refactor!: shrink scope to build + sign + archive + checksum (#10)

* refactor!: shrink scope to build + sign + archive + checksum

BREAKING. The action now stops at producing signed, checksummed
files on disk and emitting their paths. Distribution concerns move
to dedicated downstream actions.

Removed (inputs, source, tests, docs, e2e jobs):
- Release attach — attach-to-release, release-{tag,name,body,draft,
  prerelease}, generate-release-table. Replace with
  softprops/action-gh-release against outputs.artifacts.
- Docker OCI publish — docker-* inputs + packages/core/src/docker.ts.
  Replace with docker/build-push-action against outputs.binaries.
- Homebrew tap PR — homebrew-* + renderHomebrewFormula. Replace with
  a dedicated tap-updater action.
- Scoop bucket PR — scoop-* + renderScoopManifest.
- SLSA provenance — provenance input + attest-build-provenance wire-up.
  Replace with actions/attest-build-provenance@v4 as a chained step.
- SBOM — sbom input + packages/core/src/sbom.ts. Replace with
  anchore/sbom-action.
- Workflow artifact upload — upload-artifact + artifact-name inputs +
  @actions/artifact integration. Replace with actions/upload-artifact@v4.
- release-url output and summary Release trailer.

Runtime deps drop @actions/artifact (v6.2.1) and @actions/github
(v9.1.0). Cap moves from 6 → 4 runtime deps.

Kept unchanged:
- Build pipeline (all pkg-* inputs, targets, mode, compress-node, etc.)
- Post-build archive + checksum
- Windows metadata (resedit)
- Signing — macOS codesign + notarytool, Windows signtool, Azure
  Trusted Signing
- Matrix sub-action
- Step-summary (no Release trailer)

Bundle shrinks: packages/build/dist/index.mjs ~3.6 MB → ~1 MB.
Tests: 296 → 222 (deletions, no regressions). Typecheck + lint green.
docs/publishing.md, distribution.md, docker.md, provenance.md,
sbom.md removed. README rewritten around outputs + "After the build"
handoff examples. docs/architecture.md trimmed accordingly. STATUS
records scope decision and a `removed:` section with replacement
pointers.

Pre-cut state is accessible at the `pre-scope-cut` tag.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* chore(ci): drop spike-node24.yml

Dead weight. M-1 pre-flight probe to confirm runs.using:node24 on
hosted runners; that question has been answered for months — every
sub-action uses node24 and the main e2e workflow runs it across
ubuntu/macos/windows on every push. workflow_dispatch-only, so not
load-bearing.

Also drop the two docs/architecture.md references to it.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* docs: address Copilot review

- README quick start: wrap artifacts JSON via fromJson+join so
  upload-artifact gets newline-separated paths.
- architecture: clarify DI boundary (exec/logger only; fs not
  universally injected).
- architecture: codegen drift gate lives in ci.yml plus e2e
  codegen-drift job, not e2e.yml alone.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* feat: v1.0 hardening — tar reproducibility + digests output + post-sign verify

Three narrow-scope wins before v1.0.0. Each is a bug or contract tightening, not
a new feature surface.

- Tar reproducibility (packages/core/src/archive.ts): pass --mtime, --uid=0,
  --gid=0, --numeric-owner + pin source mtime with utimes before shelling out.
  Flags understood by both GNU tar (ubuntu) and bsdtar (macos + windows).
  Previously: same binary → different tar bytes → different sha across runs,
  breaking provenance/cache chains.

- digests output (packages/build/src/main.ts): emit a per-artifact
  { "<basename>": { sha256: "…", sha512: "…" } } JSON map alongside the
  existing SHASUMS files. Saves downstream consumers a file read + awk parse.

- Post-sign verification (packages/core/src/signing.ts): chain codesign --verify
  after sign, signtool verify /pa after signtool/azuresigntool. Catches bad
  identities and silent signing failures before archive/checksum.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* fix(archive): use GNU tar owner/group flags on linux

GNU tar (ubuntu runners) rejects --uid=0 / --gid=0; those are bsdtar-only.
Branch on process.platform: linux → --owner=0 --group=0, else --uid=0 --gid=0.
--mtime + --numeric-owner are portable across both.

Caught by E2E on refactor/scope-cut-build-only — tiny-cjs/ubuntu-latest failed
with: "tar: unrecognized option '--uid=0'".

