Skip to content

RegistryStack v0.8.3

Pre-release
Pre-release

Choose a tag to compare

View all tags
@github-actions github-actions released this 26 Jun 13:20
· 5 commits to main since this release
v0.8.3
ecde458
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

RegistryStack v0.8.3

RegistryStack v0.8.3 is a security and release-trust patch release after
v0.8.2.

Scope

  • Keeps the stack release in the public registrystack/registry-stack
    monorepo.
  • Adds release-level SLSA provenance generation for tag-triggered GitHub
    Releases, allowing the release workflow to publish and verify
    *.intoto.jsonl provenance for non-signature release assets.
  • Fixes cargo-deny advisory checks and removes unmaintained JSON-LD test
    dependencies.
  • Triages CodeQL code scanning findings in scripts, demos, and generated docs
    helpers.
  • Replaces RS256 RSA verification support with AWS-LC-backed crypto in the
    platform crypto layer.
  • Keeps Crosswalk as the tested pinned product input.
  • Keeps Registry Atlas and the eSignet Relay authenticator held as lab-only
    external inputs.

Release Gates

The source release is expected to pass:

  • release manifest validation;
  • import-map audit;
  • Rust workspace checks;
  • Lab monorepo source proof;
  • full docs checks, archive builds, SEO, and built-link validation.

The tag-driven release workflow publishes final binaries, GHCR images, image
digests, SBOMs, Grype reports, keyless cosign signatures, and release-level SLSA
provenance. Hosted/public announcement remains a separate gate after
hosted-state proof.

Assets 72
Loading