Wire npm publish --provenance --access public into the tag-triggered release workflow, after the OCI attestation gate, reusing the job's id-token: write (same Sigstore/OIDC identity as the OCI attestation). Add a confirmation step asserting the published version is live, dist-tags.latest resolves to it, and provenance is attached. Idempotent; hard-fails if package.json version != tag. No effect until a tag is pushed. LATEST.md advertises the npm channel.
State: workflow implemented, staged for the v1.5.3 commit. Activation depends on npm auth (see go-live issue).
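The gates described above, written as shell functions a release step could call. This is an added example, not the project's workflow: the function names, the `NPM_BIN` override, the `fake_npm` stub, and the choice to make the step idempotent by skipping `npm publish` when the version is already live are assumptions. Provenance is read from the `dist.attestations.provenance.predicateType` field that `npm view` reports for a version published with `--provenance`.

```shell
# Added example, not the project's workflow. NPM_BIN is an assumption that
# lets the registry calls be stubbed; it defaults to the real npm CLI.
NPM_BIN="${NPM_BIN:-npm}"

# Gate: the pushed tag (for example v1.5.3) must equal package.json's version.
tag_matches_version() { [ "${1#v}" = "$2" ]; }    # $1 = tag, $2 = version

# Read one field of the registry record; prints nothing when it is absent.
registry_field() { "$NPM_BIN" view "$1" "$2" 2>/dev/null || true; }

# Idempotency (assumed approach): publish only if this version is not yet live.
needs_publish() { [ "$(registry_field "$1@$2" version)" != "$2" ]; }

# Confirmation: version live, dist-tags.latest points at it, provenance attached.
confirm_release() {                               # $1 = package, $2 = version
  local live latest predicate
  live="$(registry_field "$1@$2" version)"
  latest="$(registry_field "$1" dist-tags.latest)"
  predicate="$(registry_field "$1@$2" dist.attestations.provenance.predicateType)"
  [ "$live" = "$2" ]   || { echo "FAIL: $1@$2 is not live" >&2; return 1; }
  [ "$latest" = "$2" ] || { echo "FAIL: latest is '$latest', want $2" >&2; return 1; }
  case "$predicate" in
    https://slsa.dev/provenance/*) ;;
    *) echo "FAIL: no provenance attestation on $1@$2" >&2; return 1 ;;
  esac
}

# Full step: $1 = tag, $2 = package name, $3 = version read from package.json.
release() {
  tag_matches_version "$1" "$3" || { echo "FAIL: tag $1 != version $3" >&2; return 1; }
  if needs_publish "$2" "$3"; then
    "$NPM_BIN" publish --provenance --access public || return 1
  fi
  confirm_release "$2" "$3"
}

# Constructed stand-in for the registry so the checks can be exercised offline.
fake_npm() {
  case "$1 $3" in
    "view version") echo "$FAKE_LIVE" ;;
    "view dist-tags.latest") echo "$FAKE_LATEST" ;;
    "view dist.attestations.provenance.predicateType") echo "$FAKE_PRED" ;;
    publish*) FAKE_LIVE="$FAKE_NEXT" FAKE_LATEST="$FAKE_NEXT" FAKE_PUBLISHES=$((FAKE_PUBLISHES + 1)) ;;
  esac
}
```

Setting `NPM_BIN=fake_npm` with the `FAKE_*` variables runs the whole flow without touching the registry; in the workflow the default `npm` is used and `release` is called with the pushed tag.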