ramonclaudio · ramonclaudio · Sep 6, 2025 · Sep 6, 2025 · Sep 6, 2025 · Sep 6, 2025
diff --git a/.github/workflows/audit-signatures.yml b/.github/workflows/audit-signatures.yml
@@ -24,12 +24,12 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Setup Node.js
-      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
-        node-version: '18'
+        node-version: '22'
         cache: 'npm'
 
     - name: Install dependencies

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,18 +17,18 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Setup Node.js
-      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
-        node-version: '18'
+        node-version: '22'
         cache: 'npm'
 
     - name: Enable corepack and set npm version
       run: |
         corepack enable
-        corepack prepare npm@10.9.0 --activate
+        corepack prepare npm@11.6.0 --activate
 
     - name: Install dependencies
       run: npm ci
@@ -50,37 +50,37 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+      uses: github/codeql-action/init@16df4fbc19aea13d921737861d6c622bf3cefe23 # v2.23.0
       with:
         languages: javascript-typescript
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+      uses: github/codeql-action/autobuild@16df4fbc19aea13d921737861d6c622bf3cefe23 # v2.23.0
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+      uses: github/codeql-action/analyze@16df4fbc19aea13d921737861d6c622bf3cefe23 # v2.23.0
 
   fuzz:
     name: Fuzz Testing
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Setup Node.js
-      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
-        node-version: '18'
+        node-version: '22'
         cache: 'npm'
 
     - name: Enable corepack and set npm version
       run: |
         corepack enable
-        corepack prepare npm@10.9.0 --activate
+        corepack prepare npm@11.6.0 --activate
 
     - name: Install dependencies
       run: npm ci

diff --git a/.github/workflows/fuzz-testing.yml b/.github/workflows/fuzz-testing.yml
@@ -24,26 +24,26 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Setup Node.js
-      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
-        node-version: '18'
+        node-version: '22'
         cache: 'npm'
 
     - name: Enable corepack and set npm version
       run: |
         corepack enable
-        corepack prepare npm@10.9.0 --activate
+        corepack prepare npm@11.6.0 --activate
 
     - name: Install dependencies
       run: npm ci
 
     - name: Install fast-check with lock file
       run: |
-        echo '{"name":"fuzz-test","devDependencies":{"fast-check":"3.22.0"}}' > package.json
-        npm install --package-lock-only
+        echo '{"name":"fuzz-test","devDependencies":{"fast-check":"4.3.0"}}' > package.json
+        npx --package=npm@11.6.0 npm install --package-lock-only
         npm ci
 
     - name: Create fuzz test

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -7,24 +7,40 @@ on:
 
 permissions:
   id-token: write
-  contents: read
+  contents: write
   attestations: write
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.12.0
+        with:
+          disable-sudo: false
+          allowed-endpoints: |
+            api.github.com:443
+            registry.npmjs.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
+            uploads.github.com:443
+            nodejs.org:443
+            fulcio.sigstore.dev:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: '20'
+          node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
       - name: Enable corepack and set npm version
         run: |
           corepack enable
-          corepack prepare npm@10.9.0 --activate
+          corepack prepare npm@11.6.0 --activate
 
