chore: bump action references to v0.2.0

CHANGELOG.md

@@ -6,6 +6,8 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and
 
 ## [Unreleased]
 
+## [0.2.0] - 2026-03-16
+
 ### Changed
 
 - `sha256File` now uses a streaming `fs.createReadStream` instead of `fs.readFileSync` to avoid loading large artifacts fully into memory.

CONTRIBUTING.md

@@ -46,5 +46,5 @@ npm run validate:local
 
 - Follow semantic versioning.
 - Commit updated `dist/index.js` with each release.
-- Publish immutable tags such as `v0.1.0` and maintain a major tag such as `v1`.
+- Publish immutable tags such as `v0.2.0` and maintain a major tag such as `v1`.
 - GitHub Marketplace publication requires a public repository with `action.yml` at the repository root.

README.md

@@ -25,7 +25,7 @@ jobs:
 
       - name: Verify and issue receipt
         id: trustsignal
-        uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.1.0
+        uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0
         with:
           api_base_url: https://api.trustsignal.dev
           api_key: ${{ secrets.TRUSTSIGNAL_API_KEY }}
@@ -66,7 +66,7 @@ You can verify a local file against a saved receipt JSON.
 - name: Verify against saved receipt
   id: receipt-check
   continue-on-error: true
-  uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.1.0
+  uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0
   with:
     artifact_path: dist/release.txt
     receipt: ${{ vars.RELEASE_RECEIPT_JSON }}

docs/integration.md

@@ -51,5 +51,5 @@ If the API omits a distinct verification identifier, the action uses `receipt_id
 ## Next Steps
 
 - Run the external workflow in `docs/live-test.md` against a deployed TrustSignal API environment.
-- Publish semantic version tags beginning with `v0.1.0`.
+- Publish semantic version tags beginning with `v0.2.0`.
 - Maintain a stable major tag once the action contract is proven in production use.

docs/live-test.md

@@ -36,7 +36,7 @@ jobs:
 
       - name: Verify artifact with TrustSignal
         id: trustsignal
-        uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.1.0
+        uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0
         with:
           api_base_url: ${{ secrets.TRUSTSIGNAL_API_BASE_URL }}
           api_key: ${{ secrets.TRUSTSIGNAL_API_KEY }}
@@ -89,7 +89,7 @@ If you already have a SHA-256 digest, replace `artifact_path` with `artifact_has
 ```yaml
       - name: Verify known digest with TrustSignal
         id: trustsignal
-        uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.1.0
+        uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0
         with:
           api_base_url: ${{ secrets.TRUSTSIGNAL_API_BASE_URL }}
           api_key: ${{ secrets.TRUSTSIGNAL_API_KEY }}

docs/release-notes/v0.2.0.md

@@ -0,0 +1,48 @@
+# TrustSignal Verify Artifact v0.2.0
+
+## Overview
+
+`TrustSignal Verify Artifact` is a GitHub Action for verifying build artifacts in CI and issuing signed TrustSignal verification receipts that can be retained for later verification and provenance workflows.
+
+TrustSignal platform:
+
+- https://trustsignal.dev
+
+## Features
+
+- artifact integrity verification inside GitHub Actions
+- signed verification receipt issuance
+- GitHub workflow metadata capture
+- later verification support through receipt identifiers
+
+## Inputs
+
+- `api_base_url`
+- `api_key`
+- `artifact_path`
+- `artifact_hash`
+- `source`
+- `fail_on_mismatch`
+
+Exactly one of `artifact_path` or `artifact_hash` must be provided.
+
+## Outputs
+
+- `verification_id`
+- `status`
+- `receipt_id`
+- `receipt_signature`
+
+## Example Workflow
+
+```yaml
+- name: Verify artifact with TrustSignal
+  id: trustsignal
+  uses: TrustSignal-dev/TrustSignal-Verify-Artifact@v0.2.0
+  with:
+    api_base_url: ${{ secrets.TRUSTSIGNAL_API_BASE_URL }}
+    api_key: ${{ secrets.TRUSTSIGNAL_API_KEY }}
+    artifact_path: dist/release.txt
+    source: github-actions
+    fail_on_mismatch: "true"
+```

package.json

@@ -1,6 +1,6 @@
 {
   "name": "trustsignal-verify-artifact",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "GitHub Action for verifying build artifacts with TrustSignal and capturing signed verification receipts.",
   "main": "dist/index.js",
   "type": "commonjs",