build: move artifact vefification to release build

bordumb · bordumb · commit ff38d0c24f24 · 2026-04-04T13:32:27.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -45,17 +45,3 @@ jobs:
         with:
           fail-on-unsigned: true
 
-  verify-artifacts:
-    runs-on: ubuntu-latest
-    needs: build-and-test
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Verify dist/index.js attestation
-        uses: ./
-        with:
-          identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
-          artifact-paths: 'dist/index.js'
-          fail-on-unattested: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -75,6 +75,16 @@ jobs:
 
           echo "Signed dist/index.js → dist/index.js.auths.json"
 
+      # --- Verify the artifact we just signed (dogfood) ---
+      - name: Verify dist/index.js attestation
+        if: hashFiles('dist/index.js.auths.json') != ''
+        uses: ./
+        with:
+          identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
+          artifact-paths: 'dist/index.js'
+          fail-on-unattested: true
+          fail-on-unsigned: false
+
       - name: Generate SHA256 checksums
         run: |
           cd dist
