Skip to content

v1.5.3

Latest

Choose a tag to compare

@github-actions github-actions released this 01 Jul 20:20

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo today: the OCI static bundle (ckp:static) per SPEC.OCI.BUNDLE.v0.4, attestation-gated (this file renders only after gh attestation verify passes). The npm package @conceptkernel/cklib is staged in package.json (publish deferred until npm auth lands; the workflow's npm steps are gated on repo var NPM_PUBLISH). See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.5.3

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.5.3 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.4. The bundle lands the facade + transport + cache at image root (/ck.js, /ck-client.js, /ck-store.js, /vendor/) ready for spec-standard COPY --from=cklib_source / dest/.

arch Pull URI Also tagged Digest Created (UTC)
amd64 ghcr.io/conceptkernel/ck-lib-js:1.5.3 latest sha256:2548a67bbe3120a082feb1f9a71d7017f3e8f37cf7d7922b310c3d4f66ae8470 2026-07-01 20:20:23 UTC
arm64 ghcr.io/conceptkernel/ck-lib-js:1.5.3 latest sha256:59be4ed3c0e9e6f1c8ec52fc5c961c385951485429a70d614704517b1ebc43d5 2026-07-01 20:20:23 UTC
Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.5.3 (also tagged latest)
Aggregate digest sha256:0ceeb30beacbdc0f65fded1a547b705f81a69ee8633841a895d1ac85b6435c9c
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #28545233818
Built from commit 8d1e4985d0653b9b0070af4c38ae9e8c846d9e2c
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.3 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.5.3
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.3 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:2548a67bbe3120a082feb1f9a71d7017f3e8f37cf7d7922b310c3d4f66ae8470 \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.5.3 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.3
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.3
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.3 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKClient } from '/cklib/ck-client.js';
  const ck = new CKClient({ kernel: 'pgCK.Task' });
  await ck.connect();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.5.3) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the transport contract, README.md for the CK concept-kernel API.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-07-01 20:20:23 UTC after gh attestation verify accepted the aggregate digest above.