Auths Commit Verification
Result: ❌ 1/9 commits verified

How to fix

1. Install auths
   macOS:
2. One-time setup (creates your identity and configures Git)
   auths init
3. Sign this branch and push
   auths sign origin/main..HEAD
   git push --force-with-lease

For CI to verify the signer, commit an identity bundle:
   auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000
- require a pinned auths-version; never resolve releases/latest (throw if unset and auths not on PATH)
- fail closed when a release .sha256 is absent/unfetchable instead of warning and running an unverified binary
- treat checksum/integrity errors as fatal instead of masking them as 'binary not found'
- document the pin requirement in action.yml input + README quickstart/inputs
- rebuild dist/

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac

The input carries public identity-bundle data, not a secret; 'token' collided with the GITHUB_TOKEN mental model. Renamed across action.yml, main.ts (live read + doc strings), README usage/table/prose, and Jest input mocks; left github-token and the 'CI token' format strings intact. Rebuilt dist/.

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac

LICENSE is Apache-2.0 and the README already states it; package.json declared MIT. Sync package.json + the package-lock root self-entry.

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac

The action fails closed when auths-version is empty and auths isn't on PATH, so unpinned copy-paste examples would hard-fail on a clean runner. Add the pin to every usage snippet (with a with: block where missing).

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac

- CHANGELOG.md (Keep a Changelog) documenting the breaking token -> identity-bundle rename, KEL-native verification, supply-chain hardening, and the license fix under [Unreleased]
- .github-template/workflows/verify.yml starter template (least-privilege permissions, fetch-depth: 0, pinned auths-version) that sync-to-dedicated-repo.sh now ships to the public repo

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac

Replace the hardcoded static badge with an endpoint badge backed by a committed endpoint.json, and sync endpoint.json to the dedicated repo. Live pass/fail wiring is tracked as a follow-up (needs hosting/branch infra that conflicts with the signed-commit gate).

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac

The marketplace/public repo needs LICENSE (Apache-2.0) and the CHANGELOG; the sync script copied neither. Add them so a release ships a complete repo.

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac

Prepare the release commit: bump package.json + lockfile to 1.4.0 and promote CHANGELOG [Unreleased] -> [1.4.0]. The tag + floating-v1 move is cut from main post-merge via 'just release 1.4.0' (needs signing).

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac

…_signers + static badge
- pin auths-version 0.0.1-rc.12 in verify-commits/sign-commits/release workflows (fail-closed installer requires it)
- commit .auths/ci-bundle.json and pass it via identity-bundle (runners have no local identity store)
- drop .auths/allowed_signers (retired model) and the static endpoint.json badge
- README: document artifacts-verified/artifact-results outputs
- package.json: auths-dev org name/author, refresh keywords

Auths-Id: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths-Device: did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
Auths Commit Verification
Result: ✅ 9/9 commits verified
Stream F — verifyAction go-to-market hardening

Pre-launch polish so the action is correct, consistent, and credible for its first public Marketplace release. Tracked as Flow epic fn-2 (roadmap Stream F).

What landed

- Renamed `token` → `identity-bundle` (it carries public identity data, not a secret). Updated `action.yml`, `main.ts` (live read + doc strings), all README usage/table/prose, and Jest mocks; rebuilt `dist/`. `github-token` and the "CI token" format strings are untouched.
- `package.json` (+ lockfile root) now `Apache-2.0`, matching `LICENSE` and the README.
- Pinned `auths-version` in all 11 README examples (the action fails closed without it on a clean runner).
- `CHANGELOG.md` (Keep a Changelog; documents the breaking rename) and a `.github-template/workflows/verify.yml` starter template (least-privilege `permissions`, `fetch-depth: 0`, pinned version) that `sync-to-dedicated-repo.sh` now ships.
- `endpoint.json` (now also synced to the dedicated repo).
- `auths-version` pinning + fail-closed SHA256 checksum verification of the downloaded CLI (never resolves `latest`).
- `sync-to-dedicated-repo.sh` now also ships `LICENSE` and `CHANGELOG.md` to the public/marketplace repo (it shipped neither before).

Not in this PR (handed off)

- (`v1` tag) — deliberately not automated. It needs interactive Secure-Enclave signing (signed commit + signed tag) and an outward-facing publish, plus a decision: move `v1` (if zero external `@v1` consumers — the rename is breaking) or cut `v2`. Note: `package.json` is `1.0.2` but tags already reach `v1.3.0`, so bump above that. All prerequisites are ready (`just ci` green, `dist/` committed, `branding:` present).

Corrections vs. the original brief

- `branding:` already existed in `action.yml` — nothing to add for Marketplace.
- `sign/README.md:3` is a separate sibling repo, out of scope here.

These commits were authored without the Secure-Enclave signature, so the `verify-commits` check will fail until re-signed:

Verification

`just ci` (test + build + check-dist) green · 59/59 tests pass · `dist/` committed and in sync.