build: add release scripts

Author: bordumb

.github/workflows/ci.yml

@@ -45,16 +45,18 @@ jobs:
         with:
           fail-on-unsigned: true
 
-  verify-artifacts:
-    runs-on: ubuntu-latest
-    needs: build-and-test
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Verify dist/index.js attestation
-        uses: ./
-        with:
-          artifact-paths: 'dist/index.js'
-          fail-on-unattested: false
+  # TODO: Enable after first signed release (just release X.Y.Z runs auths artifact sign dist/index.js)
+  # verify-artifacts:
+  #   runs-on: ubuntu-latest
+  #   needs: build-and-test
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #       with:
+  #         fetch-depth: 0
+  #
+  #     - name: Verify dist/index.js attestation
+  #       uses: ./
+  #       with:
+  #         identity-bundle: ...  # provide bundle path or inline JSON
+  #         artifact-paths: 'dist/index.js'
+  #         fail-on-unattested: true

.github/workflows/release.yml

@@ -1,3 +1,6 @@
+# Triggered by: python scripts/release.py --push
+# (tags vX.Y.Z and pushes, which triggers this workflow)
+
 name: Release
 
 on:
@@ -13,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - uses: actions/setup-node@v4
         with:
@@ -26,33 +31,78 @@ jobs:
       - name: Check dist is up to date
         run: git diff --exit-code -- dist/ ':!dist/**/*.d.ts.map'
 
+      # --- Artifact signing (mirrors auths/auths release workflow) ---
+      - name: Install auths CLI
+        run: |
+          curl -sL https://github.com/auths-dev/auths/releases/latest/download/auths-linux-x86_64.tar.gz | tar xz -C /usr/local/bin
+
+      - name: Sign dist/index.js
+        env:
+          AUTHS_PASSPHRASE: ${{ secrets.AUTHS_CI_PASSPHRASE }}
+          AUTHS_CI_KEYCHAIN_B64: ${{ secrets.AUTHS_CI_KEYCHAIN }}
+          AUTHS_CI_IDENTITY_BUNDLE_B64: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
+          AUTHS_KEYCHAIN_BACKEND: file
+          AUTHS_KEYCHAIN_FILE: /tmp/auths-ci-keychain
+        run: |
+          if [ -z "$AUTHS_PASSPHRASE" ] || [ -z "$AUTHS_CI_KEYCHAIN_B64" ] || [ -z "$AUTHS_CI_IDENTITY_BUNDLE_B64" ]; then
+            echo "::warning::Skipping artifact signing: AUTHS_CI_PASSPHRASE, AUTHS_CI_KEYCHAIN, and AUTHS_CI_IDENTITY_BUNDLE must all be set"
+            exit 0
+          fi
+
+          printf '%s' "$AUTHS_CI_KEYCHAIN_B64" | tr -d '[:space:]' | base64 -d > /tmp/auths-ci-keychain
+          mkdir -p /tmp/auths-identity
+          printf '%s' "$AUTHS_CI_IDENTITY_BUNDLE_B64" | tr -d '[:space:]' | base64 -d | tar -xz -C /tmp/auths-identity
+
+          if ! git -C /tmp/auths-identity rev-parse --git-dir > /dev/null 2>&1; then
+            echo "::warning::Skipping artifact signing: AUTHS_CI_IDENTITY_BUNDLE does not contain a valid git repository"
+            exit 0
+          fi
+
+          auths artifact sign dist/index.js \
+            --device-key ci-release-device \
+            --note "GitHub Actions release — ${GITHUB_REF_NAME}" \
+            --repo /tmp/auths-identity
+
+          echo "Signed dist/index.js → dist/index.js.auths.json"
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist
+          sha256sum index.js > index.js.sha256
+          if [ -f index.js.auths.json ]; then
+            sha256sum index.js.auths.json >> index.js.sha256
+          fi
+          cat index.js.sha256
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true
           make_latest: true
+          files: |
+            dist/index.js.auths.json
+            dist/index.js.sha256
           body: |
             ## Auths Verify GitHub Action
 
-            Verify commit signatures in your CI pipeline using [Auths](https://github.com/auths-dev/auths) identity keys.
-
-            ### Features
-            - Verifies SSH commit signatures against an allowed signers file or identity bundle
-            - Auto-downloads the `auths` CLI at runtime
-            - SHA256 checksum verification on downloaded binaries
-            - Supports `pull_request` and `push` events with automatic commit range detection
-            - GitHub Step Summary with per-commit verification results
-            - Optional PR comments with fix instructions for unsigned commits
-            - Skips merge commits and GPG-signed commits by default
+            Verify commit signatures and artifact attestations in your CI pipeline using [Auths](https://github.com/auths-dev/auths) identity keys.
 
