
Enable artifact signing in CI and uncomment verify-artifacts job #8

@bordumb


Context

The release workflow (.github/workflows/release.yml) now supports signing dist/index.js with auths artifact sign during releases, matching the pattern in auths-dev/auths. The CI workflow has a verify-artifacts job commented out, waiting for the first signed release.

Steps

  1. Add CI secrets to this repo (Settings → Secrets → Actions):

    • AUTHS_CI_PASSPHRASE
    • AUTHS_CI_KEYCHAIN
    • AUTHS_CI_IDENTITY_BUNDLE

    These are the same secrets used in auths-dev/auths. Generate them with just ci-setup in the auths monorepo if they don't exist yet.

  2. Cut a release to produce the first signed artifact:

    just release X.Y.Z
    

    Verify the GitHub Release has dist/index.js.auths.json attached.

  3. Uncomment the verify-artifacts job in .github/workflows/ci.yml (~line 48) and provide the identity bundle:

    verify-artifacts:
      runs-on: ubuntu-latest
      needs: build-and-test
      steps:
        - uses: actions/checkout@v4
          with:
            fetch-depth: 0
    
        - name: Verify dist/index.js attestation
          uses: ./
          with:
            identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
            artifact-paths: 'dist/index.js'
            fail-on-unattested: true

  4. Commit and push. CI should now verify the dist/index.js attestation on every push/PR.

Why

This completes the supply-chain dogfooding story: the action verifies its own bundled artifact using the same mechanism it provides to consumers.
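The following is an added illustration, not code from this repository or from the auths project. It models the semantics the uncommented verify-artifacts job relies on: each path listed in `artifact-paths` must have a sidecar attestation beside it, the recorded digest must match the file on disk, and `fail-on-unattested: true` is what turns a missing sidecar into a hard failure rather than a warning. The sidecar layout used here (`{"subject": ..., "sha256": ...}`), the `.auths.json` suffix handling and the `write_attestation` helper standing in for `auths artifact sign` are all constructed assumptions; the real attestation format is not shown on this page.

```python
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so a large bundle need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class VerifyResult:
    verified: list = field(default_factory=list)
    unattested: list = field(default_factory=list)   # no sidecar found next to the artifact
    mismatched: list = field(default_factory=list)   # sidecar present but subject/digest differ

    def passes(self, fail_on_unattested: bool) -> bool:
        """A bad attestation always fails; a missing one fails only when fail-on-unattested is set."""
        if self.mismatched:
            return False
        if self.unattested and fail_on_unattested:
            return False
        return True


def verify_artifacts(artifact_paths, sidecar_suffix=".auths.json") -> VerifyResult:
    """Check every artifact against its sidecar. Constructed stand-in for the action's verify step."""
    result = VerifyResult()
    for path in artifact_paths:
        sidecar = path + sidecar_suffix
        if not os.path.isfile(sidecar):
            result.unattested.append(path)
            continue
        with open(sidecar, encoding="utf-8") as f:
            att = json.load(f)
        # Assumed sidecar layout: {"subject": "<basename>", "sha256": "<hex digest>"}.
        if att.get("subject") != os.path.basename(path) or att.get("sha256") != sha256_file(path):
            result.mismatched.append(path)
        else:
            result.verified.append(path)
    return result


def write_attestation(path: str, sidecar_suffix=".auths.json") -> str:
    """Constructed stand-in for `auths artifact sign`: records subject and digest beside the artifact."""
    att = {"subject": os.path.basename(path), "sha256": sha256_file(path)}
    sidecar = path + sidecar_suffix
    with open(sidecar, "w", encoding="utf-8") as f:
        json.dump(att, f)
    return sidecar


def demo() -> dict:
    """Run three scenarios in a temporary dist/ directory and return pass/fail for each."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        dist = os.path.join(d, "dist")
        os.makedirs(dist)
        bundle = os.path.join(dist, "index.js")
        with open(bundle, "w", encoding="utf-8") as f:
            f.write("console.log('constructed bundle');\n")  # constructed sample artifact

        # 1. Before the first signed release there is no sidecar at all.
        r = verify_artifacts([bundle])
        out["unattested_strict"] = r.passes(fail_on_unattested=True)    # False: fail closed
        out["unattested_lenient"] = r.passes(fail_on_unattested=False)  # True: only a warning

        # 2. After a signed release the sidecar matches the bundle.
        write_attestation(bundle)
        out["signed"] = verify_artifacts([bundle]).passes(fail_on_unattested=True)  # True

        # 3. The bundle is modified after signing, so the recorded digest no longer matches.
        with open(bundle, "a", encoding="utf-8") as f:
            f.write("// modified after signing\n")
        out["tampered"] = verify_artifacts([bundle]).passes(fail_on_unattested=False)  # False even when lenient
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the third scenario is why `fail-on-unattested` is not the whole story: a present-but-stale attestation is a verification failure regardless of that setting, while the setting only decides whether the window between uncommenting the job and the first signed release (scenario 1) breaks CI or merely warns.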
