sigstore
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,6 +13,10 @@ updates:
         - "eslint*"
         - "@typescript-eslint/*"
         - "prettier"
+    oclif:
+      patterns:
+        - "oclif"
+        - "@oclif/*"
 - package-ecosystem: "github-actions"
   directory: "/"
   schedule:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
     - name: Checkout source
       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
     - name: Setup node
-      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
       with:
         node-version: 16
         cache: npm
@@ -34,9 +34,7 @@ jobs:
       fail-fast: false
       matrix:
         node-version:
-          - 14.17.0
-          - 14.x
-          - 16.13.0
+          - 16.14.0
           - 16.x
           - 18.0.0
           - 18.x
@@ -58,7 +56,7 @@ jobs:
     - name: Checkout source
       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
     - name: Setup node
-      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
       with:
         node-version: ${{ matrix.node-version }}
         cache: npm

diff --git a/.github/workflows/compatibility-check.yml b/.github/workflows/compatibility-check.yml
@@ -0,0 +1,36 @@
+name: Backward compatibility
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    name: Verify bundles
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+    - name: Checkout source
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+    - name: Setup node
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
+      with:
+        node-version: 16
+        cache: npm
+    - name: Install CLI
+      run: npm install -g @sigstore/cli
+    - name: Verify bundles
+      run: |
+        for FILE in ./tests/bundles/*.sigstore; do
+          echo "Verifying ${FILE}"
+          sigstore verify $FILE
+        done
+
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -0,0 +1,27 @@
+name: "Conformance tests"
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+
+jobs:
+  conformance:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout source
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+    - name: Setup node
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
+      with:
+        node-version: 16
+        cache: npm
+    - name: Install dependencies
+      run: npm ci
+    - name: Build sigstore-js
+      run: npm run build
+    - uses: sigstore/sigstore-conformance@1abc82cdefe80bd907855d8447f903ba8b4918e0 # v0.0.6
+      with:
+        entrypoint: ${{ github.workspace }}/packages/conformance/bin/run
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
 
       - name: Setup node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
         with:
           node-version: 16
           registry-url: 'https://registry.npmjs.org'

diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
@@ -21,7 +21,7 @@ jobs:
     - name: Checkout source
       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
     - name: Setup node
-      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
       with:
         node-version: 16
         cache: npm
@@ -40,6 +40,7 @@ jobs:
       run: |
         ./packages/cli/bin/run verify bundle.sigstore
     - name: Archive bundle
+      if: success() || failure()
       uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
       with:
         name: bundle