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

Author: robertsLando

.github/workflows/e2e.yml

@@ -250,167 +250,3 @@ jobs:
           [ -f "$bin" ] || { echo "::error::binary missing: $bin"; exit 1; }
           echo "Checking $bin"
           node --experimental-strip-types .github/scripts/assert-windows-metadata.ts "$bin"
-
-  # ──────────────────────────────────────────────────────────────────────
-  # M6 §6.1: SLSA build-provenance attestation. Runs the composite with
-  # provenance=true on a cheap ubuntu-latest target; asserts that every
-  # artifact has a corresponding attestation uploaded to the repo's
-  # attestations store via `gh attestation list` + a JSON walk.
-  provenance:
-    name: provenance / ubuntu-latest
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Build tiny-app with provenance enabled
-        id: build
-        uses: ./
-        with:
-          config: test-fixtures/tiny-app-cjs/package.json
-          targets: node22-linux-x64
-          compress: tar.gz
-          checksum: sha256
-          filename: '{name}-{version}-{os}-{arch}'
-          provenance: true
-
-      - name: Verify an attestation was produced for the artifact
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        shell: bash
-        run: |
-          artifact=$(echo '${{ steps.build.outputs.artifacts }}' | jq -r '.[0]')
-          [ -f "$artifact" ] || { echo "::error::artifact missing: $artifact"; exit 1; }
-          echo "Verifying attestation for $artifact"
-          # gh attestation verify hits the repo's attestation store. When the
-          # attestation from this run was indexed successfully, this call
-          # exits 0 with a signed summary. Any failure means provenance
-          # wasn't produced or wasn't discoverable — treat both as fatal.
-          gh attestation verify "$artifact" --repo "$GITHUB_REPOSITORY"
-
-  # ──────────────────────────────────────────────────────────────────────
-  # M6 §6.2: SBOM generation. Runs the composite with sbom=cyclonedx on a
-  # cheap ubuntu-latest target; asserts the SBOM file is uploaded as a
-  # workflow artifact AND contains a valid CycloneDX 1.5 doc referencing
-  # the binary's hash.
-  sbom-cyclonedx:
-    name: sbom-cyclonedx / ubuntu-latest
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Build tiny-app with CycloneDX SBOM
-        id: build
-        uses: ./
-        with:
-          config: test-fixtures/tiny-app-cjs/package.json
-          targets: node22-linux-x64
-          compress: tar.gz
-          checksum: sha256
-          filename: '{name}-{version}-{os}-{arch}'
-          sbom: cyclonedx
-
-      - name: Assert SBOM file exists and parses
-        shell: bash
-        run: |
-          sbom="$RUNNER_TEMP"/pkg-action-*/final/tiny-app-cjs-0.0.1.cdx.json
-          # Glob it explicitly.
-          sbom_resolved=$(ls $sbom 2>/dev/null | head -n1)
-          [ -n "$sbom_resolved" ] || { echo "::error::SBOM file not found (glob: $sbom)"; exit 1; }
-          echo "Found SBOM: $sbom_resolved"
-          bomFormat=$(jq -r '.bomFormat' "$sbom_resolved")
-          specVersion=$(jq -r '.specVersion' "$sbom_resolved")
-          [ "$bomFormat" = "CycloneDX" ] || { echo "::error::bomFormat=$bomFormat"; exit 1; }
-          [ "$specVersion" = "1.5" ] || { echo "::error::specVersion=$specVersion"; exit 1; }
-          # metadata.component.name must be the project name.
-          projName=$(jq -r '.metadata.component.name' "$sbom_resolved")
-          [ "$projName" = "tiny-app-cjs" ] || { echo "::error::component.name=$projName"; exit 1; }
