Why
specfact-cli-modules verifies module signatures on every PR but has no automated signing step in CI. The only path to a signed manifest is local signing — which blocks non-interactive development. This is the modules-repo half of the paired change: it adds the missing CI signing job (triggered by PR approval) and relaxes the verify gate on dev-targeting PRs.
Scope
- NEW: .github/workflows/sign-modules-on-approval.yml — same pull_request_review trigger as core; discovers manifests from packages/*/module-package.yaml
- MODIFY: .github/workflows/pr-orchestrator.yml — split verify-module-signatures by target branch (dev: checksum-only; main: require-signature)
Trust Model
Same as paired core change: signatures enforced only at main boundary; feature/dev branches use checksum-only integrity.
OpenSpec Change
openspec/changes/marketplace-06-ci-module-signing/
Paired Change
nold-ai/specfact-cli#500 — covers pre-commit hook, sign-modules.yml, and pr-orchestrator changes in the core CLI repo
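The branch-split gate from the Trust Model section, sketched as an added example (not the project's workflow or verifier code). It shows what checksum-only integrity accepts on dev and what the signature requirement rejects on main. The manifest field names `checksum` and `signature` are hypothetical, and HMAC-SHA256 with a constructed key stands in for the project's signature scheme, which this page does not specify.

```python
import hashlib
import hmac

# Constructed stand-in key: an assumption so the example runs on the standard
# library. In the described setup only the CI signing job would hold the key.
CI_SIGNING_KEY = b"constructed-ci-key"


def checksum(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def sign(payload: bytes, key: bytes = CI_SIGNING_KEY) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_module(manifest: dict, payload: bytes, base_branch: str):
    """Gate split by PR target branch: main requires a signature, others checksum only."""
    if not hmac.compare_digest(manifest.get("checksum", ""), checksum(payload)):
        return False, "checksum mismatch"
    if base_branch != "main":
        return True, "checksum-only"
    signature = manifest.get("signature")
    if not signature:
        return False, "signature required on main"
    if not hmac.compare_digest(signature, sign(payload)):
        return False, "signature invalid"
    return True, "signature verified"


def demo():
    original = b"def run(): return 'ok'\n"  # constructed module payload
    signed = {"checksum": checksum(original), "signature": sign(original)}
    # Payload edited after signing: the checksum can be recomputed by anyone,
    # but the signature cannot be refreshed without the signing key.
    edited = b"def run(): return 'changed'\n"
    stale = {"checksum": checksum(edited), "signature": signed["signature"]}
    unsigned = {"checksum": checksum(edited)}
    return {
        "signed_main": verify_module(signed, original, "main"),
        "edited_dev": verify_module(stale, edited, "dev"),
        "edited_main": verify_module(stale, edited, "main"),
        "unsigned_main": verify_module(unsigned, edited, "main"),
        "mismatch_dev": verify_module(signed, edited, "dev"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `edited_dev` case passes because a checksum only proves that manifest and payload agree with each other, so review on dev-targeting PRs carries the trust until the signature gate at the main boundary.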