auths-dev · bordumb · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -45,18 +45,3 @@ jobs:
         with:
           fail-on-unsigned: true
 
-  # TODO: Enable after first signed release (just release X.Y.Z runs auths artifact sign dist/index.js)
-  # verify-artifacts:
-  #   runs-on: ubuntu-latest
-  #   needs: build-and-test
-  #   steps:
-  #     - uses: actions/checkout@v4
-  #       with:
-  #         fetch-depth: 0
-  #
-  #     - name: Verify dist/index.js attestation
-  #       uses: ./
-  #       with:
-  #         identity-bundle: ...  # provide bundle path or inline JSON
-  #         artifact-paths: 'dist/index.js'
-  #         fail-on-unattested: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -75,6 +75,16 @@ jobs:
 
           echo "Signed dist/index.js → dist/index.js.auths.json"
 
+      # --- Verify the artifact we just signed (dogfood) ---
+      - name: Verify dist/index.js attestation
+        if: hashFiles('dist/index.js.auths.json') != ''
+        uses: ./
+        with:
+          identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
+          artifact-paths: 'dist/index.js'
+          fail-on-unattested: true
+          fail-on-unsigned: false
+
       - name: Generate SHA256 checksums
         run: |
           cd dist

diff --git a/scripts/ci-setup.sh b/scripts/ci-setup.sh
@@ -142,7 +142,7 @@ else
     echo -e "${GREEN}✓${RESET} CI device linked"
 fi
 
-# --- Step 8: Package identity repo ---
+# --- Step 8: Package identity repo (for release signing) ---
 AUTHS_DIR="${HOME}/.auths"
 echo -e "${DIM}Packaging identity repo...${RESET}"
 
@@ -161,6 +161,17 @@ tar -czf "$BUNDLE_PATH" \
 
 IDENTITY_BUNDLE_B64=$(base64 < "$BUNDLE_PATH" | tr -d '\n')
 
+# --- Step 8b: Export identity bundle JSON (for CI artifact verification) ---
+echo -e "${DIM}Exporting identity bundle JSON (1-year TTL)...${RESET}"
+BUNDLE_JSON_PATH="$TMPDIR_WORK/identity-bundle.json"
+auths id export-bundle \
+    --alias ci-release-device \
+    --output "$BUNDLE_JSON_PATH" \
+    --max-age-secs 31536000
+
+IDENTITY_BUNDLE_JSON=$(cat "$BUNDLE_JSON_PATH")
+echo -e "${GREEN}✓${RESET} Identity bundle JSON exported (expires in 1 year)"
+
 # --- Step 9: Set GitHub secrets ---
 echo ""
 echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${RESET}"
@@ -186,10 +197,11 @@ if [ "$GH_OK" -eq 1 ]; then
     echo -n "$CI_PASS" | gh secret set AUTHS_CI_PASSPHRASE --repo "$REPO" || GH_OK=0
     echo -n "$KEYCHAIN_B64" | gh secret set AUTHS_CI_KEYCHAIN --repo "$REPO" || GH_OK=0
     echo -n "$IDENTITY_BUNDLE_B64" | gh secret set AUTHS_CI_IDENTITY_BUNDLE --repo "$REPO" || GH_OK=0
+    echo -n "$IDENTITY_BUNDLE_JSON" | gh secret set AUTHS_CI_IDENTITY_BUNDLE_JSON --repo "$REPO" || GH_OK=0
 fi
 
 if [ "$GH_OK" -eq 1 ]; then
-    echo -e "${GREEN}✓${RESET} All 3 secrets set on ${CYAN}${REPO}${RESET}"
+    echo -e "${GREEN}✓${RESET} All 4 secrets set on ${CYAN}${REPO}${RESET}"
 else
     echo -e "${YELLOW}Could not set secrets automatically.${RESET}"
     echo -e "${DIM}Try: gh auth login then re-run, or add manually:${RESET}"
@@ -203,6 +215,9 @@ else
     echo ""
     echo -e "${BOLD}AUTHS_CI_IDENTITY_BUNDLE${RESET}"
     echo "$IDENTITY_BUNDLE_B64"
+    echo ""
+    echo -e "${BOLD}AUTHS_CI_IDENTITY_BUNDLE_JSON${RESET}"
+    echo "$IDENTITY_BUNDLE_JSON"
 fi
 
 echo ""