From 2fafe4c45244c417e3e77ed1c7931232bb025204 Mon Sep 17 00:00:00 2001
From: chrismaz11
Date: Mon, 16 Mar 2026 19:59:02 -0500
Subject: [PATCH] chore: bump project to v0.2.0
---
CHANGELOG.md | 2 ++
CONTRIBUTING.md | 2 +-
README.md | 4 +--
docs/integration.md | 2 +-
docs/live-test.md | 4 +--
docs/release-notes/v0.2.0.md | 48 ++++++++++++++++++++++++++++++++++++
package.json | 2 +-
7 files changed, 57 insertions(+), 7 deletions(-)
create mode 100644 docs/release-notes/v0.2.0.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc015db..b72a4ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,8 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and ## [Unreleased] +## [0.2.0] - 2026-03-16 + ### Changed - `sha256File` now uses a streaming `fs.createReadStream` instead of `fs.readFileSync` to avoid loading large artifacts fully into memory.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 24e5fc0..2787ec2 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -46,5 +46,5 @@ npm run validate:local - Follow semantic versioning. - Commit updated `dist/index.js` with each release. -- Publish immutable tags such as `v0.1.0` and maintain a major tag such as `v1`. +- Publish immutable tags such as `v0.2.0` and maintain a major tag such as `v1`. - GitHub Marketplace publication requires a public repository with `action.yml` at the repository root.
diff --git a/README.md b/README.md
index 29ead1f..d272f8d 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ jobs: - name: Verify and issue receipt id: trustsignal - uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.1.0 + uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0 with: api_base_url: https://api.trustsignal.dev api_key: ${{ secrets.TRUSTSIGNAL_API_KEY }}
@@ -66,7 +66,7 @@ You can verify a local file against a saved receipt JSON. - name: Verify against saved receipt id: receipt-check continue-on-error: true - uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.1.0 + uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0 with: artifact_path: dist/release.txt receipt: ${{ vars.RELEASE_RECEIPT_JSON }}
diff --git a/docs/integration.md b/docs/integration.md
index 348a52b..01fb599 100644
--- a/docs/integration.md
+++ b/docs/integration.md
@@ -51,5 +51,5 @@ If the API omits a distinct verification identifier, the action uses `receipt_id ## Next Steps - Run the external workflow in `docs/live-test.md` against a deployed TrustSignal API environment. - Publish semantic version tags beginning with `v0.1.0`. + Publish semantic version tags beginning with `v0.2.0`. - Maintain a stable major tag once the action contract is proven in production use.
diff --git a/docs/live-test.md b/docs/live-test.md
index ebf731d..c267b25 100644
--- a/docs/live-test.md
+++ b/docs/live-test.md
@@ -36,7 +36,7 @@ jobs: - name: Verify artifact with TrustSignal id: trustsignal - uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.1.0 + uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0 with: api_base_url: ${{ secrets.TRUSTSIGNAL_API_BASE_URL }} api_key: ${{ secrets.TRUSTSIGNAL_API_KEY }}
@@ -89,7 +89,7 @@ If you already have a SHA-256 digest, replace `artifact_path` with `artifact_has ```yaml - name: Verify known digest with TrustSignal id: trustsignal - uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.1.0 + uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0 with: api_base_url: ${{ secrets.TRUSTSIGNAL_API_BASE_URL }} api_key: ${{ secrets.TRUSTSIGNAL_API_KEY }}
diff --git a/docs/release-notes/v0.2.0.md b/docs/release-notes/v0.2.0.md
new file mode 100644
index 0000000..1bdb485
--- /dev/null
+++ b/docs/release-notes/v0.2.0.md
@@ -0,0 +1,48 @@
+# TrustSignal Verify Artifact v0.2.0
+
+## Overview
+
+`TrustSignal Verify Artifact` is a GitHub Action for verifying build artifacts in CI and issuing signed TrustSignal verification receipts that can be retained for later verification and provenance workflows.
+
+TrustSignal platform:
+
+- https://trustsignal.dev
+
+## Features
+
+- artifact integrity verification inside GitHub Actions
+- signed verification receipt issuance
+- GitHub workflow metadata capture
+- later verification support through receipt identifiers
+
+## Inputs
+
+- `api_base_url`
+- `api_key`
+- `artifact_path`
+- `artifact_hash`
+- `source`
+- `fail_on_mismatch`
+
+Exactly one of `artifact_path` or `artifact_hash` must be provided.
+
+## Outputs
+
+- `verification_id`
+- `status`
+- `receipt_id`
+- `receipt_signature`
+
+## Example Workflow
+
+```yaml
+- name: Verify artifact with TrustSignal
+ id: trustsignal
+ uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0
+ with:
+ api_base_url: ${{ secrets.TRUSTSIGNAL_API_BASE_URL }}
+ api_key: ${{ secrets.TRUSTSIGNAL_API_KEY }}
+ artifact_path: dist/release.txt
+ source: github-actions
+ fail_on_mismatch: "true"
+```
diff --git a/package.json b/package.json
index f2b1d7e..7547281 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@ { "name": "trustsignal-verify-artifact", - "version": "0.1.0", + "version": "0.2.0", "description": "GitHub Action for verifying build artifacts with TrustSignal and capturing signed verification receipts.", "main": "dist/index.js", "type": "commonjs",