-oss-signal v0.8.0
+oss-signal v0.8.2
 ```
 
 Description:

package/docs/post-submission-update.md

@@ -23,12 +23,14 @@ The older submission evidence remains valid. The current `latest` npm version si
 | `v0.6.4` | npm package, GitHub Release, Action tag | Published OSS Maintainer Signal brand assets and npm/GitHub metadata polish. |
 | `v0.7.0` | npm package, GitHub Release, Action tag | Added maintainer plan output for PR-sized outreach planning. |
 | `v0.8.0` | npm package, GitHub Release, Action tag | Added no-fail workflow output and trial feedback intake for external maintainers. |
+| `v0.8.1` | npm package, GitHub Release, Action tag | Moved the GitHub Action runtime to Node.js 24 and refreshed SARIF upload examples. |
+| `v0.8.2` | npm package, GitHub Release, Action tag | Updated generated workflows and dogfood workflows to `actions/upload-artifact@v5`. |
 
 ## Current Evidence
 
-- npm package: https://www.npmjs.com/package/oss-signal (`0.8.0` latest after release)
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.0
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
+- npm package: https://www.npmjs.com/package/oss-signal (`0.8.2` latest after release)
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.2
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.2
 - Release workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/release.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - GitHub repository profile: description, npm homepage, eight maintainer-focused topics, social preview image, and profile pin are live.
@@ -43,7 +45,7 @@ The older submission evidence remains valid. The current `latest` npm version si
 
 ## Clean Verification
 
-The public registry should return `0.8.0` for both package version and `latest` dist-tag after the no-fail workflow release.
+The public registry should return `0.8.2` for both package version and `latest` dist-tag after the workflow dependency refresh release.
 
 ```bash
 npm view oss-signal version dist-tags --json
@@ -53,17 +55,17 @@ Expected result:
 
 ```json
 {
-  "version": "0.8.0",
+  "version": "0.8.2",
   "dist-tags": {
-    "latest": "0.8.0"
+    "latest": "0.8.2"
   }
 }
 ```
 
-A clean npm execution against the public GitHub repository should return version `0.8.0`, score `100`, grade `A`, and source `github`.
+A clean npm execution against the public GitHub repository should return version `0.8.2`, score `100`, grade `A`, and source `github`.
 
 ```bash
-npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal --format json
+npm exec --yes --package=oss-signal@0.8.2 -- oss-signal SalmonPlays/oss-signal --format json
 ```
 
 ## Review Impact
@@ -71,7 +73,7 @@ npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal -
 This version difference should be read as post-submission maintenance progress, not as a mismatch. It strengthens the evidence in three ways:
 
 - The package now has a successful npm Trusted Publishing release from GitHub Actions.
-- The GitHub Action tag, npm package, release notes, and documentation all point to `0.8.0`.
+- The GitHub Action tag, npm package, release notes, and documentation all point to `0.8.2`.
 - The repository has public CI, Repository health, Repository inventory, CodeQL, OpenSSF Scorecard, Release workflow evidence, social preview branding, profile pinning, Discussions, CODEOWNERS, and issue routing.
 - The current release includes `--format plan`, which turns audit findings into PR-sized outreach plans before external posting.
 - The current release includes `--format workflow`, which renders a no-fail GitHub Actions trial workflow for external maintainers.

package/docs/release-notes/v0.8.1.md

@@ -0,0 +1,19 @@
+# oss-signal v0.8.1
+
+`oss-signal` v0.8.1 moves the GitHub Action runtime to Node.js 24 and refreshes SARIF upload examples.
+
+## Changed
+
+- `action.yml` now uses `node24`, avoiding the GitHub-hosted runner warning for JavaScript actions still pinned to Node.js 20.
+- SARIF documentation examples now use `github/codeql-action/upload-sarif@v4`.
+- Current-release documentation, generated workflow examples, and reviewer evidence links now point to `v0.8.1`.
+
+## Verification
+
+```bash
+npm run check
+npm publish --dry-run
+node src/cli.js . --format workflow --output docs/examples/maintainer-trial-workflow.yml
+```
+
+The release is intentionally compatibility-focused. CLI behavior and report formats are unchanged from v0.8.0.