-          # formulation[].components[0].hashes must reference SHA-256.
-          algo=$(jq -r '.formulation[0].components[0].hashes[0].alg' "$sbom_resolved")
-          [ "$algo" = "SHA-256" ] || { echo "::error::hash alg=$algo"; exit 1; }
-          echo "SBOM OK"
-
-  # ──────────────────────────────────────────────────────────────────────
-  # M6 §6.3: Docker OCI publish. Builds a tiny-app binary and pushes it to
-  # the repo's own ghcr.io namespace under a disposable tag, then docker-
-  # pulls + runs the image and asserts stdout matches the expected version
-  # line. GITHUB_TOKEN has packages:write on ghcr by default.
-  docker-publish:
-    name: docker / ubuntu-latest
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@v6
-      - uses: docker/setup-buildx-action@v4
-
-      - name: Build tiny-app and push as OCI image
-        id: build
-        uses: ./
-        with:
-          config: test-fixtures/tiny-app-cjs/package.json
-          targets: node22-linux-x64
-          compress: none
-          checksum: sha256
-          filename: '{name}-{version}-{os}-{arch}'
-          docker-image: ghcr.io/${{ github.repository }}-e2e:{version}-{sha}
-          docker-username: ${{ github.actor }}
-          docker-password: ${{ secrets.GITHUB_TOKEN }}
-          # cc variant bundles libc + libstdc++ + libgcc, required by the
-          # pkg-packaged Node binary (base-debian12 lacks libstdc++.so.6).
-          docker-base-image: gcr.io/distroless/cc-debian12:latest
-
-      - name: Log in to ghcr.io for pull
-        # The action pushes via a private DOCKER_CONFIG dir to keep the
-        # password off argv, so the host daemon has no ghcr creds afterward.
-        # Authenticate the default config explicitly before docker pull.
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
-
-      - name: Pull + run the pushed image
-        shell: bash
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          image="ghcr.io/${GITHUB_REPOSITORY,,}-e2e:0.0.1-$(git rev-parse --short HEAD)"
-          echo "Pulling $image"
-          docker pull "$image"
-          out=$(docker run --rm "$image")
-          echo "Container stdout: $out"
-          echo "$out" | grep -q 'tiny-app-cjs 0.0.1' || {
-            echo "::error::image did not emit expected version line"
-            exit 1
-          }
-
-  sbom-spdx:
-    name: sbom-spdx / ubuntu-latest
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Build tiny-app with SPDX SBOM
-        id: build
-        uses: ./
-        with:
-          config: test-fixtures/tiny-app-cjs/package.json
-          targets: node22-linux-x64
-          compress: none
-          checksum: sha256
-          filename: '{name}-{version}-{os}-{arch}'
-          sbom: spdx
-
-      - name: Assert SPDX SBOM file exists and parses
-        shell: bash
-        run: |
-          sbom_resolved=$(ls "$RUNNER_TEMP"/pkg-action-*/final/tiny-app-cjs-0.0.1.spdx.json 2>/dev/null | head -n1)
-          [ -n "$sbom_resolved" ] || { echo "::error::SPDX SBOM not found"; exit 1; }
-          echo "Found SBOM: $sbom_resolved"
-          spdxVersion=$(jq -r '.spdxVersion' "$sbom_resolved")
-          [ "$spdxVersion" = "SPDX-2.3" ] || { echo "::error::spdxVersion=$spdxVersion"; exit 1; }
-          # DESCRIBES relationship to the project root must exist.
-          count=$(jq '[.relationships[] | select(.relationshipType=="DESCRIBES")] | length' "$sbom_resolved")
-          [ "$count" -ge 1 ] || { echo "::error::no DESCRIBES relationship"; exit 1; }
-          echo "SPDX SBOM OK"