       - run: npm ci
 
@@ -40,4 +56,150 @@ jobs:
       - name: Publish with provenance
         run: npm publish --provenance --access public
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Create package tarball and set version
+        run: |
+          npm pack
+          echo "PACKAGE_FILE=$(ls create-claude-*.tgz | head -1)" >> $GITHUB_ENV
+          echo "VERSION=$(ls create-claude-*.tgz | head -1 | sed 's/create-claude-\(.*\)\.tgz/\1/')" >> $GITHUB_ENV
+
+      - name: Install and verify minisign
+        run: |
+          # Download minisign with checksum verification
+          curl -LO https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz
+          curl -LO https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz.sha256
+          sha256sum -c minisign-0.12-linux.tar.gz.sha256
+          tar xzf minisign-0.12-linux.tar.gz
+          sudo mv minisign-linux/x86_64/minisign /usr/local/bin/
+          rm -f minisign-0.12-linux.tar.gz minisign-0.12-linux.tar.gz.sha256
+
+      - name: Setup minisign keys
+        run: |
+          echo "${{ secrets.MINISIGN_PRIVATE_KEY }}" | base64 -d > minisign.key
+          chmod 600 minisign.key
+
+      - name: Sign package with minisign
+        run: |
+          minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)"
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Sign package with GPG
+        run: |
+          gpg --armor --detach-sign --output "$PACKAGE_FILE.asc" "$PACKAGE_FILE"
+
+      - name: Generate SLSA Provenance
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        with:
+          subject-path: ${{ env.PACKAGE_FILE }}
+
+      - name: Generate comprehensive SBOMs with Syft
+        uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
+        with:
+          path: .
+          format: 'spdx-json,cyclonedx-json,cyclonedx-xml'
+          output-file: 'create-claude-${{ env.VERSION }}.sbom'
+
+      - name: Generate legacy SPDX with Microsoft tool
+        run: |
+          # Download and verify Microsoft SBOM tool
+          curl -LO https://github.com/microsoft/sbom-tool/releases/download/v4.1.2/sbom-tool-linux-x64
+          curl -LO https://github.com/microsoft/sbom-tool/releases/download/v4.1.2/sbom-tool-linux-x64.sha256
+          sha256sum -c sbom-tool-linux-x64.sha256
+          chmod +x sbom-tool-linux-x64
+
+          # Generate Microsoft SBOM
+          ./sbom-tool-linux-x64 generate -b . -bc . -pn create-claude -pv $VERSION -ps RMNCLDYO -nsb https://github.com/RMNCLDYO/create-claude
+          mv _manifest/spdx_2.2/manifest.spdx.json "create-claude-$VERSION.ms-spdx.json"
+
+          # Cleanup
+          rm -rf _manifest sbom-tool-linux-x64 sbom-tool-linux-x64.sha256
+
+      - name: Sign all SBOMs and attestations
+        run: |
+          # Sign all SBOM files with both minisign and GPG
+          for sbom in create-claude-$VERSION.sbom.* create-claude-$VERSION.ms-spdx.json; do
+            if [ -f "$sbom" ]; then
+              echo "Signing $sbom"
+              minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION"
+              gpg --armor --detach-sign --output "$sbom.asc" "$sbom"
+            fi
+          done
+
+          # Find and sign any GitHub attestation files
+          find . -name "*.intoto.jsonl" -exec minisign -Sm {} -s minisign.key -t "SLSA Attestation for create-claude v$VERSION" \;
+          find . -name "*.intoto.jsonl" -exec gpg --armor --detach-sign --output {}.asc {} \;
+
+      - name: Cleanup sensitive files and temporary artifacts
+        run: |
+          rm -f minisign.key
+          rm -f *.tar.gz *.sha256
+
+      - name: Create comprehensive GitHub Release
+        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.3.2
+        with:
+          tag_name: ${{ github.ref_name }}
+          name: Release ${{ github.ref_name }}
+          body: |
+            ## 🚀 Release ${{ github.ref_name }}
+
+            **Install:**
+            ```bash
+            npm install -g create-claude@${{ github.ref_name }}
+            ```
+
+            ## 🔐 Security & Verification
+
+            **Package Signatures:**
+            ```bash
+            # Download verification keys
+            curl -O https://raw.githubusercontent.com/${{ github.repository }}/main/minisign.pub
+
+            # Verify minisign signature (recommended)
+            minisign -Vm create-claude-${{ github.ref_name }}.tgz -p minisign.pub
+
+            # Verify GPG signature
+            gpg --verify create-claude-${{ github.ref_name }}.tgz.asc create-claude-${{ github.ref_name }}.tgz
+            ```
+
+            **Supply Chain Attestations:**
+            - ✅ **NPM Provenance**: Package published with Sigstore attestation
+            - ✅ **SLSA Build Provenance**: GitHub-generated build attestation  
+            - ✅ **Signed SBOMs**: All dependency manifests cryptographically signed
+
+            ## 📋 Software Bill of Materials (SBOM)
+
+            Multiple SBOM formats available for comprehensive dependency analysis:
+
+            | Format | File | Signatures |
+            |--------|------|------------|
+            | **SPDX 2.3** | `create-claude-${{ github.ref_name }}.sbom.spdx.json` | `.minisig`, `.asc` |
+            | **CycloneDX** | `create-claude-${{ github.ref_name }}.sbom.cyclonedx.json` | `.minisig`, `.asc` |
+            | **CycloneDX XML** | `create-claude-${{ github.ref_name }}.sbom.cyclonedx.xml` | `.minisig`, `.asc` |
+            | **Microsoft SPDX** | `create-claude-${{ github.ref_name }}.ms-spdx.json` | `.minisig`, `.asc` |
+            | **SLSA Provenance** | `*.intoto.jsonl` | `.minisig`, `.asc` |
+
+            ## 🛡️ Security Standards Compliance
+
+            - 🎯 **OpenSSF Scorecard**: Optimized for maximum security score
+            - 🏆 **SLSA Level 3**: Build provenance and hermetic builds  
+            - 📊 **SSDF Compliant**: Secure software development framework
+            - 🔍 **SBOM Standards**: SPDX 2.3, CycloneDX 1.5+ compatible
+
+            ---
+
+            **Full Changelog**: [CHANGELOG.md](https://github.com/RMNCLDYO/create-claude/blob/main/CHANGELOG.md)
+          files: |
+            create-claude-*.tgz
+            create-claude-*.tgz.minisig
+            create-claude-*.tgz.asc
+            *.intoto.jsonl
+            *.intoto.jsonl.minisig
+            *.intoto.jsonl.asc
+            create-claude-*.sbom.*
+            create-claude-*.ms-spdx.json*
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -21,25 +21,25 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/upload-sarif@16df4fbc19aea13d921737861d6c622bf3cefe23 # v2.23.0
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -21,12 +21,12 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Setup Node.js
-      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
-        node-version: '18'
+        node-version: '22'
         cache: 'npm'
 
     - name: Install dependencies
@@ -39,11 +39,11 @@ jobs:
       run: npm audit signatures
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+      uses: github/codeql-action/init@16df4fbc19aea13d921737861d6c622bf3cefe23 # v2.23.0
       with:
         languages: javascript
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+      uses: github/codeql-action/analyze@16df4fbc19aea13d921737861d6c622bf3cefe23 # v2.23.0
       with:
         category: "/language:javascript"