This document describes the release process for coherence-mcp, including versioning, GPG signing, and SpiralSafe synchronization.
Releases follow Semantic Versioning:
- MAJOR: Breaking changes
- MINOR: New features (backward compatible)
- PATCH: Bug fixes (backward compatible)
The release process is automated via GitHub Actions. A release is triggered by:
- Tag Push: Pushing a tag matching
v*(e.g.,v0.2.1) - Manual Dispatch: Using the GitHub Actions UI to trigger a release
# Update version in package.json
npm version patch # or minor, major
# Push with tags
git push origin main --tags- Go to Actions → Release workflow
- Click Run workflow
- Enter the version number (e.g.,
0.2.1) - Optionally mark as pre-release
- Click Run workflow
The release workflow consists of the following jobs:
┌──────────────┐
│ Validate │ ← Run tests, build, determine version
└──────┬───────┘
│
▼
┌──────────────┐
│ Build │ ← Create package tarball, generate checksums
└──────┬───────┘
│
▼
┌──────────────┐
│ Sign │ ← GPG sign artifacts (if keys configured)
└──────┬───────┘
│
▼
┌──────────────┐
│ Publish NPM │ ← Publish to npm with provenance
└──────┬───────┘
│
▼
┌──────────────┐
│ Release │ ← Create GitHub Release with artifacts
└──────┬───────┘
│
▼
┌──────────────┐
│ Notify Sync │ ← Notify SpiralSafe ecosystem
└──────────────┘
GPG signatures provide:
- Authenticity: Proof that releases come from the official maintainers
- Integrity: Detection of any tampering with release artifacts
- Trust: Verification through the web of trust
# Generate a new key
gpg --full-generate-key
# Select:
# - RSA and RSA (default)
# - 4096 bits
# - Key does not expire (or set expiry)
# - Use: SpiralSafe Release Signing <release@spiralsafe.org># Get the key ID
gpg --list-secret-keys --keyid-format LONG
# Export private key (keep this safe!)
gpg --armor --export-secret-keys YOUR_KEY_ID > private-key.asc
# Export public key (for verification)
gpg --armor --export YOUR_KEY_ID > public-key.ascAdd these secrets to the repository:
| Secret | Description |
|---|---|
GPG_PRIVATE_KEY |
Contents of private-key.asc |
GPG_PASSPHRASE |
Passphrase for the GPG key |
GPG_KEY_ID |
Key ID (e.g., ABCD1234EFGH5678) |
NPM_TOKEN |
NPM access token with publish permissions |
SPIRALSAFE_API_TOKEN |
SpiralSafe API token for sync notifications |
The public key should be published to:
- Repository
.well-known/pgp-key.txt - https://spiralsafe.org/.well-known/pgp-key.txt
- Key servers (optional):
gpg --keyserver keyserver.ubuntu.com --send-keys YOUR_KEY_ID
Users can verify release signatures:
# 1. Import the SpiralSafe signing key
curl -s https://spiralsafe.org/.well-known/pgp-key.txt | gpg --import
# Or from this repository:
curl -s https://raw.githubusercontent.com/toolate28/coherence-mcp/main/.well-known/pgp-key.txt | gpg --import
# 2. Download the release artifacts
VERSION="0.2.1"
curl -LO "https://github.com/toolate28/coherence-mcp/releases/download/v${VERSION}/SHA256SUMS.txt"
curl -LO "https://github.com/toolate28/coherence-mcp/releases/download/v${VERSION}/SHA256SUMS.txt.asc"
# 3. Verify the signature
gpg --verify SHA256SUMS.txt.asc SHA256SUMS.txt
# 4. Verify the package checksum
npm pack @toolate28/coherence-mcp@${VERSION}
sha256sum -c SHA256SUMS.txtEach release includes:
SHA256SUMS.txt- SHA-256 checksums of all artifactsSHA512SUMS.txt- SHA-512 checksums of all artifacts
Releases are published with npm provenance, which provides:
- Attestation that the package was built by GitHub Actions
- Link to the specific workflow run that created the package
- Verification through Sigstore
Check provenance:
npm audit signatures @toolate28/coherence-mcpReleases are automatically synced with the SpiralSafe ecosystem:
- Notification: The release workflow notifies the SpiralSafe API
- Registry Update: SpiralSafe registry is updated with the new version
- Documentation Sync: Release notes are synchronized to SpiralSafe docs
If automatic sync fails, manually update:
- Update version in
registry-submission.yaml - Create a PR to the SpiralSafe registry repository
- Announce in SpiralSafe Discord
Before releasing:
- All tests pass (
npm test) - Build succeeds (
npm run build) - Changelog updated (if maintaining one)
- Version number updated in
package.json - Version number updated in
registry-submission.yaml - README badges updated (if version shown)
- No security vulnerabilities (
npm audit)
After releasing:
- Verify GitHub Release created with artifacts
- Verify NPM package published
- Verify checksums are correct
- Verify GPG signatures (if enabled)
- Test installation:
npx @toolate28/coherence-mcp@VERSION - Update SpiralSafe ecosystem docs (if needed)
- Check the GitHub Actions logs for the specific error
- Common issues:
- Missing secrets (NPM_TOKEN, GPG keys)
- Version already exists on NPM
- Test failures
- Verify GPG_PRIVATE_KEY is correctly base64 encoded
- Check passphrase is correct
- Ensure key hasn't expired
- Check NPM_TOKEN has publish permissions
- Verify the version doesn't already exist
- Ensure package.json is valid
- GPG private keys are stored as GitHub Secrets (encrypted at rest)
- NPM tokens should be scoped to only publish packages
- Release workflow requires approval via GitHub Environments
- All releases are auditable via GitHub Actions logs
See SECURITY.md for security reporting procedures.