Changelog

Version history and release notes for epack CLI and specification.

v0.1.34 May 2026 Latest

Security fixes for transitive dependencies.

Dependencies

  • Bumped go-jose to v4.1.4 to fix a JWE decryption panic (GHSA-78h2-9frx-2jm8)
  • Bumped sigstore/timestamp-authority to v2.0.6 for improper certificate validation in the verifier (GHSA-xm5m-wgh2-rrg3)
  • Bumped go.opentelemetry.io/otel to v1.42.0 to fix a baggage-header allocation amplification (GHSA-mh2q-q3fh-2475)

v0.1.32 May 2026 Stable

Collection levels for graduated evidence gathering.

Protocol

  • Reserved a top-level level config key with values trust, audit, internal; defaults to trust when absent
  • Levels are cumulative: audit is a superset of trust; internal is a superset of audit
  • Unknown values downgrade to trust with a stderr warning so collectors never gather more than was asked for
  • Collectors that honor the field stamp collected_at_level on their top-level artifact so downstream consumers can tell which level the evidence was gathered at

Go SDK

  • Added componentsdk.Level with LevelTrust / LevelAudit / LevelInternal constants
  • Added ctx.Level() reader and Level.AtLeast(other) comparator for gating field collection
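The level handling described in the Protocol and Go SDK notes above, as an added, stand-alone illustration (not the epack SDK's own code): a Level type with the three constants, a parser that defaults an absent value to trust and downgrades an unknown value to trust with a stderr warning, the AtLeast comparator, and a hypothetical collector that gates extra fields on the level and stamps collected_at_level on its artifact. The type and constant names follow the release notes; ParseLevel, Collect, and all sample field values are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Level mirrors the cumulative collection levels from the v0.1.32 notes.
// Ordering matters: trust < audit < internal, so a higher level implies
// every lower one. Names follow componentsdk.Level; the implementation is
// an illustration, not the SDK's code.
type Level int

const (
	LevelTrust Level = iota
	LevelAudit
	LevelInternal
)

func (l Level) String() string {
	switch l {
	case LevelAudit:
		return "audit"
	case LevelInternal:
		return "internal"
	default:
		return "trust"
	}
}

// AtLeast reports whether l includes everything other asks for:
// audit is a superset of trust; internal is a superset of audit.
func (l Level) AtLeast(other Level) bool { return l >= other }

// ParseLevel maps the top-level `level` config value to a Level
// (hypothetical helper). An absent value means trust. An unknown value
// also becomes trust and yields a warning, so a typo such as "audti" can
// never make a collector gather more than was asked for.
func ParseLevel(raw string) (Level, string) {
	switch raw {
	case "", "trust":
		return LevelTrust, ""
	case "audit":
		return LevelAudit, ""
	case "internal":
		return LevelInternal, ""
	default:
		return LevelTrust, fmt.Sprintf("warning: unknown level %q, downgrading to trust", raw)
	}
}

// Collect is a hypothetical collector: it always records the integrity
// fields, adds audit detail only at audit or above, and adds internal
// detail only at internal. The level actually used is stamped on the
// artifact as collected_at_level.
func Collect(level Level) map[string]any {
	art := map[string]any{
		"collected_at_level": level.String(),
		"artifact_digest":    "sha256:0000000000000000000000000000000000000000000000000000000000000000", // constructed placeholder
	}
	if level.AtLeast(LevelAudit) {
		art["build_log"] = []string{"step 1: ok", "step 2: ok"} // constructed sample
	}
	if level.AtLeast(LevelInternal) {
		art["runner_env"] = map[string]string{"CI_RUNNER": "constructed-runner-01"} // constructed sample
	}
	return art
}

func main() {
	// The configured level comes from argv for the demo; pass e.g. "audti"
	// to see the downgrade path. A real collector would read epack.yaml.
	raw := "audit"
	if len(os.Args) > 1 {
		raw = os.Args[1]
	}
	level, warn := ParseLevel(raw)
	if warn != "" {
		fmt.Fprintln(os.Stderr, warn)
	}
	out, err := json.MarshalIndent(Collect(level), "", "  ")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

The important design choice is the failure direction: a misspelled or unrecognised level must resolve to the least-collecting option, and the artifact must carry the level that was really applied rather than the one that was requested, so a downstream policy check can notice that an audit-level pack was in fact collected at trust.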

v0.1.31 March 2026 Stable

Locktivity-managed credentials, portable hooks, build-context emission, and smoother GitHub Actions signing.

Managed Workflows

  • Added top-level credential_sets for Locktivity-managed workflow integrations
  • Collectors, tools, and remotes can request managed credentials by logical ref
  • Locktivity remote auth docs now reflect access_token, device_code, and client_credentials

Runner UX

  • Added epack hooks run for portable project hooks under .epack/hooks/
  • Added epack context build to emit build metadata for runners
  • Project scaffolding now keeps .epack/hooks/ tracked while ignoring other runtime state

CI/CD Signing

  • epack sign now uses ambient GitHub Actions OIDC automatically when id-token: write is granted
  • Other CI systems can continue to provide EPACK_OIDC_TOKEN explicitly

v0.1.29 March 2025 Stable

Profile and overlay support, multiple collector artifacts, and new top-level commands.

Profiles & Overlays

  • Added profiles and overlays configuration sections in epack.yaml
  • Support for registry-sourced profiles with version locking
  • Profile/overlay digests tracked in manifest for reproducibility

Collector SDK

  • Breaking: Emit() now accepts []CollectedArtifact for multiple artifacts per collection
  • New CollectedArtifact struct with Schema and Path metadata
  • Collectors can emit multiple artifacts in a single call

New Commands

  • epack catalog search — unified search across collectors, tools, remotes, and utilities
  • epack catalog refresh — update local catalog cache
  • epack utility install/list/remove — manage global utilities

Remote Protocol

  • Added runs.sync and auth.whoami feature capabilities
  • Consistent sync behavior across collector, tool, and remote adapters

Bug Fixes

  • Fixed offline verification mode to properly use embedded timestamps
  • Fixed JSON output returning null instead of [] for empty arrays

v0.1.27 March 2025

Verification improvements and remote protocol enhancements.

Verification

  • Improved error messages for attestation verification failures
  • Added support for sigstore-js provenance bundles

Remote Protocol

  • Added sidecar push support for parallel attestation uploads
  • Improved push workflow reliability

v0.1.24 February 2025

Initial public release of the Evidence Pack specification and epack CLI.

Specification

  • Evidence Pack format specification v1.0
  • Manifest schema with SHA-256 digests for all artifacts
  • Sigstore attestation bundle format
  • Pack digest and manifest digest algorithms

CLI (epack-core)

  • build — create packs from artifacts
  • sign — keyless signing via Sigstore
  • verify — integrity and signature verification
  • inspect — view pack contents and metadata
  • diff — compare two packs
  • merge — combine multiple packs
  • list — list artifacts in a pack
  • extract — extract artifacts from a pack

CLI (Full)

  • new — scaffold a new epack project
  • init — initialize epack in existing directory
  • collect — run collectors and build pack
  • push / pull — remote registry operations
  • lock / sync / install / update — dependency management
  • collector / tool — plugin management

Go SDK

  • pack — core pack types and operations
  • pack/builder — fluent API for building packs
  • pack/verify — verification with policy options
  • sign — Sigstore signing integration

Stay Updated

Watch the repository for new releases and subscribe to release notifications.

Versioning Policy

epack follows Semantic Versioning:

  • Major versions (1.0, 2.0) may include breaking changes to the specification or CLI
  • Minor versions (0.2, 0.3) add new features in a backwards-compatible manner
  • Patch versions (0.1.1, 0.1.2) include backwards-compatible bug fixes

Specification vs CLI versions

The Evidence Pack specification version is independent of the CLI version. The specification is versioned in the manifest ("spec_version": "1.0") and changes less frequently than the CLI.

Backwards compatibility

The CLI will always be able to read packs created by older versions. New features that require pack format changes will use new specification versions, and the CLI will indicate when a pack requires a newer version.