v2.0.4 — npm provenance via CI trusted publishing
Starting with this release, npm packages are published by GitHub Actions via OIDC trusted publishing: no npm tokens exist anywhere, every release carries SLSA provenance attestations (verify with npm audit signatures or on the npm package page), and release tags are SSH-signed. No engine changes.
What's Changed
- ci: npm OIDC trusted publishing with provenance and signed release tags by @shayaShav in #5
Full Changelog: v2.0.3...v2.0.4