keyrotate

Supply Chain Integrity

Document 02 of 5 · Last reviewed:

This document explains how the binaries you install are produced, how to verify them, and how to skip the prebuilts entirely if you prefer to build from source.

How binaries are built

Every tagged release triggers a GitHub Actions workflow (.github/workflows/release.yml) that:

  1. Checks out the tagged commit.
  2. Installs the pinned Bun version on a fresh ubuntu-latest runner.
  3. Cross-compiles the same TypeScript source four times: bun-darwin-arm64, bun-darwin-x64, bun-linux-x64, bun-windows-x64.
  4. Packages each binary as a tarball (zip for Windows), computes its SHA256, attaches all four artifacts to the GitHub Release, and publishes the same binaries as platform-specific npm packages under @prompto-studio/keyrotate-<platform>.
  5. Auto-renders a Homebrew Formula with the same SHA256s and attaches it to the release.

No human touches the artifacts between source and release. The workflow's run log is public, so you can audit every step that produced a given release.

Verifying a downloaded binary

Every GitHub Release page lists the SHA256 of each archive. To verify a download manually:

# macOS / Linux
shasum -a 256 keyrotate-darwin-arm64.tar.gz
# Compare against the SHA shown on the release page

If the hash does not match what GitHub published, do not install. Open an issue.

Verifying via Homebrew

The Homebrew Formula pins each download's SHA256. brew install verifies the hash automatically before extracting the binary. A mismatch causes the install to fail loudly.

Verifying via npm

npm computes a SHA512 integrity hash for every published tarball and verifies it on install. The integrity hash is visible on each package's npmjs.com page and in your package-lock.json.

Building from source

If you would rather not trust the prebuilt binaries, build keyrotate yourself from the public source. Build dependencies: Bun 1.2 or newer. No other runtime is needed; the resulting binary is statically linked.

git clone https://github.com/Prompto-Studio/keyrotate.git
cd keyrotate
git checkout v00.00.15            # pin a specific release tag
bun install --frozen-lockfile
bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/keyrotate
./dist/keyrotate version

The resulting dist/keyrotate is byte-identical to the published binary for the same tag and target. Confirm by computing its SHA256 and comparing against the release.
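The manual check described under "Verifying a downloaded binary" and the build-from-source comparison above are the same operation: hash the file, compare it to the digest from the release page, and stop if they differ. The script below is an added example, not part of the keyrotate repository; it picks sha256sum or shasum (whichever the host has), normalises digest case, and demonstrates on a constructed stand-in file rather than a real release archive.

```shell
#!/bin/sh
# Added example (not keyrotate's own code): verify a file against the
# SHA256 published on the GitHub Release page. Exit non-zero on mismatch
# so a wrapping install script cannot proceed past a bad digest.

# Print only the lowercase hex digest of file "$1".
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'   # macOS fallback
  fi
}

# verify_release_asset FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 otherwise (and reports both digests).
verify_release_asset() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"   # tolerate uppercase hex
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK        $file"
    return 0
  fi
  echo "MISMATCH  $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Demo on a constructed file that stands in for a real release archive or
# for the locally built dist/keyrotate; the digest is computed here rather
# than copied from a release page.
demo_dir="$(mktemp -d)"
demo_file="$demo_dir/keyrotate-darwin-arm64.tar.gz"
printf 'constructed sample archive\n' > "$demo_file"
published="$(sha256_of "$demo_file")"
verify_release_asset "$demo_file" "$published"
# A corrupted or tampered download would fail here and abort an install:
verify_release_asset "$demo_file" "$(printf '0%.0s' $(seq 1 64))" \
  || echo "refusing to install; open an issue with both digests"
rm -rf "$demo_dir"
```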

Dependencies

keyrotate has exactly one runtime npm dependency: @iarna/toml for parsing keyrotate.toml. All other functionality uses Bun's standard library. The lockfile is committed; Dependabot tracks updates.

What changed in this release

Every release publishes auto-generated release notes derived from the merged pull requests and direct commits since the previous tag. Browse them at github.com/Prompto-Studio/keyrotate/releases.