Fail CI when dependencies in your lockfile lose npm provenance or trusted publisher status

A composite GitHub Action that turns conventional commits into a draft release PR, tags the PR on merge, and stages publishing to npm via OIDC trusted publishing.

Indexing support for Trusted Publishing on PyPI

Trusted Publishing for Docker registries using GitHub Actions OIDC.

Get trusted publishing and build reproducibility insights for any Rust supply chain

[PoC] Trusted Publishing verifier for package URLs (purl)

Published npm artifact boundary for handshake-protocol-kernel; trusted publishing and MCP metadata.

Checks if an npm package version was published via a Trusted Publisher (OIDC/Provenance)

Advanced GitHub Actions and package supply-chain defense platform for the May 2026 CI/CD compromise wave.

an example of using a trusted publishing (OIDC) to publish a package

TypeScript hello world library with dual ES modules/CommonJS support. Features GitHub Actions trusted publishing to npmjs with Sigstore attestation.

Supply-chain-hardened release tool for JS/TS libraries. Multi-runner reproducible-build attestation, OIDC trusted publishing, hard pre-publish gates. Pure bash, zero dependencies.

npm package starter with OIDC trusted publishing, provenance, and CI/CD baked in

A reusable agent skill for shipping a JS/TS library to npm with GitHub Actions, including 8 well-documented pitfalls.

Python module to easily compare the local windows release version, against broadly available official versioning. Detects silent updating-issues. This Repository also acts as the web-source of truth, it displays signed info accessible programmatically through designated GitHub pages.

Evidence-first QuantumScalar DM simulation suite for reproducible runs, decision campaigns, and PyPI installs.

Reusable GitHub Actions CI for the Coroboros stack.

🔒 Fail CI if dependencies in your lockfile lose npm provenance or trusted publisher status, enhancing the security of your projects.