Problem
Consumers cannot cryptographically verify that the published npm packages and
release binaries were built by this repository's workflows.
Proposal
npm publish --provenance in publish-one.yml (OIDC trusted publishing
already provides the identity).
- GitHub artifact attestations (
actions/attest-build-provenance) for the
xmd release binaries alongside the existing sha256 checksums.
Related: #68 (macOS Developer-ID signing + notarization).
Problem
Consumers cannot cryptographically verify that the published npm packages and
release binaries were built by this repository's workflows.
Proposal
npm publish --provenanceinpublish-one.yml(OIDC trusted publishingalready provides the identity).
actions/attest-build-provenance) for thexmdrelease binaries alongside the existing sha256 checksums.Related: #68 (macOS Developer-ID signing + notarization).