Bump pinned auths-version to 0.1.1 + refresh CI bundle

.auths/ci-bundle.json

@@ -1,23 +1,93 @@
 {
-  "identity_did": "did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac",
-  "public_key_hex": "025587d93658ed5be7be14027e3dae1f7312c968011faa45302abdf677a0c74b2a",
+  "identity_did": "did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG",
+  "public_key_hex": "02f7d33345c84176a48286539a7e74cdef1c266eb38e389711edb129fcc7938de0",
   "curve": "p256",
   "attestation_chain": [
     {
       "version": 1,
       "rid": ".auths",
-      "issuer": "did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac",
-      "subject": "did:key:zDnaeWBqqznf8xyJhTAfc1RU4VFzUoRmw85G3hVdVS9mpLemP",
+      "issuer": "did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG",
+      "subject": "did:key:zDnaeh7NXw4vXWstkivGmQaBGZkoG4Fwp6uRAh6Khe5hXmUSj",
       "device_public_key": {
         "curve": "p256",
-        "key": "025587d93658ed5be7be14027e3dae1f7312c968011faa45302abdf677a0c74b2a"
+        "key": "02f7d33345c84176a48286539a7e74cdef1c266eb38e389711edb129fcc7938de0"
       },
-      "identity_signature": "d6776a5182df46bb646938d8416ed7ce3a2a9f55a841900c360d1e7190d3af7a5a5d8832dfad1bd43540cfeaba43df3f96c7a8f95ff8b970f6bdf71c878989c9",
-      "device_signature": "49d8c6dc15ad8d79f91bce2b9cb3533dd8cf4d3e12305641f0765f5624655812c549dcac07ad6a52f07e9fc41a3827db55f68069f9bd1bcc74feeb85197665c1",
-      "timestamp": "2026-06-03T17:32:34.460661Z",
+      "identity_signature": "b6fa3436b0fd03462ceb835f5184837f8f462ae96b91c30d0b5dcada0d99c5af6632567fe1af79264a96f9ae3fb2aa9f2dd56cb31329c8f79d0afe05d0afef36",
+      "device_signature": "7be8c0f9a26dd33d38b88e1911ad9b59b071c5eee02c3d0dd8b3faf6dd462f62fa17dd0bf8f6ad707e3818cbec8ae264af053a70f562d69036cf4a3873574f06",
+      "timestamp": "2026-06-09T22:01:42.838518Z",
       "note": "Linked by auths-sdk setup"
+    },
+    {
+      "version": 1,
+      "rid": "sha256:f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2",
+      "issuer": "did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG",
+      "subject": "did:key:zDnaeh7NXw4vXWstkivGmQaBGZkoG4Fwp6uRAh6Khe5hXmUSj",
+      "device_public_key": {
+        "curve": "p256",
+        "key": "02f7d33345c84176a48286539a7e74cdef1c266eb38e389711edb129fcc7938de0"
+      },
+      "identity_signature": "695e52d4641d6e1f86009bc89665d8e218e375b5a7402959909fb637c2c5e48b1268e718b5161301009b72100ba3c4ea5e4c1a3293c699a6860bb0edb31d94df",
+      "device_signature": "991ce277ffc5e57bd5ac7c274a871273cc8a6a8d6a3bcb867fb697d839ac8be1af76cf47ca0dc687feb8c06b354740edd7cd343da65ff3d871c2bb1974471754",
+      "timestamp": "2026-06-09T23:10:38.598909Z",
+      "payload": {
+        "artifact_type": "file",
+        "digest": {
+          "algorithm": "sha256",
+          "hex": "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2"
+        },
+        "name": "relprobe.txt",
+        "size": 5
+      },
+      "commit_sha": "d4443cd81077f396ec1a1366bc0356cc19b3bbf5"
+    }
+  ],
+  "kel": [
+    {
+      "v": "KERI10JSON00012f_",
+      "t": "icp",
+      "d": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG",
+      "i": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG",
+      "s": "0",
+      "kt": "1",
+      "k": [
+        "1AAJAvfTM0XIQXakgoZTmn50ze8cJm6zjjiXEe2xKfzHk43g"
+      ],
+      "nt": "1",
+      "n": [
+        "EGdbaV-wPaf-_ipeasSHuXwmb0YtEt7FaMk68HLxD4mn"
+      ],
+      "bt": "0",
+      "b": [],
+      "c": [],
+      "a": []
+    },
+    {
+      "v": "KERI10JSON0000ff_",
+      "t": "ixn",
+      "d": "EDxwuXyK6UzdhpDUJOggQGHTdWpc0APpPHihmiUcye6y",
+      "i": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG",
+      "s": "1",
+      "p": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG",
+      "a": [
+        {
+          "d": "EBZ9C975VziWzzdir1SctdzUDmqZMCKgG7J6zU9m8aES"
+        }
+      ]
+    },
+    {
+      "v": "KERI10JSON0000ff_",
+      "t": "ixn",
+      "d": "EIrQ9Hly1PL1MkNynKgrQ_X9Mjspm5lxupzyOMasbZQu",
+      "i": "ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG",
+      "s": "2",
+      "p": "EDxwuXyK6UzdhpDUJOggQGHTdWpc0APpPHihmiUcye6y",
+      "a": [
+        {
+          "d": "EBSIjdFY0dh2tv8BsfpPIBQ-QkA7Ay8d7G3vG18vrkwS"
+        }
+      ]
     }
   ],
-  "bundle_timestamp": "2026-06-09T19:49:11.207253Z",
+  "bundle_timestamp": "2026-06-10T00:32:04.746971Z",
   "max_valid_for_secs": 31536000
 }

.github/workflows/release.yml

@@ -36,7 +36,7 @@ jobs:
         with:
           files: 'dist/index.js'
           note: 'GitHub Actions release — ${{ github.ref_name }}'
-          auths-version: '0.0.1-rc.12'
+          auths-version: '0.1.2'
 
       - name: Generate SHA256 checksums
         run: |

.github/workflows/sign-commits.yml

@@ -22,4 +22,4 @@ jobs:
       - uses: auths-dev/sign@v1
         with:
           commits: 'HEAD~1..HEAD'
-          auths-version: '0.0.1-rc.12'
+          auths-version: '0.1.2'

.github/workflows/verify-commits.yml

@@ -18,7 +18,7 @@ jobs:
 
       - uses: ./
         with:
-          auths-version: '0.0.1-rc.12'
+          auths-version: '0.1.2'
           identity-bundle: .auths/ci-bundle.json
           fail-on-unsigned: true
           post-pr-comment: 'true'

README.md

@@ -16,7 +16,7 @@ steps:
       fetch-depth: 0
   - uses: auths-dev/verify@v1
     with:
-      auths-version: "0.0.1-rc.12"   # pin the CLI — the action never resolves `latest`
+      auths-version: "0.1.2"   # pin the CLI — the action never resolves `latest`
 ```
 
 That's it. The action auto-detects the commit range from the GitHub event (PR or push), downloads the **pinned** `auths` CLI (SHA256-checksum verified — it **fails closed** if the release has no checksum), and verifies each commit with `auths verify`. Verification is **KEL-native**: the signer is read from each commit's `Auths-Id`/`Auths-Device` trailers and checked against its key history (KEL). For stateless CI, pass an identity bundle via the `identity-bundle` input.
@@ -40,11 +40,11 @@ jobs:
           fetch-depth: 0
       - uses: auths-dev/verify@v1
         with:
-          auths-version: "0.0.1-rc.12"   # pin the CLI version (required)
+          auths-version: "0.1.2"   # pin the CLI version (required)
           fail-on-unsigned: true
 ```
 
-> **Pin the CLI.** `auths-version` must be set to a released version that publishes a `.sha256` (e.g. `0.0.1-rc.12`). The action refuses to resolve `latest` and fails closed if the binary cannot be checksum-verified — supply-chain hardening for a tool whose entire job is trust. (If `auths` is already on `PATH`, the version is not needed.)
+> **Pin the CLI.** `auths-version` must be set to a released version that publishes a `.sha256` (e.g. `0.1.2`). The action refuses to resolve `latest` and fails closed if the binary cannot be checksum-verified — supply-chain hardening for a tool whose entire job is trust. (If `auths` is already on `PATH`, the version is not needed.)
 
 That's it for verifying against the local identity store. For stateless CI (no `~/.auths` on the runner), commit an identity bundle and point the `identity-bundle` input at it — see [Identity Bundle](#identity-bundle-stateless-ci) below.
 
@@ -67,7 +67,7 @@ That's it for verifying against the local identity store. For stateless CI (no `
 |-------|-------------|----------|---------|
 | `identity-bundle` | Identity bundle for stateless verification. Accepts: CI token JSON, identity bundle JSON, or a file path to a bundle. Empty → KEL-native verification against the local identity store | No | `''` (KEL-native) |
 | `commits` | Git commit range to verify (e.g. `HEAD~5..HEAD`) | No | Auto-detected from event |
-| `auths-version` | Auths CLI version to **pin** (e.g. `0.0.1-rc.12`). Required unless `auths` is on `PATH`; the action never resolves `latest` and fails closed without a verifiable `.sha256` | Yes (unless on PATH) | `''` |
+| `auths-version` | Auths CLI version to **pin** (e.g. `0.1.2`). Required unless `auths` is on `PATH`; the action never resolves `latest` and fails closed without a verifiable `.sha256` | Yes (unless on PATH) | `''` |
 | `fail-on-unsigned` | Whether to fail the action if unsigned commits are found | No | `true` |
 | `skip-merge-commits` | Whether to skip merge commits during verification | No | `true` |
 | `post-pr-comment` | Post a PR comment with results and fix instructions (requires `pull-requests: write`) | No | `false` |
@@ -99,7 +99,7 @@ With an empty `identity-bundle`, the action runs `auths verify` against the loca
 ```yaml
 - uses: auths-dev/verify@v1
   with:
-    auths-version: "0.0.1-rc.12"   # pin the CLI (required on clean runners)
+    auths-version: "0.1.2"   # pin the CLI (required on clean runners)
 ```
 
