jonobr1
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 4 additions & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 46 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 6 additions & 12 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 6 additions & 12 deletions
diff --git a/‎.github/workflows/copilot-setup-steps.yml‎
Lines changed: 2 additions & 4 deletions b/‎.github/workflows/copilot-setup-steps.yml‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎.github/workflows/lint.yml‎
Lines changed: 34 additions & 13 deletions b/‎.github/workflows/lint.yml‎
Lines changed: 34 additions & 13 deletions
diff --git a/‎.github/workflows/publish.yml‎
Lines changed: 45 additions & 10 deletions b/‎.github/workflows/publish.yml‎
Lines changed: 45 additions & 10 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/scorecard.yml‎
Lines changed: 3 additions & 3 deletions
@@ -0,0 +1,4 @@
+# CODEOWNERS — all files require review from the project maintainer.
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+*       @jonobr1
@@ -0,0 +1,46 @@
+version: 2
+
+updates:
+  # Root npm package
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      dev-dependencies:
+        patterns:
+          - "*"
+
+  # tests/types npm package
+  - package-ecosystem: "npm"
+    directory: "/tests/types"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      dev-dependencies:
+        patterns:
+          - "*"
+
+  # tests/typescript npm package
+  - package-ecosystem: "npm"
+    directory: "/tests/typescript"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      dev-dependencies:
+        patterns:
+          - "*"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      github-actions:
+        patterns:
+          - "*"
@@ -22,19 +22,16 @@ jobs:
         language: [ javascript ]
 
     steps:
-      # checkout@v5
       - name: Checkout repository
-        uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5
 
-      # setup-node@v5
       - name: Set up Node.js
-        uses: jonobr1/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444  # v5
         with:
           node-version: '24.14.1'
 
-      # cache@v4
       - name: Cache node modules
-        uses: jonobr1/cache@0400d5f644dc74513175e3cd8d07132dd4860809
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809  # v4
         with:
           path: |
             node_modules
@@ -43,19 +40,16 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      # codeql-action/init@v3
       - name: Initialize CodeQL
-        uses: jonobr1/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3  # v3
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
 
-      # codeql-action/autobuild@v3
       - name: Autobuild
-        uses: jonobr1/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3
+        uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3  # v3
 
-      # codeql-action/analyze@v3
       - name: Perform CodeQL Analysis
-        uses: jonobr1/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3  # v3
         with:
           category: "/language:${{ matrix.language }}"
@@ -18,12 +18,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        # checkout@v5
-        uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5
 
       - name: Set up Node.js
-        # setup-node@v5
-        uses: jonobr1/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444  # v5
         with:
           node-version: "20"
           cache: "npm"
 
@@ -8,16 +8,37 @@ jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      # checkout@v6
-      - uses: jonobr1/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-      # setup-node@v6
-      - uses: jonobr1/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
-        with:
-          node-version: '24.14.1'
-          cache: 'npm'
-      - name: Install modules
-        run: npm ci
-      - name: Run ESLint
-        run: npm run lint
-      - name: Check TypeScript sample
-        run: npx tsc --noEmit --skipLibCheck tests/typescript/index.ts
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5
+    - name: Install modules
+      run: npm ci
+    - name: Run ESLint
+      run: npm run lint
+
+  check-dependency-files:
+    name: Check dependency manifest/lockfile pairs
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5
+    - name: Verify each Dependabot-managed npm directory has package.json and package-lock.json
+      shell: bash
+      run: |
+        dirs=("." "tests/types" "tests/typescript")
+        ok=true
+        for dir in "${dirs[@]}"; do
+          if [ ! -f "$dir/package.json" ]; then
+            echo "ERROR: $dir/package.json is missing"
+            ok=false
+          fi
+          if [ ! -f "$dir/package-lock.json" ]; then
+            echo "ERROR: $dir/package-lock.json is missing"
+            ok=false
+          fi
+        done
+        if [ "$ok" != "true" ]; then
+          echo ""
+          echo "Every npm directory managed by Dependabot must contain both"
+          echo "package.json and package-lock.json. Run 'npm install' in the"
+          echo "affected directory and commit the result."
+          exit 1
+        fi
+        echo "All dependency file pairs are present."
@@ -11,21 +11,56 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     permissions:
-      id-token: write  # Required for OIDC
-      contents: read
+      id-token: write      # Required for OIDC (npm provenance + GitHub attestation)
+      contents: write      # Required to create GitHub releases and upload assets
+      attestations: write  # Required for actions/attest-build-provenance
+
     steps:
-      # checkout@v6
-      - uses: jonobr1/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-      # setup-node@v6
-      - uses: jonobr1/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f  # v6
         with:
           node-version: '24.14.1'
           registry-url: 'https://registry.npmjs.org'
 
       # Ensure npm 11.5.1 or later is installed
       - name: Update npm
-        run: npm install -g npm@latest
+        run: npm install -g npm@11.5.1
       - run: npm ci
-      - run: npm run build --if-present
-      # - run: npm test
-      - run: npm publish
+      - run: npm run build
+
+      - name: Generate SLSA provenance attestation
+        id: attest
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
+        with:
+          subject-path: |
+            build/two.js
+            build/two.module.js
+            build/two.min.js
+
+      - name: Stage provenance bundle for release
+        env:
+          BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}
+          TAG: ${{ github.ref_name }}
+        run: cp "$BUNDLE_PATH" "two.js-${TAG}.intoto.jsonl"
+
+      - name: Upload provenance bundle as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        with:
+          name: provenance-bundle-${{ github.ref_name }}
+          path: two.js-${{ github.ref_name }}.intoto.jsonl
+
+      - name: Publish to npm with provenance
+        run: npm publish --provenance
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          gh release create "$TAG" \
+            --title "Official Stable Release of $TAG" \
+            --generate-notes \
+            build/two.js \
+            build/two.module.js \
+            build/two.min.js \
+            "two.js-${TAG}.intoto.jsonl"
@@ -20,19 +20,19 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           persist-credentials: false
 
       - name: Run Scorecard analysis
-        uses: jonobr1/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a  # v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a  # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
       - name: Upload results to GitHub Security tab
-        uses: jonobr1/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3  # v3.35.1
+        uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699  # v3.35.1
         with:
           sarif_file: results.sarif
           wait-for-processing: true