
Publish to npm on tag — Sigstore/OIDC provenance + latest-confirmation gate #3

Description

@styk-tv

Wire npm publish --provenance --access public into the tag-triggered release workflow, after the OCI attestation gate, reusing the job's id-token: write (same Sigstore/OIDC identity as the OCI attestation). Add a confirmation step asserting the published version is live, dist-tags.latest resolves to it, and provenance is attached. Idempotent; hard-fails if package.json version != tag. No effect until a tag is pushed. LATEST.md advertises the npm channel.

State: workflow implemented, staged for the v1.5.3 commit. Activation depends on npm auth (see go-live issue).
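The two gates the issue describes (pre-publish: package.json version must equal the tag; post-publish: version live, `dist-tags.latest` resolves to it, provenance attached), as an added shell example that is not the repository's own workflow. The `vX.Y.Z` tag format, the package name passed on the command line, and the `npm view` fields (`version`, `dist-tags.latest`, `dist.attestations.url`) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: release gates for a tag-triggered "npm publish --provenance".
# Not the project's own workflow; tag format and npm view fields are assumptions.
set -eu

# Strip the leading "v" from a git tag: "v1.5.3" -> "1.5.3".
tag_to_version() {
  printf '%s\n' "${1#v}"
}

# Pre-publish gate: hard-fail unless package.json "version" equals the tag.
# $1 = tag, $2 = path to package.json
assert_version_matches_tag() {
  local want have
  want=$(tag_to_version "$1")
  have=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1)
  if [ "$have" != "$want" ]; then
    echo "FAIL: package.json version '$have' != tag version '$want'" >&2
    return 1
  fi
  echo "OK: package.json version $have matches tag $1"
}

# Post-publish gate over what the registry reports (pure; no network).
# $1 = expected version, $2 = version resolved for name@version ("" if absent),
# $3 = dist-tags.latest, $4 = dist.attestations.url ("" if no provenance)
evaluate_registry_state() {
  if [ "$2" != "$1" ]; then
    echo "FAIL: $1 is not live on the registry (got '$2')" >&2; return 1
  fi
  if [ "$3" != "$1" ]; then
    echo "FAIL: dist-tags.latest is '$3', expected $1" >&2; return 1
  fi
  case "$4" in
    https://*) ;;
    *) echo "FAIL: no provenance attestation attached to $1" >&2; return 1 ;;
  esac
  echo "OK: $1 is live, is latest, and has provenance attached"
}

# Query the registry and feed the answers to the gate. Assumes npm on PATH.
# $1 = package name, $2 = tag. Safe to re-run after an idempotent publish.
confirm_publish() {
  local v; v=$(tag_to_version "$2")
  evaluate_registry_state "$v" \
    "$(npm view "$1@$v" version 2>/dev/null || true)" \
    "$(npm view "$1" dist-tags.latest 2>/dev/null || true)" \
    "$(npm view "$1@$v" dist.attestations.url 2>/dev/null || true)"
}

# Usage: ./gate.sh <package-name> <tag>   (run after the publish step)
if [ $# -ge 2 ]; then
  assert_version_matches_tag "$2" ./package.json
  confirm_publish "$1" "$2"
fi
```

In the workflow, the first gate runs before `npm publish` and the second after it, so a run that finds the version already live and latest with provenance attached exits 0 rather than republishing.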

Labels: P1 (Priority 1 — this release), enhancement (New feature or request)