This process keeps oss-signal releases reproducible and easy to verify.
Run the full local check:
npm run check
Verify the public GitHub audit example:
npm run audit:github
Verify SARIF output:
node src/cli.js . --format sarif --output docs/examples/self-audit.sarif
node -e "const fs = require('fs'); const sarif = JSON.parse(fs.readFileSync('docs/examples/self-audit.sarif', 'utf8')); if (sarif.version !== '2.1.0') throw new Error('invalid SARIF');"
Verify inventory output:
node src/cli.js --inventory docs/examples/inventory-targets.txt --format markdown --output docs/examples/inventory-report.md
Inspect the npm tarball before publishing:
npm publish --dry-run
The package version and tag must match:
node src/cli.js --version
git tag v$(node src/cli.js --version)
git push origin main --tags
Create a GitHub Release for the tag and use the release notes in docs/release-notes/ when available.
For example, v0.7.0 uses docs/release-notes/v0.7.0.md.
Manual publish path, used only as a fallback:
npm publish --access public
Automation path:
The tag-triggered release workflow runs the same checks, verifies the package with npm publish --dry-run, creates a GitHub Release, and publishes to npm with Trusted Publishing provenance.
Trusted Publishing must be configured on npm for:
package name: oss-signal
repository: SalmonPlays/oss-signal
workflow file: release.yml
Check the registry version:
npm view oss-signal version dist-tags.latest --json
Run from a clean temporary directory:
tmpdir=$(mktemp -d)
cd "$tmpdir"
npm exec --yes --package=oss-signal -- oss-signal SalmonPlays/oss-signal --format json
Check the public Action tag:
git ls-remote --tags https://github.com/SalmonPlays/oss-signal.git
Download metrics can lag behind package publication. Treat npm download counts as delayed evidence, not immediate proof that a release worked.