package/docs/release-notes/v0.8.2.md

@@ -0,0 +1,19 @@
+# oss-signal v0.8.2
+
+`oss-signal` v0.8.2 updates generated and dogfood workflows to `actions/upload-artifact@v5`.
+
+## Changed
+
+- Generated no-fail trial workflows now upload artifacts with `actions/upload-artifact@v5`.
+- Repository CI, health, inventory, and Scorecard workflows now use `actions/upload-artifact@v5`.
+- Documentation examples now match the current GitHub-hosted runner action versions.
+
+## Verification
+
+```bash
+npm run check
+npm publish --dry-run
+node src/cli.js . --format workflow --output docs/examples/maintainer-trial-workflow.yml
+```
+
+The release is compatibility-focused and keeps the v0.8 workflow output contract unchanged.

package/docs/reviewer-evidence.md

@@ -6,7 +6,7 @@ This page gives reviewers a short path to verify that `oss-signal` is a real OSS
 
 ## Application Version Note
 
-The Codex for Open Source application was submitted on 2026-06-03. The npm package and Action tag continued to move after submission as normal OSS maintenance. If any submitted field references older evidence, treat `0.8.0` as the current maintained release and see [post-submission-update.md](post-submission-update.md).
+The Codex for Open Source application was submitted on 2026-06-03. The npm package and Action tag continued to move after submission as normal OSS maintenance. If any submitted field references older evidence, treat `0.8.2` as the current maintained release and see [post-submission-update.md](post-submission-update.md).
 
 ## Five-Minute Verification
 
@@ -16,12 +16,12 @@ The Codex for Open Source application was submitted on 2026-06-03. The npm packa
 npm view oss-signal version dist-tags --json
 ```
 
-Expected result: `version` is `0.8.0`, and `dist-tags.latest` is `0.8.0`.
+Expected result: `version` is `0.8.2`, and `dist-tags.latest` is `0.8.2`.
 
 2. Run the published package against the public repository:
 
 ```bash
-npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal --format json
+npm exec --yes --package=oss-signal@0.8.2 -- oss-signal SalmonPlays/oss-signal --format json
 ```
 
 Expected result: score `100`, grade `A`, source `github`.
@@ -64,8 +64,8 @@ Expected result: a Markdown table with one row per repository, average score, sc
 
 5. Inspect the public Action tag:
 
-- Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
-- Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.0
+- Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.2
+- Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.2
 - Action metadata: [../action.yml](../action.yml)
 
 6. Inspect field-audit evidence:

package/docs/roadmap.md

@@ -12,7 +12,7 @@ This roadmap focuses on the next maintainer workflows that would make `oss-signa
 
 | Area | Goal | Evidence target |
 | --- | --- | --- |
-| Adoption | Help one external maintainer run `SalmonPlays/oss-signal@v0.8.0` in a public workflow or leave concrete trial feedback. | [Issue #8](https://github.com/SalmonPlays/oss-signal/issues/8), [maintainer-trial.md](maintainer-trial.md), [maintainer-feedback.md](maintainer-feedback.md), then linked workflow run or maintainer reply in [adoption-evidence.md](adoption-evidence.md). |
+| Adoption | Help one external maintainer run `SalmonPlays/oss-signal@v0.8.2` in a public workflow or leave concrete trial feedback. | [Issue #8](https://github.com/SalmonPlays/oss-signal/issues/8), [maintainer-trial.md](maintainer-trial.md), [maintainer-feedback.md](maintainer-feedback.md), then linked workflow run or maintainer reply in [adoption-evidence.md](adoption-evidence.md). |
 | Automation | Document a stable JSON schema for consumers that parse `--format json`. | Completed in [Issue #9](https://github.com/SalmonPlays/oss-signal/issues/9), [json-output.md](json-output.md), [schema](schema/json-output.schema.json), and [fixture](examples/github-url-report.json). |
 | Code Scanning | Add a complete screenshot-backed SARIF walkthrough. | Completed in [Issue #10](https://github.com/SalmonPlays/oss-signal/issues/10), [sarif-code-scanning.md](sarif-code-scanning.md), and [output example](assets/code-scanning-results.svg). |
 | Outreach | Convert audit findings into PR-sized maintainer plans before posting externally. | Implemented in `--format plan`, [plan-output.md](plan-output.md), and [examples/github-plan.md](examples/github-plan.md). |

package/docs/sarif-code-scanning.md

@@ -23,12 +23,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         with:
           format: sarif
           output: oss-signal.sarif
           summary: "false"
-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@v4
         if: github.event_name != 'pull_request'
         with:
           sarif_file: oss-signal.sarif

package/docs/security-model.md

@@ -46,7 +46,7 @@ SARIF output reports maintainer-readiness findings at warning level. These findi
 ## Supply Chain
 
 - The npm package is published publicly as `oss-signal`.
-- The GitHub Action is pinned by release tag, for example `SalmonPlays/oss-signal@v0.8.0`.
+- The GitHub Action is pinned by release tag, for example `SalmonPlays/oss-signal@v0.8.2`.
 - The release workflow checks the package version against the release tag before publishing.
 - The repository runs CI, CodeQL, OpenSSF Scorecard, repository health, and repository inventory workflows on `main`.
 

package/docs/self-audit.md

@@ -2,7 +2,7 @@
 
 Repository: `/Users/amon/Documents/Codex/2026-06-01/openai-s/outputs/oss-signal`
 Source: local
-Generated: 2026-06-04T23:24:40.858Z
+Generated: 2026-06-05T15:43:10.350Z
 
 Score: **100/100** (A)
 

package/docs/social-launch.md

@@ -85,7 +85,7 @@ https://github.com/SalmonPlays/oss-signal
 ## GitHub Discussion Announcement
 
