Skip to content

v0.1.0-dev.3

Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 21 Jun 12:41
0bc4412

See CHANGELOG.md for the curated changelog.

SHA256SUMS covers every attached archive plus the CycloneDX SBOM + VEX: shasum -a 256 -c SHA256SUMS.

Desktop GUI bundles (UNSIGNED). This release also includes cross-platform sparq GUI desktop installers (sparq-gui_v0.1.0-dev.3_*): macOS .dmg, Windows .msi + NSIS .exe, and Linux .deb + .AppImage. These bundles are NOT code-signed or notarized. On macOS, Gatekeeper will quarantine them; on Windows, SmartScreen will warn — see /download for the install bypass instructions (Gatekeeper/SmartScreen). OS-level code-signing (Apple Developer ID notarization + Windows Authenticode) requires maintainer-held credentials and is tracked separately — until then, treat the GUI bundles as developer/test installs. The SLSA attestation below proves who built each bundle (build provenance); it is not a substitute for OS code-signing. (No win-arm64 GUI installer yet — the Tauri bundler cannot cross-bundle it from the x64 Windows runner; no mobile app bundles yet.)

Supply chain: each release carries a CycloneDX SBOM per binary (*-v0.1.0-dev.3.sbom.cdx.json, including the GUI shell sparq-gui-v0.1.0-dev.3.sbom.cdx.json), a CycloneDX SBOM for the published npm/WASM client (sparq-js-v0.1.0-dev.3.sbom.cdx.json runtime tree + sparq-js-dev-v0.1.0-dev.3.sbom.cdx.json full build tree), and a VEX (sparq-v0.1.0-dev.3.vex.cdx.json) stating the exploitability of every advisory the dependency policy ignores. All artifacts (archives, GUI bundles, SBOMs, VEX) are SLSA build-provenance attested — verify with gh attestation verify <file> --repo jeswr/sparq.

What's Changed