Releases: CycodeLabs/cimon-action

v1.0.1 — Expose installed cimon path to downstream steps

17 May 09:14
Immutable release. Only release title and notes can be modified.
a0870cc

Follow-up to v1.0.0. The per-job install dir that landed in v1.0.0 made the binary unreachable for any verify step that hardcoded the pre-v1.0.0 path. This release surfaces the install location three ways so workflows don't have to reconstruct the tmpdir layout.

What's in (#121)

After the action installs cimon, the install directory is added to PATH, the absolute path is exported as CIMON_PATH, and the same path is emitted as the cimon-path step output. Subsequent steps can pick whichever fits their pattern:

- id: cimon
  uses: cycodelabs/cimon-action/attest@v1
  with: { subjects: dist\my-app.msi, keyless: true }

- name: Verify (PATH lookup)
  run: cimon.exe attest verify --subjects dist\my-app.msi --signed-prov provenance.intoto.jsonl.sig --keyless

- name: Verify (env var)
  run: '& $env:CIMON_PATH attest verify ...'

- name: Verify (step output)
  run: '& "${{ steps.cimon.outputs.cimon-path }}" attest verify ...'

Applies to all three install branches: Windows release-zip, Linux install.sh, and the release-path input override.

Verified

verify-attest-windows end-to-end job on windows-latest exercises the new behavior and passes in ~21s.

Notes

  • No input changes, no breaking changes for existing @v1 consumers — workflows that didn't reach into $RUNNER_TEMP keep working unchanged.
  • The hardcoded-path failure mode only affected explicit $RUNNER_TEMP\cimon\ references in verify steps; the action's own attest call continued to work in v1.0.0.

v1.0.0 — Windows / GHES attest support

17 May 08:33
Immutable release. Only release title and notes can be modified.
5b283fa

First numbered v1.X.Y release. From here on, concrete release tags and the @v1 floating tag agree on the major.

Cross-platform cimon-action/attest: the attest sub-action now runs on Linux, Windows, and macOS GitHub Actions runners — including self-hosted runners on GitHub Enterprise Server.

What's in

  • Windows install path (#118): resolves the latest tag from cycodelabs/cimon-releases and downloads cimon_windows_x86_64.zip directly. No S3 dependency.
  • Per-job install dir + wipe-before-install (#114): closes a silent-reuse hole on self-hosted runners with persistent $RUNNER_TEMP. Applied to both the Linux install.sh path and the Windows release-zip path.
  • verify-attest-windows CI job exercises the action end-to-end on windows-latest with keyed signing.
  • Cross-platform attest/README.md with GHES support notes and signing-path guidance (KMS / private Sigstore / keyed offline / public Sigstore).
  • Hardened build-attest-dist.yaml: npm ci --ignore-scripts, single-file commit guard, fork-safe checkout.
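A sketch of the wipe-before-install pattern from #114 combined with the three-way path exposure described for v1.0.1, for the Linux side. This is an added example, not code from cimon-action: the function names and the `cimon-<run id>-<job>` directory layout are assumptions, while `GITHUB_PATH`, `GITHUB_ENV` and `GITHUB_OUTPUT` are the standard GitHub Actions workflow-command files.

```shell
#!/bin/sh
# Added illustration; not the action's own code. The directory layout and
# function names are hypothetical.

# Per-job install dir under the runner temp dir.
job_install_dir() {
    printf '%s/cimon-%s-%s\n' \
        "${RUNNER_TEMP:?}" "${GITHUB_RUN_ID:?}" "${GITHUB_JOB:?}"
}

# On a self-hosted runner with a persistent RUNNER_TEMP, a directory left by
# an earlier attempt may still hold a binary. Remove it before installing so
# a stale or tampered file is never picked up silently.
prepare_install_dir() {
    dir=$(job_install_dir) || return 1
    rm -rf -- "$dir" || return 1
    # No -p: fail if something recreated the path after the wipe.
    mkdir -m 700 -- "$dir" || return 1
    printf '%s\n' "$dir"
}

# Surface the install location three ways for later steps:
#   PATH lookup, CIMON_PATH env var, and the cimon-path step output.
expose_install() {
    dir=$1
    bin=$2
    printf '%s\n' "$dir" >> "$GITHUB_PATH"
    printf 'CIMON_PATH=%s\n' "$dir/$bin" >> "$GITHUB_ENV"
    printf 'cimon-path=%s\n' "$dir/$bin" >> "$GITHUB_OUTPUT"
}
```

A caller would run `prepare_install_dir`, place the downloaded binary in the returned directory, and then call `expose_install "$dir" cimon`.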

Requirements

  • Cimon binary ≥ v1.0.17 on the release side (already published to cycodelabs/cimon-releases). The action installs this automatically.

Notes

  • Hardening agent (cimon-action@v1 top-level, prevent: true) remains Linux-only.
  • Windows ARM64 not yet supported; cimon-action/attest fails fast on Windows ARM64 with a clear error.

Versioning note

Earlier releases were tagged as v0.X.Y while @v1 floated forward — a scheme inconsistency carried over from when the v1 floating tag was first introduced. Starting with this release, concrete tags are v1.X.Y to match. @v1 consumers see no change in behavior; the floating tag dereferences to the same commit either way.

Verified reference run

https://github.com/CycodeLabsDemo/cimon-demo-simple-app/actions/runs/25858006630

Customer-facing walkthrough

cimon-windows-l3-attestation-v1.0.17.pdf

v0.10.1

10 May 08:13
Immutable release. Only release title and notes can be modified.
3ca67e8

Backport of #115. Bumps action runtime from Node 20 → Node 24.

GitHub is forcing Node 24 on hosted runners on June 2, 2026 and removing Node 20 support on September 16, 2026. Without this patch, customers pinned to @v0 or @v0.10.x will fail to start on that date.

Required: self-hosted runners must be on a version of actions/runner that ships Node 24. Same for GitHub Enterprise Server.

v0.10.0

24 Mar 09:40
Immutable release. Only release title and notes can be modified.
f99ad55

What's New

  • Auto-upload SBOM artifacts from post step — no need for separate upload-artifact step
  • SBOM summary in job report with component/relationship counts per build
  • Memory protection support
  • File integrity support
  • PR comment summary support
  • ESM compatibility fix for Node.js 20+

Bug Fixes

  • Fix SBOM artifact ZIP paths when using CIMON_SBOM_OUTPUT_DIRECTORY
  • Backward compatibility with older cimon versions without stats fields
  • Filter noise from SBOM summary (TryCompile, empty subbuilds)
  • Use same binary for stop as start to prevent timeout mismatches

v0.9.4

23 Oct 08:08
1c3e30d

release: prepare v0.9.4 (#66)

v0.7.3

08 Jun 08:25
a776840

release: prepare v0.7.3 (#29)

v0.7.1

05 Jun 16:56
bb3e53d

preparing release: v0.7.1 (#27)

v0.7.0

26 May 11:41
02e8957

What's Changed

Full Changelog: v0.6.0...v0.7.0

v0.6.0

23 May 09:10
67ab925

What's Changed

Full Changelog: v0.5.0...v0.6.0

v0.5.0

10 May 10:05
3c32d1b

What's Changed

New Contributors

Full Changelog: v0.4.0...v0.5.0