From 27c56adf8a21910036a271bf82902beb1b969bb7 Mon Sep 17 00:00:00 2001 From: bordumb Date: Tue, 9 Jun 2026 21:35:20 +0100 Subject: [PATCH 1/3] chore: bump pinned auths-version to 0.1.1 Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG --- .github/workflows/release.yml | 4 ++-- .github/workflows/sign-commits.yml | 2 +- .github/workflows/verify-commits.yml | 2 +- README.md | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 485607b..6477eef 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,7 +38,7 @@ jobs: note: 'GitHub Actions release — ${{ github.ref_name }}' # The hardened installer never resolves `latest`; an unpinned version # aborts the release on a runner without `auths` on PATH. - auths-version: '0.0.1-rc.12' + auths-version: '0.1.1' - name: Generate SHA256 checksums run: | @@ -67,7 +67,7 @@ jobs: ```yaml - uses: auths-dev/sign@v1 with: - auths-version: '0.0.1-rc.12' # pin — the action never resolves `latest` + auths-version: '0.1.1' # pin — the action never resolves `latest` files: 'dist/index.js' ``` diff --git a/.github/workflows/sign-commits.yml b/.github/workflows/sign-commits.yml index 981ae4e..7dd647f 100644 --- a/.github/workflows/sign-commits.yml +++ b/.github/workflows/sign-commits.yml @@ -23,4 +23,4 @@ jobs: with: commits: 'HEAD~1..HEAD' # The hardened installer never resolves `latest`; unpinned would throw. - auths-version: '0.0.1-rc.12' + auths-version: '0.1.1' diff --git a/.github/workflows/verify-commits.yml b/.github/workflows/verify-commits.yml index 4d5ac19..15ffa56 100644 --- a/.github/workflows/verify-commits.yml +++ b/.github/workflows/verify-commits.yml @@ -18,7 +18,7 @@ jobs: - uses: auths-dev/verify@v1 with: - auths-version: '0.0.1-rc.12' + auths-version: '0.1.1' identity-bundle: .auths/ci-bundle.json fail-on-unsigned: true post-pr-comment: 'true' diff --git a/README.md b/README.md index c373b68..c22fad3 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ jobs: - uses: auths-dev/sign@v1 with: - auths-version: "0.0.1-rc.12" # pin the CLI — the action never resolves `latest` + auths-version: "0.1.1" # pin the CLI — the action never resolves `latest` files: | dist/*.tar.gz dist/*.zip @@ -73,7 +73,7 @@ No tokens. No secrets. The action generates a throwaway key per run, signs your | `commits` | No | | Git revision range to sign | | `commit-sha` | No | `$GITHUB_SHA` | Commit SHA to anchor attestation to | | `note` | No | | Note to include in the attestation | -| `auths-version` | Yes (unless on PATH) | | Auths CLI version to **pin** (e.g. `0.0.1-rc.12`); the action never resolves `latest` and fails closed without a verifiable `.sha256` | +| `auths-version` | Yes (unless on PATH) | | Auths CLI version to **pin** (e.g. `0.1.1`); the action never resolves `latest` and fails closed without a verifiable `.sha256` | | `fail-on-unanchored` | No | `false` | Fail (instead of warn) when no `.auths/roots` trust root is present | At least one of `files` or `commits` must be provided. From 8d31778067f777a3dda6dd4bc18b380ce798d088 Mon Sep 17 00:00:00 2001 From: bordumb Date: Wed, 10 Jun 2026 01:03:03 +0100 Subject: [PATCH 2/3] chore: refresh CI identity bundle for the current maintainer identity Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG --- .auths/ci-bundle.json | 41 ++++++++++++++++++++++++++++++++--------- 1 file changed, 32 insertions(+), 9 deletions(-) diff --git a/.auths/ci-bundle.json b/.auths/ci-bundle.json index 90e1913..0226a8f 100644 --- a/.auths/ci-bundle.json +++ b/.auths/ci-bundle.json @@ -1,23 +1,46 @@ { - "identity_did": "did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac", - "public_key_hex": "025587d93658ed5be7be14027e3dae1f7312c968011faa45302abdf677a0c74b2a", + "identity_did": "did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG", + "public_key_hex": "02f7d33345c84176a48286539a7e74cdef1c266eb38e389711edb129fcc7938de0", "curve": "p256", "attestation_chain": [ { "version": 1, "rid": ".auths", - "issuer": "did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac", - "subject": "did:key:zDnaeWBqqznf8xyJhTAfc1RU4VFzUoRmw85G3hVdVS9mpLemP", + "issuer": "did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG", + "subject": "did:key:zDnaeh7NXw4vXWstkivGmQaBGZkoG4Fwp6uRAh6Khe5hXmUSj", "device_public_key": { "curve": "p256", - "key": "025587d93658ed5be7be14027e3dae1f7312c968011faa45302abdf677a0c74b2a" + "key": "02f7d33345c84176a48286539a7e74cdef1c266eb38e389711edb129fcc7938de0" }, - "identity_signature": "d6776a5182df46bb646938d8416ed7ce3a2a9f55a841900c360d1e7190d3af7a5a5d8832dfad1bd43540cfeaba43df3f96c7a8f95ff8b970f6bdf71c878989c9", - "device_signature": "49d8c6dc15ad8d79f91bce2b9cb3533dd8cf4d3e12305641f0765f5624655812c549dcac07ad6a52f07e9fc41a3827db55f68069f9bd1bcc74feeb85197665c1", - "timestamp": "2026-06-03T17:32:34.460661Z", + "identity_signature": "b6fa3436b0fd03462ceb835f5184837f8f462ae96b91c30d0b5dcada0d99c5af6632567fe1af79264a96f9ae3fb2aa9f2dd56cb31329c8f79d0afe05d0afef36", + "device_signature": "7be8c0f9a26dd33d38b88e1911ad9b59b071c5eee02c3d0dd8b3faf6dd462f62fa17dd0bf8f6ad707e3818cbec8ae264af053a70f562d69036cf4a3873574f06", + "timestamp": "2026-06-09T22:01:42.838518Z", "note": "Linked by auths-sdk setup" + }, + { + "version": 1, + "rid": "sha256:f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2", + "issuer": "did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG", + "subject": "did:key:zDnaeh7NXw4vXWstkivGmQaBGZkoG4Fwp6uRAh6Khe5hXmUSj", + "device_public_key": { + "curve": "p256", + "key": "02f7d33345c84176a48286539a7e74cdef1c266eb38e389711edb129fcc7938de0" + }, + "identity_signature": "695e52d4641d6e1f86009bc89665d8e218e375b5a7402959909fb637c2c5e48b1268e718b5161301009b72100ba3c4ea5e4c1a3293c699a6860bb0edb31d94df", + "device_signature": "991ce277ffc5e57bd5ac7c274a871273cc8a6a8d6a3bcb867fb697d839ac8be1af76cf47ca0dc687feb8c06b354740edd7cd343da65ff3d871c2bb1974471754", + "timestamp": "2026-06-09T23:10:38.598909Z", + "payload": { + "artifact_type": "file", + "digest": { + "algorithm": "sha256", + "hex": "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2" + }, + "name": "relprobe.txt", + "size": 5 + }, + "commit_sha": "d4443cd81077f396ec1a1366bc0356cc19b3bbf5" } ], - "bundle_timestamp": "2026-06-09T19:49:11.207253Z", + "bundle_timestamp": "2026-06-10T00:02:16.144780Z", "max_valid_for_secs": 31536000 } \ No newline at end of file From d170ce6ef8adc27658d4e4c1ed510ac09c3899c9 Mon Sep 17 00:00:00 2001 From: bordumb Date: Wed, 10 Jun 2026 01:48:52 +0100 Subject: [PATCH 3/3] chore: pin 0.1.2; KEL-carrying CI bundle (stateless verification) Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG --- .auths/ci-bundle.json | 49 +++++++++++++++++++++++++++- .github/workflows/release.yml | 4 +-- .github/workflows/sign-commits.yml | 2 +- .github/workflows/verify-commits.yml | 2 +- README.md | 4 +-- 5 files changed, 54 insertions(+), 7 deletions(-) diff --git a/.auths/ci-bundle.json b/.auths/ci-bundle.json index 0226a8f..fcccc08 100644 --- a/.auths/ci-bundle.json +++ b/.auths/ci-bundle.json @@ -41,6 +41,53 @@ "commit_sha": "d4443cd81077f396ec1a1366bc0356cc19b3bbf5" } ], - "bundle_timestamp": "2026-06-10T00:02:16.144780Z", + "kel": [ + { + "v": "KERI10JSON00012f_", + "t": "icp", + "d": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG", + "i": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG", + "s": "0", + "kt": "1", + "k": [ + "1AAJAvfTM0XIQXakgoZTmn50ze8cJm6zjjiXEe2xKfzHk43g" + ], + "nt": "1", + "n": [ + "EGdbaV-wPaf-_ipeasSHuXwmb0YtEt7FaMk68HLxD4mn" + ], + "bt": "0", + "b": [], + "c": [], + "a": [] + }, + { + "v": "KERI10JSON0000ff_", + "t": "ixn", + "d": "EDxwuXyK6UzdhpDUJOggQGHTdWpc0APpPHihmiUcye6y", + "i": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG", + "s": "1", + "p": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG", + "a": [ + { + "d": "EBZ9C975VziWzzdir1SctdzUDmqZMCKgG7J6zU9m8aES" + } + ] + }, + { + "v": "KERI10JSON0000ff_", + "t": "ixn", + "d": "EIrQ9Hly1PL1MkNynKgrQ_X9Mjspm5lxupzyOMasbZQu", + "i": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG", + "s": "2", + "p": "EDxwuXyK6UzdhpDUJOggQGHTdWpc0APpPHihmiUcye6y", + "a": [ + { + "d": "EBSIjdFY0dh2tv8BsfpPIBQ-QkA7Ay8d7G3vG18vrkwS" + } + ] + } + ], + "bundle_timestamp": "2026-06-10T00:32:04.746971Z", "max_valid_for_secs": 31536000 } \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6477eef..1e0da61 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,7 +38,7 @@ jobs: note: 'GitHub Actions release — ${{ github.ref_name }}' # The hardened installer never resolves `latest`; an unpinned version # aborts the release on a runner without `auths` on PATH. - auths-version: '0.1.1' + auths-version: '0.1.2' - name: Generate SHA256 checksums run: | @@ -67,7 +67,7 @@ jobs: ```yaml - uses: auths-dev/sign@v1 with: - auths-version: '0.1.1' # pin — the action never resolves `latest` + auths-version: '0.1.2' # pin — the action never resolves `latest` files: 'dist/index.js' ``` diff --git a/.github/workflows/sign-commits.yml b/.github/workflows/sign-commits.yml index 7dd647f..0d835ca 100644 --- a/.github/workflows/sign-commits.yml +++ b/.github/workflows/sign-commits.yml @@ -23,4 +23,4 @@ jobs: with: commits: 'HEAD~1..HEAD' # The hardened installer never resolves `latest`; unpinned would throw. - auths-version: '0.1.1' + auths-version: '0.1.2' diff --git a/.github/workflows/verify-commits.yml b/.github/workflows/verify-commits.yml index 15ffa56..23ae761 100644 --- a/.github/workflows/verify-commits.yml +++ b/.github/workflows/verify-commits.yml @@ -18,7 +18,7 @@ jobs: - uses: auths-dev/verify@v1 with: - auths-version: '0.1.1' + auths-version: '0.1.2' identity-bundle: .auths/ci-bundle.json fail-on-unsigned: true post-pr-comment: 'true' diff --git a/README.md b/README.md index c22fad3..1fccec7 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ jobs: - uses: auths-dev/sign@v1 with: - auths-version: "0.1.1" # pin the CLI — the action never resolves `latest` + auths-version: "0.1.2" # pin the CLI — the action never resolves `latest` files: | dist/*.tar.gz dist/*.zip @@ -73,7 +73,7 @@ No tokens. No secrets. The action generates a throwaway key per run, signs your | `commits` | No | | Git revision range to sign | | `commit-sha` | No | `$GITHUB_SHA` | Commit SHA to anchor attestation to | | `note` | No | | Note to include in the attestation | -| `auths-version` | Yes (unless on PATH) | | Auths CLI version to **pin** (e.g. `0.1.1`); the action never resolves `latest` and fails closed without a verifiable `.sha256` | +| `auths-version` | Yes (unless on PATH) | | Auths CLI version to **pin** (e.g. `0.1.2`); the action never resolves `latest` and fails closed without a verifiable `.sha256` | | `fail-on-unanchored` | No | `false` | Fail (instead of warn) when no `.auths/roots` trust root is present | At least one of `files` or `commits` must be provided.