feat: zero-config drop-in — step summary setup guide, README one-liner, badge, Marketplace metadata

Author: bordumb

.auths/allowed_signers

@@ -1,4 +1,5 @@
 # auths:managed — do not edit manually
 # auths:attestation
 z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuPK6OfYp7ngZp40Q+Dsrahhks472v6gPIMD0upCRnM
+z6MkhfnUUc2UJJ5C9sQQ7GvXmSbQJsdtNKV6HNYcQtTjc7xE@auths.local namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/Ib83sxXogDnEVzLjFBkyC+DhP+cssbPzZAmQhB+Lz
 # auths:manual

.github/workflows/release.yml

@@ -31,58 +31,14 @@ jobs:
       - name: Check dist is up to date
         run: git diff --exit-code -- dist/ ':!dist/**/*.d.ts.map'
 
-      # --- Artifact signing (mirrors auths/auths release workflow) ---
-      - name: Install auths CLI
-        run: |
-          mkdir -p /tmp/auths-install
-          curl -sL https://github.com/auths-dev/auths/releases/latest/download/auths-linux-x86_64.tar.gz | tar xz -C /tmp/auths-install
-          sudo cp /tmp/auths-install/auths /usr/local/bin/auths
-          rm -rf /tmp/auths-install
-
-      - name: Sign dist/index.js
-        env:
-          AUTHS_CI_TOKEN: ${{ secrets.AUTHS_CI_TOKEN }}
-          AUTHS_KEYCHAIN_BACKEND: file
-          AUTHS_KEYCHAIN_FILE: /tmp/auths-ci-keychain
-        run: |
-          if [ -z "$AUTHS_CI_TOKEN" ]; then
-            echo "::warning::Skipping artifact signing: AUTHS_CI_TOKEN not set (run 'auths ci setup' to configure)"
-            exit 0
-          fi
-
-          # Extract fields from the single CI token
-          AUTHS_PASSPHRASE=$(echo "$AUTHS_CI_TOKEN" | jq -r '.passphrase')
-          echo "::add-mask::$AUTHS_PASSPHRASE"
-          export AUTHS_PASSPHRASE
-
-          echo "$AUTHS_CI_TOKEN" | jq -r '.keychain' | base64 -d > /tmp/auths-ci-keychain
-          mkdir -p /tmp/auths-identity
-          echo "$AUTHS_CI_TOKEN" | jq -r '.identity_repo' | base64 -d | tar -xz -C /tmp/auths-identity
-
-          if ! git -C /tmp/auths-identity rev-parse --git-dir > /dev/null 2>&1; then
-            echo "::warning::Skipping artifact signing: identity repo in AUTHS_CI_TOKEN is not a valid git repository"
-            exit 0
-          fi
-
-          auths artifact sign dist/index.js \
-            --device-key ci-release-device \
-            --note "GitHub Actions release — ${GITHUB_REF_NAME}" \
-            --repo /tmp/auths-identity
-
-          echo "Signed dist/index.js → dist/index.js.auths.json"
-
-          # Write verify bundle for next step
-          echo "$AUTHS_CI_TOKEN" | jq -r '.verify_bundle' > /tmp/auths-verify-bundle.json
-
-      # --- Verify the artifact we just signed (dogfood) ---
-      - name: Verify dist/index.js attestation
-        if: hashFiles('dist/index.js.auths.json') != ''
-        uses: ./
+      # --- Artifact signing (dogfood: sign dist/index.js using auths-dev/sign@v1) ---
+      - name: Sign and verify dist/index.js
+        uses: auths-dev/sign@v1
         with:
-          token: /tmp/auths-verify-bundle.json
+          token: ${{ secrets.AUTHS_CI_TOKEN }}
           files: 'dist/index.js'
-          fail-on-unattested: true
-          fail-on-unsigned: false
+          verify: true
+          note: 'GitHub Actions release — ${{ github.ref_name }}'
 
       - name: Generate SHA256 checksums
         run: |

README.md

@@ -1,5 +1,7 @@
 # Auths Verify Action
 
+[![Verified with Auths](https://img.shields.io/badge/Verified%20with-Auths-4B9CD3?logo=github&logoColor=white)](https://github.com/auths-dev/verify)
+
 Verify commit signatures using [Auths](https://github.com/auths-dev/auths) token keys. Ensures every commit in a PR or push is cryptographically signed by an authorized developer.
 
 ## Quickstart
@@ -13,6 +15,28 @@ Verify commit signatures using [Auths](https://github.com/auths-dev/auths) token
 
 That's it. The action auto-detects the commit range from the GitHub event (PR or push), downloads the `auths` CLI, and verifies each commit. Identity is auto-detected from the `token` input (defaults to `.auths/allowed_signers`).
 
+## One-Liner Install
+
+Add this file to your repo to start enforcing signed commits on every PR:
+
+```yaml
+# .github/workflows/verify.yml
+name: Verify Commits
+on: [pull_request]
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: auths-dev/verify@v1
+        with:
+          fail-on-unsigned: true
+```
+
+That's it. No token or configuration needed — the action reads `.auths/allowed_signers` automatically.
+
 ## Features
 
 - Verifies SSH commit signatures against allowed signers or identity bundles

action.yml

@@ -1,6 +1,11 @@
 name: 'Verify with Auths'
-description: 'Verify commit signatures and artifact attestations using Auths identity keys'
-author: 'auths'
+description: >
+  Protect your supply chain by enforcing cryptographic commit signatures on every PR.
+  Verifies that every commit is signed by an authorized developer using Auths identity keys.
+  Zero configuration needed — reads .auths/allowed_signers automatically.
+  Classifies failures (unsigned, unknown key, corrupted signature) with copy-pasteable fix commands
+  and posts a GitHub Step Summary with a "How to fix" guide.
+author: 'auths-dev'
 
 inputs:
   token: