Fix TrustSignal verification API authentication: use x-api-key header

[Copilot]

The verification client was sending Authorization: ****** but the TrustSignal API at api.trustsignal.devexpectsx-api-key: , causing every verification attempt to fail with 403 Forbidden: invalid API key`.

Changes

• src/trustsignal/client.ts — Replace authorization: ****** with "x-api-key": apiKey`
• tests/trustsignalClient.test.ts — Update all header assertions to expect x-api-key
• docs/integrations/github.md — Correct the curl example to use -H "x-api-key: ${TRUSTSIGNAL_API_KEY}"
• apps/action/dist/index.js — Rebuilt bundle

- authorization: `******
+ "x-api-key": this.apiKey,

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

[Copilot]

Pull request overview

This PR fixes TrustSignal verification client authentication by switching from an Authorization: Bearer ... header to the x-api-key header required by api.trustsignal.dev, preventing 403 Forbidden: invalid API key failures during verification.

Changes:

• Update TrustSignalVerificationClient to send x-api-key instead of authorization.
• Update unit tests to assert x-api-key header usage.
• Fix the GitHub integration curl example to use -H "x-api-key: ...".

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File	Description
src/trustsignal/client.ts	Sends API key via x-api-key header for verification requests
tests/trustsignalClient.test.ts	Updates mocked fetch header assertions to match new auth header
docs/integrations/github.md	Updates curl example to use x-api-key header
apps/action/dist/index.js	Rebuilt action bundle reflecting the header change

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.