 ### Identity Bundle (stateless CI)
@@ -115,7 +115,7 @@ Commit the bundle (it contains only public data) and reference the file:
 ```yaml
 - uses: auths-dev/verify@v1
   with:
-    auths-version: "0.0.1-rc.12"
+    auths-version: "0.1.2"
     identity-bundle: '.auths/ci-bundle.json'
 ```
 
@@ -128,7 +128,7 @@ gh secret set AUTHS_IDENTITY_BUNDLE < .auths/ci-bundle.json
 ```yaml
 - uses: auths-dev/verify@v1
   with:
-    auths-version: "0.0.1-rc.12"
+    auths-version: "0.1.2"
     identity-bundle: ${{ secrets.AUTHS_IDENTITY_BUNDLE }}
 ```
 
@@ -155,7 +155,7 @@ jobs:
 
       - uses: auths-dev/verify@v1
         with:
-          auths-version: "0.0.1-rc.12"
+          auths-version: "0.1.2"
 ```
 
 ### Identity Bundle with Secret
@@ -174,7 +174,7 @@ jobs:
 
       - uses: auths-dev/verify@v1
         with:
-          auths-version: "0.0.1-rc.12"
+          auths-version: "0.1.2"
           identity-bundle: ${{ secrets.AUTHS_IDENTITY_BUNDLE }}
 ```
 
@@ -183,7 +183,7 @@ jobs:
 ```yaml
 - uses: auths-dev/verify@v1
   with:
-    auths-version: "0.0.1-rc.12"
+    auths-version: "0.1.2"
     fail-on-unsigned: 'false'
 ```
 
@@ -205,7 +205,7 @@ jobs:
 
       - uses: auths-dev/verify@v1
         with:
-          auths-version: "0.0.1-rc.12"
+          auths-version: "0.1.2"
           post-pr-comment: 'true'
           github-token: ${{ secrets.GITHUB_TOKEN }}
 ```
@@ -217,7 +217,7 @@ jobs:
   id: verify
   uses: auths-dev/verify@v1
   with:
-    auths-version: "0.0.1-rc.12"
+    auths-version: "0.1.2"
     fail-on-unsigned: 'false'
 
 - name: Gate a downstream step on verification
@@ -252,7 +252,7 @@ jobs:
 
       - uses: auths-dev/verify@v1
         with:
-          auths-version: "0.0.1-rc.12"
+          auths-version: "0.1.2"
           identity-bundle: ${{ secrets.AUTHS_IDENTITY_BUNDLE }}
           fail-on-unsigned: ${{ inputs.mode == 'enforce' && 'true' || 'false' }}
 ```

action.yml

@@ -12,7 +12,7 @@ inputs:
     required: false
     default: ''
   auths-version:
-    description: 'Auths CLI version to pin (e.g. "0.0.1-rc.12"). Required unless `auths` is already on PATH — a verification action must not resolve `latest` (supply-chain hardening). The pinned release must publish a `.sha256` checksum.'
+    description: 'Auths CLI version to pin (e.g. "0.1.2"). Required unless `auths` is already on PATH — a verification action must not resolve `latest` (supply-chain hardening). The pinned release must publish a `.sha256` checksum.'
     required: false
     default: ''
   fail-on-unsigned:

dist/index.js

@@ -72219,7 +72219,7 @@ async function ensureAuthsInstalled(version) {
     // `releases/latest`, which would let an upstream release silently change the binary
     // a verification action runs. (A pre-installed `auths` on PATH is exempt — handled above.)
     if (!version) {
-        throw new Error("The 'auths-version' input must be pinned to a released version (e.g. '0.0.1-rc.12'); " +
+        throw new Error("The 'auths-version' input must be pinned to a released version (e.g. '0.1.2'); " +
             "resolving 'latest' is not allowed for a verification action.");
     }
     // Determine the version for cache lookup

src/verifier.ts

@@ -410,7 +410,7 @@ export async function ensureAuthsInstalled(version: string): Promise<string | nu
   // a verification action runs. (A pre-installed `auths` on PATH is exempt — handled above.)
   if (!version) {
     throw new Error(
-      "The 'auths-version' input must be pinned to a released version (e.g. '0.0.1-rc.12'); " +
+      "The 'auths-version' input must be pinned to a released version (e.g. '0.1.2'); " +
       "resolving 'latest' is not allowed for a verification action."
     );
   }