Skip to content

Commit bd6efd2

Browse files
committed
docs(release): confirm npm token revocation — credential hygiene fully closed, @Loop-Engine family TP-only
1 parent 521a1ef commit bd6efd2

1 file changed

Lines changed: 6 additions & 2 deletions

File tree

docs/internal/release-rc1-publish-plan.md

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -156,14 +156,18 @@ Tag push is performed manually after this review.
156156
- CI publish confirmed from GitHub Actions: bootstrap dispatch `27287626502` (success, `580a8c5`),
157157
OIDC tag run `27288864301` (success, `9c5be4e`). No laptop publish.
158158

159-
**Credential hygiene: PASS (one item user-attested)**
159+
**Credential hygiene: PASS (confirmed)**
160160
- 9 first-ever names bootstrapped via the gated `token_bootstrap` dispatch; path retired —
161161
`BOOTSTRAP_PACKAGES` pruned with empty-list guard (`9c5be4e`).
162162
- `NPM_TOKEN` repo secret **deleted** (verified: `gh secret list` empty).
163163
- Trusted Publishers bound for the 9 (repo `loopengine/loop-engine`, workflow
164164
`rc-tag-release.yml`, environment blank) — user-performed 2026-06-10; mechanically provable at
165165
the next OIDC publish of any of the 9.
166-
- npm-side token revocation: user-attested (registry state not queryable from CI).
166+
- npm-side tokens revoked — **confirmed 2026-06-10 09:57 PT** (account token page): bootstrap
167+
"Runbook Token", rc.0-era "automation", and expired "bttrdata" all deleted. **No standing
168+
long-lived token remains for the `@loop-engine` family** — TP-only publishing from here. One
169+
account token remains by deliberate choice (`betterdata-org-publish`, expires Jul 30) for the
170+
`@betterdata/*` npmjs pipeline (Signal Tags) — different family, out of this gate's scope.
167171

168172
**Tag integrity: PASS**
169173
- Remote `refs/tags/v1.0.0-rc.1` (annotated `8a3c067`) dereferences to **`9c5be4e`**; the stale

0 commit comments

Comments
 (0)