Record Godpowers 5.5.0 publication evidence#71
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 92b4f60d93
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - [DECISION] The root release asset SHA-256 digest is `d8452cb7e8d862da6609faf1858e50e8e1d4a31147eeb811d53abf61e69a3c2f`. | ||
| - [DECISION] The MCP release asset SHA-256 digest is `afccadc9727398aa666bd5e155af477a258f0aa06428a7aaf53bf5389c4b028e`. | ||
| - [DECISION] Provenance workflow 29264981272 published `godpowers@5.5.0` and `@godpowers/mcp@5.5.0` under the `latest` tag. | ||
| - [DECISION] The root registry integrity is `sha512-matKwEhx+nxl+luBjAnGSPzdef1I19hpxfXmaxGAgRCu54qcGPLZbuMPLhH8/PHYI6FGODUMoeNmG1i2vSvGAA==` and matches the local release tarball. |
There was a problem hiding this comment.
Correct the root package integrity evidence
At this commit, packing the root package with npm pack --json --pack-destination <tmp> reports integrity sha512-nJ5cg1NIAwe7IVLwbEUZz2yg4RmCVTLATjiP9Z22WUxh8ROrJfKyxliFt4EKBZoI6XhZJjcHGN+z4kPwSu7lCg== and SHA-256 b1af9819f23cae01112888156d8f289e3ef23ccc63291fef1cbdb9f8d0d245ac, not the values recorded here. Because RELEASE.md is included in the root package, adding this publication evidence changes the tarball after publication, so anyone trying to verify or reproduce godpowers@5.5.0 from this tree will get a mismatch instead of the claimed local-release match.
Useful? React with 👍 / 👎.
Summary
Verification