AIWG 2026.6.7 — "@aiwg/cockpit provenance metadata"
AIWG 2026.6.7 — "@aiwg/cockpit provenance metadata"
Released: 2026-06-21 Channel: stable (`npm install -g aiwg`)
Maintenance cut to validate the new `@aiwg/cockpit` npm trusted-publishing leg. The previous 2026.6.6 run generated a Sigstore provenance bundle for `github.com/jmagly/aiwg`, but npm rejected the cockpit publish because the packed `apps/cockpit/package.json` had no `repository.url`.
Fix
`@aiwg/cockpit` now declares repository metadata that matches the GitHub Actions provenance identity:
{
"repository": {
"type": "git",
"url": "https://github.com/jmagly/aiwg",
"directory": "apps/cockpit"
}
}
The npm scope is `@aiwg`, but the provenance source repository is still the GitHub mirror that runs the publish workflow. The `directory` field points npm users and registry metadata at the subpackage inside the monorepo.
The cockpit publishability smoke test now asserts this metadata so an empty or missing `repository.url` fails locally before a release tag is cut.
Upgrade
npm install -g aiwg # 2026.6.7
aiwg version # -> 2026.6.7 [stable]
No action required. Release-pipeline/package-metadata validation cut; no CLI behavior changes.
Links
- Changelog: `CHANGELOG.md`
- Release process: `docs/contributing/versioning.md`