.github/workflows/spike-node24.yml

@@ -1,29 +1,49 @@
 # `yao-pkg/pkg-action`
 
-> **Status: M0 scaffold — not yet functional. Do not consume from a workflow until `v1.0.0` is tagged.**
+> **Status: ALPHA — API still shifting until `v1.0.0`.**
 
-Official GitHub Action to build, sign, archive, and publish Node.js binaries with [`@yao-pkg/pkg`](https://github.com/yao-pkg/pkg).
+Official GitHub Action to build Node.js binaries with
+[`@yao-pkg/pkg`](https://github.com/yao-pkg/pkg).
+
+Scope is intentionally narrow: **build → (optional Windows metadata
+patch) → (optional sign) → archive → checksum**. The action stops at
+producing signed, checksummed files on disk and emitting their paths
+as step outputs. Shipping those files to a GitHub release, a workflow
+artifact, a container registry, or a package manager is a separate
+concern — chain a dedicated action against the `binaries` / `artifacts`
+/ `checksums` outputs.
 
 Tracking issue: [yao-pkg/pkg#248](https://github.com/yao-pkg/pkg/issues/248).
-Implementation plan: see the pinned comment on that issue.
 
-## What this will do (once shipped)
+## Quick start
 
 ```yaml
 - uses: yao-pkg/pkg-action@v1
+  id: build
   with:
     targets: node22-linux-x64,node22-macos-arm64,node22-win-x64
     compress: tar.gz
     checksum: sha256
-    attach-to-release: true
+
+- uses: actions/upload-artifact@v4
+  with:
+    name: pkg-binaries
+    path: "${{ join(fromJson(steps.build.outputs.artifacts), '\n') }}"
 ```
 
-…plus Windows metadata injection (`resedit`), macOS codesign + notarize, Windows signtool + Azure Trusted Signing, archive + checksum + release upload, and a matrix helper for cross-compile-safe multi-OS jobs.
+## Outputs
+
+| Output      | Shape                                                                     |
+| ----------- | ------------------------------------------------------------------------- |
+| `binaries`  | JSON array of absolute paths (bare binaries)                              |
+| `artifacts` | JSON array — archive when `compress != none`, else the binary             |
+| `checksums` | JSON array of SHASUMS file paths (one per algorithm)                      |
+| `digests`   | JSON object `{ "<artifact basename>": { "sha256": "…", "sha512": "…" } }` |
+| `version`   | Project version from `package.json#version`                               |
 
 ## Matrix helper
 
-When you want one shard per target, pinned to a native runner, use the
-`matrix` sub-action:
+One shard per target, pinned to a native runner:
 
 ```yaml
 jobs:
@@ -54,64 +74,64 @@ jobs:
           targets: ${{ matrix.entry.target }}
 ```
 
-Full reference — inputs, self-hosted overrides, cross-compile policy — in
-[`docs/matrix.md`](./docs/matrix.md).
+Reference: [`docs/matrix.md`](./docs/matrix.md).
 
-## Release attach
+## Windows metadata + signing
 
-Publish the produced binaries to a GitHub release in the same workflow:
+- Windows PE resource patch (ProductName, CompanyName, FileVersion,
+  icon, manifest) via `resedit` — set any `windows-*` input.
+- macOS codesign + optional notarytool staple.
+- Windows signtool or Azure Trusted Signing.
 
-```yaml
-on:
-  push:
-    tags: ['v*']
+All signing happens between Windows-metadata patch and archive, so the
+shasum and archive contain the signed bytes. Full input reference:
+[`docs/inputs.md`](./docs/inputs.md).
 
-permissions:
-  contents: write
+## After the build — example handoffs
 
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-      - uses: yao-pkg/pkg-action@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          targets: node22-linux-x64,node22-macos-arm64,node22-win-x64
-          compress: tar.gz
-          checksum: sha256
-          attach-to-release: true
-```
+Attach to a GitHub release:
 
-Full reference (non-tag triggers, body templating, asset overwrites,
-permissions) in [`docs/publishing.md`](./docs/publishing.md).
+```yaml
+- uses: yao-pkg/pkg-action@v1
+  id: build
+  with:
+    targets: node22-linux-x64,node22-macos-arm64,node22-win-x64
+    compress: tar.gz
+    checksum: sha256
 
-## Build provenance (SLSA)
+- uses: softprops/action-gh-release@v2
+  with:
+    files: |
+      ${{ join(fromJson(steps.build.outputs.artifacts), '\n') }}
+      ${{ join(fromJson(steps.build.outputs.checksums), '\n') }}
+```
 
-Opt in with `provenance: true` and grant the two required permissions
-to emit a signed SLSA build-provenance attestation for every artifact:
+Build + push a Docker image:
 
 ```yaml
-permissions:
-  contents: write
-  id-token: write
-  attestations: write
+- uses: yao-pkg/pkg-action@v1
+  id: build
+  with:
+    targets: node22-linux-x64
 
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-      - uses: yao-pkg/pkg-action@v1
-        with:
-          targets: node22-linux-x64,node22-macos-arm64,node22-win-x64
-          provenance: true
+- uses: docker/build-push-action@v6
+  with:
+    context: .
+    push: true
+    tags: ghcr.io/${{ github.repository }}:latest
+    build-args: BIN_PATH=${{ fromJson(steps.build.outputs.binaries)[0] }}
 ```
 
-Consumers verify with `gh attestation verify`. Full reference —
-permissions, release-attach combo, verification examples — in
-[`docs/provenance.md`](./docs/provenance.md).
+SLSA provenance:
+
+```yaml
+- uses: actions/attest-build-provenance@v4
+  with:
+    subject-path: ${{ join(fromJson(steps.build.outputs.artifacts), '\n') }}
+```
+
+Homebrew tap, Scoop bucket, npm package — all live in the same
+"consume outputs, run a dedicated action" pattern.
 
 ## Development
 
@@ -121,8 +141,6 @@ permissions, release-attach combo, verification examples — in
 - `yarn test` — `node --test` with `--experimental-strip-types`
 - `yarn lint` — ESLint + Prettier
 
-See `CONTRIBUTING.md` for the strip-types dev loop and `.node-version` policy.
-
 ## License
 
 MIT — see [`LICENSE`](./LICENSE).