Harden TrustSignal Verify Artifact: request timeout, dist alignment, live integration test, release checklist, and integration workflow#59

Draft
Copilot wants to merge 4 commits into master from copilot/audit-action-implementation

Conversation


Copilot AI commented Mar 18, 2026

Moves the TrustSignal Verify Artifact GitHub Action from locally-validated to enterprise-credible: enforces dist/source alignment in CI, adds a live integration test path, tightens the security posture, formalizes the release process, and adds a complete end-to-end integration workflow.

Summary

  • Added 30-second AbortController timeout to callVerificationApi — prevents the action from hanging on unresponsive API endpoints; AbortError surfaces as a clean message with no header or secret leakage
  • Added scripts/check-dist.js — SHA-256 compares src/index.js vs dist/index.js; fails with a npm run build hint on drift; wired into npm run validate and the CI job
  • Added scripts/integration-test.js — exercises all four output fields (verification_id, status, receipt_id, receipt_signature) against a real API using actual fetch (no mocks); skips cleanly when credentials are absent
  • Added verify-artifact-action job to .github/workflows/ci.yml with permissions: contents: read, running check, check:dist and test:local on every push/PR
  • Added .github/workflows/main.yml — complete integration workflow: checks out repo, builds a release artifact, calls the TrustSignal action via local monorepo path with secrets (TRUSTSIGNAL_API_BASE_URL, TRUSTSIGNAL_API_KEY), and records verification_id, status, and receipt_id outputs; runs on push to master and workflow_dispatch with fail_on_mismatch: true and permissions: contents: read
  • Added docs/release-checklist.md: dist alignment, validation, semver tagging, post-release verification, and Marketplace publication steps
  • Updated docs/integration.md: full request/response contract table, security behavior, live test instructions; removed stale limitations
  • Updated docs/integrations/github-action.md: response field mapping table, timeout/fail-closed notes, validation section
  • Updated CONTRIBUTING.md and README.md to reflect new scripts and validation flow

AI Disclosure (optional)

  • AI-assisted changes are included in this PR

Review Checklist

  • Human review requested
  • Tests added or updated where appropriate
  • No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
  • Security impact and remaining risks are described
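The request-timeout behaviour described in the first summary bullet, as an added example that is not the action's own code: a fetch wrapper that aborts after 30 seconds (configurable), maps the response onto the four output fields, and rethrows AbortError as a fixed message so neither headers nor the API key can appear in the error. The "/verify" path, the bearer-token header and the two stand-in fetch functions are assumptions constructed for this example.

```javascript
// Added example, not the action's own code. The "/verify" endpoint path and the
// bearer-token header are assumptions; the stand-in fetch functions are constructed.
const DEFAULT_TIMEOUT_MS = 30_000;
const OUTPUT_FIELDS = ['verification_id', 'status', 'receipt_id', 'receipt_signature'];

async function callVerificationApi({ baseUrl, apiKey, body, timeoutMs = DEFAULT_TIMEOUT_MS, fetchImpl = globalThis.fetch }) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(`${baseUrl}/verify`, {
      method: 'POST',
      headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
      signal: controller.signal,
    });
    // Fail closed on non-2xx and do not echo the (untrusted) response body.
    if (!res.ok) throw new Error(`verification API returned HTTP ${res.status}`);
    return pickOutputs(await res.json());
  } catch (err) {
    // Replace the abort error with a fixed string so no request details can leak.
    if (err && err.name === 'AbortError') {
      throw new Error(`verification API request timed out after ${timeoutMs} ms`);
    }
    throw err;
  } finally {
    clearTimeout(timer);
  }
}

// Map the API response onto the four action outputs; missing fields become empty strings.
function pickOutputs(json) {
  return Object.fromEntries(OUTPUT_FIELDS.map((f) => [f, json && json[f] != null ? String(json[f]) : '']));
}

// Constructed stand-in for fetch that never responds but honours the abort signal.
function hangingFetch(_url, opts) {
  return new Promise((_, reject) => {
    opts.signal.addEventListener('abort', () => {
      const e = new Error('aborted');
      e.name = 'AbortError';
      reject(e);
    });
  });
}

// Constructed stand-in for a healthy API that returns all four fields.
async function okFetch() {
  return { ok: true, status: 200, json: async () => ({ verification_id: 'ver_constructed_1', status: 'match', receipt_id: 'rcpt_constructed_1', receipt_signature: 'sig_constructed' }) };
}
```

Pass the real global fetch (the default) in the action and one of the stand-ins in a local contract test; the timeout path can then be exercised offline in milliseconds.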


vercel bot commented Mar 18, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
api | Ready | Preview, Comment | Mar 18, 2026 4:26pm
trustsignal | Ready | Preview, Comment | Mar 18, 2026 4:26pm

…t, and release checklist for verify-artifact action

Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add live end-to-end validation for TrustSignal artifact" to "Harden TrustSignal Verify Artifact: request timeout, dist alignment, live integration test, release checklist" Mar 18, 2026
Copilot AI requested a review from chrismaz11 March 18, 2026 15:00

@chrismaz11 chrismaz11 left a comment


Enterprise release

@chrismaz11

@copilot I updated the setup workflow yml

…main.yml)

Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>

Copilot AI commented Mar 18, 2026

@copilot I updated the setup workflow yml

Picked up your main.yml changes and replaced the placeholder with a complete integration workflow (93acb16). It now:

  • Checks out the repo and builds a release artifact
  • Calls the action via local path (./github-actions/trustsignal-verify-artifact) using TRUSTSIGNAL_API_BASE_URL and TRUSTSIGNAL_API_KEY secrets
  • Runs with fail_on_mismatch: true (fail-closed) and permissions: contents: read
  • Logs verification_id, status, and receipt_id in the final step

The verify-artifact-action job in ci.yml is kept separately — it validates source syntax, dist alignment, and local contract tests on every push without needing live credentials.

Copilot AI changed the title from "Harden TrustSignal Verify Artifact: request timeout, dist alignment, live integration test, release checklist" to "Harden TrustSignal Verify Artifact: request timeout, dist alignment, live integration test, release checklist, and integration workflow" Mar 18, 2026
Copilot AI requested a review from chrismaz11 March 18, 2026 16:27