From 0655bd3da581da443e727df904fa38e67e4aa951 Mon Sep 17 00:00:00 2001
From: bordumb
Date: Sat, 4 Apr 2026 13:05:26 -0700
Subject: [PATCH 1/4] build: uncomment ci

---
 .github/workflows/ci.yml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ff82087..cc7bd3e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,17 +46,17 @@ jobs:
 fail-on-unsigned: true
 
 # TODO: Enable after first signed release (just release X.Y.Z runs auths artifact sign dist/index.js)
- # verify-artifacts:
- # runs-on: ubuntu-latest
- # needs: build-and-test
- # steps:
- # - uses: actions/checkout@v4
- # with:
- # fetch-depth: 0
- #
- # - name: Verify dist/index.js attestation
- # uses: ./
- # with:
- # identity-bundle: ... # provide bundle path or inline JSON
- # artifact-paths: 'dist/index.js'
- # fail-on-unattested: true
+ verify-artifacts:
+ runs-on: ubuntu-latest
+ needs: build-and-test
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Verify dist/index.js attestation
+ uses: ./
+ with:
+ identity-bundle: ... # provide bundle path or inline JSON
+ artifact-paths: 'dist/index.js'
+ fail-on-unattested: true

From 7cf512b29daec1b06210173674e0aa7c7a54d57a Mon Sep 17 00:00:00 2001
From: bordumb
Date: Sat, 4 Apr 2026 13:07:53 -0700
Subject: [PATCH 2/4] fix: add ci secrets

---
 .github/workflows/ci.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cc7bd3e..a236b43 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,7 +45,6 @@ jobs:
 with:
 fail-on-unsigned: true
 
- # TODO: Enable after first signed release (just release X.Y.Z runs auths artifact sign dist/index.js)
 verify-artifacts:
 runs-on: ubuntu-latest
 needs: build-and-test
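Review bot: The `verify-artifacts` job is enabled with `identity-bundle: ...` as a literal placeholder while the TODO comment directly above it still says to enable it only after the first signed release, so as committed the job runs, receives no usable bundle, and fails on `fail-on-unattested: true`; the later patches in this series replace the placeholder with a secret. Separately, `actions/checkout@v4` is pinned by a mutable tag, which for a workflow whose purpose is attestation verification is worth hardening to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha>  # v4` (placeholder, substitute the real SHA). The `fail-on-unsigned: true` context line belongs to a preceding job whose definition starts outside the hunk.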
@@ -53,10 +52,10 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
-
+
 - name: Verify dist/index.js attestation
 uses: ./
 with:
- identity-bundle: ... # provide bundle path or inline JSON
+ identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
 artifact-paths: 'dist/index.js'
 fail-on-unattested: true

From 9162c487f9f22f988bab05f71bfde38ff647de71 Mon Sep 17 00:00:00 2001
From: bordumb
Date: Sat, 4 Apr 2026 13:20:59 -0700
Subject: [PATCH 3/4] fix: use JSON identity bundle secret for CI artifact verification

---
 .github/workflows/ci.yml | 2 +-
 scripts/ci-setup.sh | 19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a236b43..9dfae4a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -56,6 +56,6 @@ jobs:
 - name: Verify dist/index.js attestation
 uses: ./
 with:
- identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
+ identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
 artifact-paths: 'dist/index.js'
 fail-on-unattested: true
diff --git a/scripts/ci-setup.sh b/scripts/ci-setup.sh
index dd59ba3..b596984 100755
--- a/scripts/ci-setup.sh
+++ b/scripts/ci-setup.sh
@@ -142,7 +142,7 @@ else
 echo -e "${GREEN}✓${RESET} CI device linked"
 fi
 
-# --- Step 8: Package identity repo ---
+# --- Step 8: Package identity repo (for release signing) ---
 AUTHS_DIR="${HOME}/.auths"
 echo -e "${DIM}Packaging identity repo...${RESET}"
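Review bot: The new `identity-bundle-json` input is wired to `secrets.AUTHS_CI_IDENTITY_BUNDLE`, but the setup script hunk later in this series shows that secret holding the base64 identity-repo tarball, not JSON, so the verify step receives the wrong payload until the next patch renames it to `AUTHS_CI_IDENTITY_BUNDLE_JSON`. A second concern survives that rename: workflows triggered by `pull_request` from forks receive no secrets, so the input expands to an empty string and, with `fail-on-unattested: true`, every fork PR fails this job; the workflow's `on:` triggers are outside the hunk, so this depends on how `ci.yml` is triggered. If the job stays in CI, guard it with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false`; the final patch in the series instead moves the step to the release workflow, which avoids the fork case entirely.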
@@ -161,6 +161,17 @@ tar -czf "$BUNDLE_PATH" \
 
 IDENTITY_BUNDLE_B64=$(base64 < "$BUNDLE_PATH" | tr -d '\n')
 
+# --- Step 8b: Export identity bundle JSON (for CI artifact verification) ---
+echo -e "${DIM}Exporting identity bundle JSON (1-year TTL)...${RESET}"
+BUNDLE_JSON_PATH="$TMPDIR_WORK/identity-bundle.json"
+auths id export-bundle \
+ --alias ci-release-device \
+ --output "$BUNDLE_JSON_PATH" \
+ --max-age-secs 31536000
+
+IDENTITY_BUNDLE_JSON=$(cat "$BUNDLE_JSON_PATH")
+echo -e "${GREEN}✓${RESET} Identity bundle JSON exported (expires in 1 year)"
+
 # --- Step 9: Set GitHub secrets ---
 echo ""
 echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${RESET}"
@@ -186,10 +197,11 @@ if [ "$GH_OK" -eq 1 ]; then
 echo -n "$CI_PASS" | gh secret set AUTHS_CI_PASSPHRASE --repo "$REPO" || GH_OK=0
 echo -n "$KEYCHAIN_B64" | gh secret set AUTHS_CI_KEYCHAIN --repo "$REPO" || GH_OK=0
 echo -n "$IDENTITY_BUNDLE_B64" | gh secret set AUTHS_CI_IDENTITY_BUNDLE --repo "$REPO" || GH_OK=0
+ echo -n "$IDENTITY_BUNDLE_JSON" | gh secret set AUTHS_CI_IDENTITY_BUNDLE_JSON --repo "$REPO" || GH_OK=0
 fi
 
 if [ "$GH_OK" -eq 1 ]; then
- echo -e "${GREEN}✓${RESET} All 3 secrets set on ${CYAN}${REPO}${RESET}"
+ echo -e "${GREEN}✓${RESET} All 4 secrets set on ${CYAN}${REPO}${RESET}"
 else
 echo -e "${YELLOW}Could not set secrets automatically.${RESET}"
 echo -e "${DIM}Try: gh auth login then re-run, or add manually:${RESET}"
@@ -203,6 +215,9 @@ else
 echo ""
 echo -e "${BOLD}AUTHS_CI_IDENTITY_BUNDLE${RESET}"
 echo "$IDENTITY_BUNDLE_B64"
+ echo ""
+ echo -e "${BOLD}AUTHS_CI_IDENTITY_BUNDLE_JSON${RESET}"
+ echo "$IDENTITY_BUNDLE_JSON"
 fi
 
 echo ""

From ff38d0c24f24574d339c5ec186f97fe85d2cafd8 Mon Sep 17 00:00:00 2001
From: bordumb
Date: Sat, 4 Apr 2026 13:32:27 -0700
Subject: [PATCH 4/4] build: move artifact vefification to release build

---
 .github/workflows/ci.yml | 14 --------------
 .github/workflows/release.yml | 10 ++++++++++
 2 files changed, 10 insertions(+), 14 deletions(-)
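Review bot: The `auths id export-bundle` call in the new Step 8b has no failure handling, so if the export fails (unknown alias, tool missing, expired device) the following `cat` yields an empty `IDENTITY_BUNDLE_JSON`, the success message still prints, and the `gh secret set AUTHS_CI_IDENTITY_BUNDLE_JSON` line added in the hunk at -186 silently stores an empty secret that will only surface as a verification failure in the release workflow; unless the script's header (outside this hunk) enables `set -e`, the command should fail fast. I would also name the TTL once rather than keeping the literal `31536000` and the "1 year" wording in two echo strings in sync. The changed lines would be `BUNDLE_TTL_SECS=31536000` before the call, `  --max-age-secs "$BUNDLE_TTL_SECS" || { echo "Failed to export identity bundle JSON" >&2; exit 1; }` as the last continuation line, and `[ -s "$BUNDLE_JSON_PATH" ] || { echo "Identity bundle JSON is empty" >&2; exit 1; }` before the `cat`. Since the bundle is exported with a fixed expiry, a comment at the top of Step 8b noting that release verification will start failing when it lapses and that re-running this script rotates it would save the next maintainer a debugging session.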
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9dfae4a..0b1e056 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,17 +45,3 @@ jobs:
 with:
 fail-on-unsigned: true
 
- verify-artifacts:
- runs-on: ubuntu-latest
- needs: build-and-test
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
-
- - name: Verify dist/index.js attestation
- uses: ./
- with:
- identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
- artifact-paths: 'dist/index.js'
- fail-on-unattested: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0ab152e..b3719bf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -75,6 +75,16 @@ jobs:
 
 echo "Signed dist/index.js → dist/index.js.auths.json"
 
+ # --- Verify the artifact we just signed (dogfood) ---
+ - name: Verify dist/index.js attestation
+ if: hashFiles('dist/index.js.auths.json') != ''
+ uses: ./
+ with:
+ identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
+ artifact-paths: 'dist/index.js'
+ fail-on-unattested: true
+ fail-on-unsigned: false
+
 - name: Generate SHA256 checksums
 run: |
 cd dist
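Review bot: The `if: hashFiles('dist/index.js.auths.json') != ''` guard on the new verify step makes it skip silently whenever the signing step did not produce an attestation, and `fail-on-unsigned: false` presumably lets it pass even when it does run against an unsigned artifact, so the step cannot fail a release for the one condition it exists to catch; the rest of the release job, including whatever publishes `dist/`, continues outside the hunk. If the signing step can legitimately be skipped, gate this step on the same condition the signing step uses rather than on the presence of the output file; otherwise delete the `if:` line and change the last input to `fail-on-unsigned: true` so a missing `.auths.json` fails the build. It is also worth stating in the `(dogfood)` comment that `uses: ./` runs the freshly built `dist/index.js` as the verifier of itself, so a pass is a smoke test of the signing flow rather than an independent check of the artifact.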