             ### Usage
 
             ```yaml
-            - uses: auths-dev/auths-verify-github-action@v1
+            - uses: auths-dev/auths-verify-github-action@${{ github.ref_name }}
               with:
                 allowed-signers: '.auths/allowed_signers'
             ```
 
+            **New: Artifact verification**
+            ```yaml
+            - uses: auths-dev/auths-verify-github-action@${{ github.ref_name }}
+              with:
+                identity-bundle: ${{ secrets.AUTHS_IDENTITY_BUNDLE }}
+                artifact-paths: 'dist/*.tar.gz'
+            ```
+
             See the [README](https://github.com/auths-dev/auths-verify-github-action#readme) for full configuration options.
 
       - name: Update floating major tag

dist/index.js

@@ -71492,33 +71492,35 @@ async function run() {
                 throw new Error('Artifact verification requires an identity bundle (identity-bundle or identity-bundle-json). ' +
                     'The allowed-signers mode is not supported for artifact verification.');
             }
-            const patterns = artifactPathPatterns.join('\n');
-            const globber = await glob.create(patterns, { followSymbolicLinks: false });
-            let files = await globber.glob();
-            // Workspace containment check
-            const workspace = path.resolve(process.env.GITHUB_WORKSPACE || process.cwd());
-            files = files.filter(f => {
-                const resolved = path.resolve(f);
-                if (!resolved.startsWith(workspace + path.sep) && resolved !== workspace) {
-                    core.warning(`Skipping path outside workspace: ${f}`);
-                    return false;
-                }
-                return true;
-            });
-            // Deduplicate
-            files = [...new Set(files)];
-            if (files.length === 0) {
-                core.warning('artifact-paths provided but no files matched');
-            }
-            for (const file of files) {
-                core.info(`Verifying artifact: ${path.basename(file)}`);
-                const result = await (0, verifier_1.verifyArtifact)(authsPath, file, resolvedBundlePath, artifactAttestationDir || undefined);
-                artifactResults.push(result);
-                if (result.valid) {
-                    core.info(`\u2713 ${path.basename(file)} - verified${result.issuer ? ` (issuer: ${result.issuer})` : ''}`);
+            else {
+                const patterns = artifactPathPatterns.join('\n');
+                const globber = await glob.create(patterns, { followSymbolicLinks: false });
+                let files = await globber.glob();
+                // Workspace containment check
+                const workspace = path.resolve(process.env.GITHUB_WORKSPACE || process.cwd());
+                files = files.filter(f => {
+                    const resolved = path.resolve(f);
+                    if (!resolved.startsWith(workspace + path.sep) && resolved !== workspace) {
+                        core.warning(`Skipping path outside workspace: ${f}`);
+                        return false;
+                    }
+                    return true;
+                });
+                // Deduplicate
+                files = [...new Set(files)];
+                if (files.length === 0) {
+                    core.warning('artifact-paths provided but no files matched');
                 }
-                else {
-                    core.warning(`\u2717 ${path.basename(file)} - ${result.error || 'verification failed'}`);
+                for (const file of files) {
+                    core.info(`Verifying artifact: ${path.basename(file)}`);
+                    const result = await (0, verifier_1.verifyArtifact)(authsPath, file, resolvedBundlePath, artifactAttestationDir || undefined);
+                    artifactResults.push(result);
+                    if (result.valid) {
+                        core.info(`\u2713 ${path.basename(file)} - verified${result.issuer ? ` (issuer: ${result.issuer})` : ''}`);
+                    }
+                    else {
+                        core.warning(`\u2717 ${path.basename(file)} - ${result.error || 'verification failed'}`);
+                    }
                 }
             }
         }

dist/index.js.map

@@ -17,15 +17,15 @@ check-dist:
 # Run the full CI suite locally: test + build + verify dist
 ci: test build check-dist
 
-# Sign the dist/index.js artifact (creates dist/index.js.auths.json)
+# Sign the dist/index.js artifact locally (creates dist/index.js.auths.json)
 sign-dist:
     auths artifact sign dist/index.js
 
