fix: release v0.1.10 - workflow security fixes and template formatting (#15)

* fix: fix minisign checksum verification in publish workflow

- Add proper formatting for minisign checksum file
- Set read-only permissions at top level following OpenSSF best practices
- Move NPM publish after security artifact generation
- Fix duplicate jobs section in workflow

* fix: add missing newlines to template files

- Fix missing newline at end of debugger.md
- Fix missing newlines in all command template files
- Add newline to end of CLAUDE.md individual preferences section

* chore: bump version to 0.1.10

- Update package.json version to 0.1.10
- Update package-lock.json version
- Add v0.1.10 changelog entry documenting all fixes

Author: ramonclaudio

.github/workflows/publish.yml

@@ -6,13 +6,16 @@ on:
       - 'v*'
 
 permissions:
-  id-token: write
-  contents: write
-  attestations: write
-
+  contents: read
+  id-token: write  # Required for npm provenance
+  
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write  # Required for creating releases
+      id-token: write  # Required for npm provenance
+      attestations: write  # Required for SLSA attestations
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.12.0
@@ -53,11 +56,6 @@ jobs:
       - run: npm run build --if-present
       - run: npm test
 
-      - name: Publish with provenance
-        run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-      
       - name: Create package tarball and set version
         run: |
           npm pack
@@ -69,6 +67,8 @@ jobs:
           # Download minisign with checksum verification
           curl -LO https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz
           curl -LO https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz.sha256
+          # Fix checksum format (file contains only hash, not "hash  filename" format)
+          echo "$(cat minisign-0.12-linux.tar.gz.sha256)  minisign-0.12-linux.tar.gz" > minisign-0.12-linux.tar.gz.sha256
           sha256sum -c minisign-0.12-linux.tar.gz.sha256
           tar xzf minisign-0.12-linux.tar.gz
           sudo mv minisign-linux/x86_64/minisign /usr/local/bin/
@@ -135,10 +135,14 @@ jobs:
           find . -name "*.intoto.jsonl" -exec minisign -Sm {} -s minisign.key -t "SLSA Attestation for create-claude v$VERSION" \;
           find . -name "*.intoto.jsonl" -exec gpg --armor --detach-sign --output {}.asc {} \;
           
-      - name: Cleanup sensitive files and temporary artifacts
+      - name: Cleanup sensitive files
         run: |
           rm -f minisign.key
-          rm -f *.tar.gz *.sha256
+          
+      - name: Publish with provenance to NPM
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create comprehensive GitHub Release
         uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.3.2

CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.10] - 2025-09-07
+
+### Fixed
+
+- **Publish Workflow**: Fixed minisign checksum verification format issue preventing security artifact generation
+- **Workflow Security**: Improved token permissions following OpenSSF best practices with read-only defaults
+- **Workflow Ordering**: Reorganized publish workflow to ensure all security artifacts are generated before NPM publish
+- **Template Formatting**: Fixed missing newlines in command and agent template files
+
+### Security
+
+- **Token Permissions**: Set top-level permissions to read-only with job-level write permissions only where required
+- **OpenSSF Compliance**: Aligned publish workflow with OpenSSF Scorecard requirements for signed releases and SBOMs
+
 ## [0.1.9] - 2025-09-07
 
 ### Added

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "create-claude",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Claude Code setup that just works. Bootstrap every project with agents, hooks, commands, and smart permissions. One command, zero headaches.",
   "type": "module",
   "sideEffects": false,

package.json

@@ -54,4 +54,4 @@ FIX: [file:line]
 VERIFIED: [test command]
 ```
 
-No theories. Only facts and fixes.
+No theories. Only facts and fixes.

skel/.claude/agents/debugger.md

@@ -6,10 +6,12 @@ model: claude-3-5-haiku-20241022
 ---
 
 ## Context
+
 - Status: !`git status --short`
 - Staged changes: !`git diff --cached --stat`
 
 ## Task
+
 Stage and commit changes with message: $ARGUMENTS
 
-Use conventional commit format. Be concise.
+Use conventional commit format. Be concise.

skel/.claude/commands/commit.md

@@ -5,4 +5,4 @@ argument-hint: [file-or-component]
 
 Explain $ARGUMENTS
 
-One paragraph max. Focus on what it does, not how.
+One paragraph max. Focus on what it does, not how.

skel/.claude/commands/explain.md

@@ -9,4 +9,4 @@ Fix issue: $ARGUMENTS
 2. Find root cause
 3. Implement minimal fix
 4. Verify with tests
-5. No side effects
+5. No side effects

skel/.claude/commands/fix.md

@@ -5,4 +5,4 @@ argument-hint: [file-or-function]
 
 Optimize: $ARGUMENTS
 
-Find performance bottlenecks. Implement specific improvements. Measure impact.
+Find performance bottlenecks. Implement specific improvements. Measure impact.

skel/.claude/commands/optimize.md

@@ -5,10 +5,12 @@ allowed-tools: Bash(git:*), Read(*), Write(*)
 ---
 
 ## Context
+
 - Current branch: !`git branch --show-current`
 - Git status: !`git status --short`
 - Recent commits: !`git log --oneline -5`
 - Files changed: !`git diff --stat HEAD~1`
 
 ## Task
-Create a pull request for current changes. Summarize what changed and why. Include test plan.
+
+Create a pull request for current changes. Summarize what changed and why. Include test plan.