Moves the TrustSignal Verify Artifact GitHub Action from locally-validated to enterprise-credible: enforces dist/source alignment in CI, adds a live integration test path, tightens the security posture, formalizes the release process, and adds a complete end-to-end integration workflow.

Summary

• Added 30-second AbortController timeout to callVerificationApi — prevents the action from hanging on unresponsive API endpoints; AbortError surfaces as a clean message with no header or secret leakage
• Added scripts/check-dist.js — SHA-256 compares src/index.js vs dist/index.js; fails with a npm run build hint on drift; wired into npm run validate and the CI job
• Added scripts/integration-test.js — exercises all four output fields (verification_id, status, receipt_id, receipt_signature) against a real API using actual fetch (no mocks); skips cleanly when credentials are absent
• Added verify-artifact-action job to .github/workflows/ci.yml with permissions: contents: read running check → check:dist → test:local on every push/PR
• Added .github/workflows/main.yml — complete integration workflow: checks out repo, builds a release artifact, calls the TrustSignal action via local monorepo path with secrets (TRUSTSIGNAL_API_BASE_URL, TRUSTSIGNAL_API_KEY), and records verification_id, status, and receipt_id outputs; runs on push to master and workflow_dispatch with fail_on_mismatch: true and permissions: contents: read
• Added docs/release-checklist.md: dist alignment, validation, semver tagging, post-release verification, and Marketplace publication steps
• Updated docs/integration.md: full request/response contract table, security behavior, live test instructions; removed stale limitations
• Updated docs/integrations/github-action.md: response field mapping table, timeout/fail-closed notes, validation section
• Updated CONTRIBUTING.md and README.md to reflect new scripts and validation flow

AI Disclosure (optional)

• AI-assisted changes are included in this PR

Review Checklist

• Human review requested
• Tests added or updated where appropriate
• No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
• Security impact and remaining risks are described

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.