-# Cut a release: test, build, sign artifact, commit dist, tag, push
+# Cut a release: bump version, commit, then tag+push via release script
+# The release workflow handles build verification, artifact signing, and GitHub release creation.
 # Usage: just release 1.0.3
-release VERSION: test build sign-dist
+release VERSION: test build
     npm version {{VERSION}} --no-git-tag-version
-    git add package.json dist/ src/ .github/ justfile
-    git commit -m "Release v{{VERSION}}"
-    git tag "v{{VERSION}}"
-    git push && git push origin "v{{VERSION}}"
+    git add package.json package-lock.json dist/ src/ .github/ justfile
+    git commit -m "build: bump version to {{VERSION}}"
+    python scripts/release.py --push

justfile

@@ -249,7 +249,7 @@ describe('Artifact verification integration', () => {
     expect(artifactFailures).toHaveLength(0);
   });
 
-  it('requires identity bundle for artifact verification', async () => {
+  it('fails when no identity bundle provided for artifact verification', async () => {
     mockMultilineInputs['artifact-paths'] = ['dist/*.tar.gz'];
     // No identity bundle set — only allowed-signers
     mockInputs['identity-bundle'] = '';
@@ -258,9 +258,10 @@ describe('Artifact verification integration', () => {
 
     await runMain();
 
-    // Should fail with an error about requiring identity bundle
+    // Should hard-fail — silent skip would give false confidence
     const bundleErrors = mockFailed.filter(m => m.includes('identity bundle') || m.includes('Artifact verification requires'));
     expect(bundleErrors.length).toBeGreaterThan(0);
+    expect(mockVerifyArtifact).not.toHaveBeenCalled();
   });
 
   it('handles partial success correctly', async () => {

src/__tests__/artifact-integration.test.ts

@@ -167,42 +167,42 @@ async function run(): Promise<void> {
           'Artifact verification requires an identity bundle (identity-bundle or identity-bundle-json). ' +
           'The allowed-signers mode is not supported for artifact verification.'
         );
-      }
-
-      const patterns = artifactPathPatterns.join('\n');
-      const globber = await glob.create(patterns, { followSymbolicLinks: false });
-      let files = await globber.glob();
-
-      // Workspace containment check
-      const workspace = path.resolve(process.env.GITHUB_WORKSPACE || process.cwd());
-      files = files.filter(f => {
-        const resolved = path.resolve(f);
-        if (!resolved.startsWith(workspace + path.sep) && resolved !== workspace) {
-          core.warning(`Skipping path outside workspace: ${f}`);
-          return false;
-        }
-        return true;
-      });
-
-      // Deduplicate
-      files = [...new Set(files)];
+      } else {
+        const patterns = artifactPathPatterns.join('\n');
+        const globber = await glob.create(patterns, { followSymbolicLinks: false });
+        let files = await globber.glob();
+
+        // Workspace containment check
+        const workspace = path.resolve(process.env.GITHUB_WORKSPACE || process.cwd());
+        files = files.filter(f => {
+          const resolved = path.resolve(f);
+          if (!resolved.startsWith(workspace + path.sep) && resolved !== workspace) {
+            core.warning(`Skipping path outside workspace: ${f}`);
+            return false;
+          }
+          return true;
+        });
 
-      if (files.length === 0) {
-        core.warning('artifact-paths provided but no files matched');
-      }
+        // Deduplicate
+        files = [...new Set(files)];
 
-      for (const file of files) {
-        core.info(`Verifying artifact: ${path.basename(file)}`);
-        const result = await verifyArtifact(
-          authsPath, file, resolvedBundlePath,
-          artifactAttestationDir || undefined
-        );
-        artifactResults.push(result);
+        if (files.length === 0) {
+          core.warning('artifact-paths provided but no files matched');
+        }
 
-        if (result.valid) {
-          core.info(`\u2713 ${path.basename(file)} - verified${result.issuer ? ` (issuer: ${result.issuer})` : ''}`);
-        } else {
-          core.warning(`\u2717 ${path.basename(file)} - ${result.error || 'verification failed'}`);
+        for (const file of files) {
+          core.info(`Verifying artifact: ${path.basename(file)}`);
+          const result = await verifyArtifact(
+            authsPath, file, resolvedBundlePath,
+            artifactAttestationDir || undefined
+          );
+          artifactResults.push(result);
+
+          if (result.valid) {
+            core.info(`\u2713 ${path.basename(file)} - verified${result.issuer ? ` (issuer: ${result.issuer})` : ''}`);
+          } else {
+            core.warning(`\u2717 ${path.basename(file)} - ${result.error || 'verification failed'}`);
+          }
         }
       }
     }