 ```markdown
-`oss-signal` v0.8.0 is live on npm and GitHub Marketplace.
+`oss-signal` v0.8.2 is live on npm and GitHub Marketplace.
 
 The tool is built for OSS maintainers and contributors who want a small, repeatable way to check maintainer-readiness signals before opening cleanup issues or PRs.
 

package/docs/trust-center.md

@@ -11,7 +11,7 @@ This page collects the strongest public signals for reviewers, maintainers, and
 What it does have is a complete, public maintainer workflow:
 
 - Public npm package: https://www.npmjs.com/package/oss-signal
-- Public GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
+- Public GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.2
 - Public GitHub Marketplace listing: https://github.com/marketplace/actions/oss-signal
 - Public GitHub Pages landing page: https://salmonplays.github.io/oss-signal/
 - Public no-fail maintainer trial workflow: [maintainer-trial.md](maintainer-trial.md)
@@ -27,7 +27,7 @@ What it does have is a complete, public maintainer workflow:
 
 | Signal | Public evidence | Why it matters |
 | --- | --- | --- |
-| Installable CLI | `npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal --format json` | Reviewers can run the package without cloning this repository. |
+| Installable CLI | `npm exec --yes --package=oss-signal@0.8.2 -- oss-signal SalmonPlays/oss-signal --format json` | Reviewers can run the package without cloning this repository. |
 | Marketplace Action | https://github.com/marketplace/actions/oss-signal | Users can discover and copy the Action through GitHub Marketplace. |
 | Maintainer trial | [maintainer-trial](maintainer-trial.md) | External maintainers can try the Action without failing CI first. |
 | Maintainer feedback | [maintainer-feedback](maintainer-feedback.md) | Neutral or negative maintainer responses can still improve rules and count as real third-party feedback. |
@@ -48,7 +48,7 @@ What it does have is a complete, public maintainer workflow:
 The GitHub Marketplace listing is a discovery page for the Action. It lets users find `oss-signal`, inspect the Action metadata and README, and copy a workflow snippet using:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.0
+- uses: SalmonPlays/oss-signal@v0.8.2
 ```
 
 The listing is not a paid product. It is a free Action listing. Running GitHub Actions has separate GitHub Actions billing rules, but standard GitHub-hosted runners are free for public repositories.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oss-signal",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "description": "Maintainer-readiness CLI and GitHub Action for OSS triage, CI evidence, inventory reports, SARIF, issue-ready cleanup, and workflow trials.",
   "type": "module",
   "bin": {

package/src/index.js

@@ -2,7 +2,7 @@ import { promises as fs } from "node:fs";
 import https from "node:https";
 import path from "node:path";
 
-export const VERSION = "0.8.0";
+export const VERSION = "0.8.2";
 
 const SARIF_RULE_LOCATIONS = {
   readme: "README.md",
@@ -401,12 +401,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.0
+      - uses: SalmonPlays/oss-signal@v0.8.2
         id: oss-signal
         with:
           output: oss-signal-report.md
           summary: "true"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: oss-signal-report