npm - tsp-verify - Versions diffs - 0.1.0 → 0.1.1 - Mend

tsp-verify 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +17 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -63,3 +63,20 @@ fixtures (ADR-0008: the spec owns the truth).
 Verification only: this package holds no private keys and signs nothing. Part of
 the `tsp-verify` family alongside the Python, Rust, and Go ports.
+## Releasing
+Publishing is automated and runs **with npm provenance** (a signed attestation
+tying the published tarball to this repo and the exact CI run — apt for a
+provenance project). To cut a release:
+1. Bump `version` in `package.json` (e.g. `0.1.1`) and commit to `main`.
+2. Tag and push: `git tag v0.1.1 && git push origin v0.1.1`.
+The `Release (npm)` workflow then runs the test + conformance suites, verifies
+the tag matches `package.json`, and runs `npm publish --provenance --access public`.
+One-time setup: add a repo secret **`NPM_TOKEN`** (npm Automation or
+Granular-Access token with publish rights for `tsp-verify`) under
+*Settings → Secrets and variables → Actions*. npm versions are immutable, so
+each release needs a new version number.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "tsp-verify",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "JavaScript port of the Trust Standard Protocol (TSP) verifier core: RFC 8785 canonicalization, trust envelope + manifest validation, Ed25519 local verification, and offline license-artifact verification (tsp.license.v1). Zero dependencies.",
   "type": "module",
   "main": "src/index.js",