diff --git a/.github/workflows/evict_caches.yml b/.github/workflows/evict_caches.yml
index eb0ae13..61c255b 100644
--- a/.github/workflows/evict_caches.yml
+++ b/.github/workflows/evict_caches.yml
@@ -13,7 +13,7 @@ jobs:
         shell: bash
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -44,16 +44,7 @@ jobs:
           Dispatch-Trailer: {"type":"'))
         name: Check we don't have Dispatch-Trailer on a protected branch
         run: |-
-          echo "github.event.head_commit.message contains Dispatch-Trailer"
-          echo "github.event.head_commit.message value"
-          cat <<EOD
-          ${{ github.event.head_commit.message }}
-          EOD
-          echo "containsDispatchTrailer expression"
-          cat <<EOD
-          (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"'))
-          EOD
+          echo "github.event.head_commit.message contains Dispatch-Trailer but we are on a protected branch"
           false
       - name: Delete caches
         run: |-
diff --git a/.github/workflows/trybot.yml b/.github/workflows/trybot.yml
index 3a5c839..e2e03b7 100644
--- a/.github/workflows/trybot.yml
+++ b/.github/workflows/trybot.yml
@@ -20,7 +20,7 @@ jobs:
       Dispatch-Trailer: {"type":"'))
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -51,19 +51,10 @@ jobs:
           Dispatch-Trailer: {"type":"'))
         name: Check we don't have Dispatch-Trailer on a protected branch
         run: |-
-          echo "github.event.head_commit.message contains Dispatch-Trailer"
-          echo "github.event.head_commit.message value"
-          cat <<EOD
-          ${{ github.event.head_commit.message }}
-          EOD
-          echo "containsDispatchTrailer expression"
-          cat <<EOD
-          (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"'))
-          EOD
+          echo "github.event.head_commit.message contains Dispatch-Trailer but we are on a protected branch"
           false
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           cache: false
           go-version: 1.20.x
@@ -76,7 +67,7 @@ jobs:
       - if: |-
           (((github.ref == 'refs/heads/master') && (! (contains(github.event.head_commit.message, '
           Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test'))
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |-
             ${{ steps.go-mod-cache-dir.outputs.dir }}/cache/download
@@ -86,7 +77,7 @@ jobs:
       - if: |-
           ! (((github.ref == 'refs/heads/master') && (! (contains(github.event.head_commit.message, '
           Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test'))
-        uses: actions/cache/restore@v3
+        uses: actions/cache/restore@v4
         with:
           path: |-
             ${{ steps.go-mod-cache-dir.outputs.dir }}/cache/download
@@ -109,5 +100,6 @@ jobs:
         run: go run honnef.co/go/tools/cmd/staticcheck@v0.4.3 ./...
       - name: Tidy
         run: go mod tidy
-      - name: Check that git is clean at the end of the job
+      - if: always()
+        name: Check that git is clean at the end of the job
         run: test -z "$(git status --porcelain)" || (git status; git diff; false)
diff --git a/internal/ci/base/base.cue b/internal/ci/base/base.cue
index e6db33b..39b9010 100644
--- a/internal/ci/base/base.cue
+++ b/internal/ci/base/base.cue
@@ -42,11 +42,11 @@ gerritHubRepositoryURL: *("https://\(gerritHubHostname)/a/" + githubRepositoryPa
 trybotRepositoryPath:   *(githubRepositoryPath + "-" + trybot.key) | string
 trybotRepositoryURL:    *("https://github.com/" + trybotRepositoryPath) | string
 
-defaultBranch:           *"master" | string
-testDefaultBranch:       *"ci/test" | _
+defaultBranch:     *"master" | string
+testDefaultBranch: *"ci/test" | _
 protectedBranchPatterns: *[defaultBranch] | [...string]
-releaseTagPrefix:        *"v" | string
-releaseTagPattern:       *(releaseTagPrefix + "*") | string
+releaseTagPrefix:  *"v" | string
+releaseTagPattern: *(releaseTagPrefix + "*") | string
 
 botGitHubUser:                      string
 botGitHubUserTokenSecretsKey:       *(strings.ToUpper(botGitHubUser) + "_GITHUB_PAT") | string
diff --git a/internal/ci/base/codereview.cue b/internal/ci/base/codereview.cue
index 75bf11b..113aab8 100644
--- a/internal/ci/base/codereview.cue
+++ b/internal/ci/base/codereview.cue
@@ -21,7 +21,7 @@ import (
 // the key: value
 toCodeReviewCfg: {
 	#input: #codeReview
-	let parts = [ for k, v in #input {k + ": " + v}]
+	let parts = [for k, v in #input {k + ": " + v}]
 
 	// Per https://pkg.go.dev/golang.org/x/review/git-codereview#hdr-Configuration
 	strings.Join(parts, "\n")
diff --git a/internal/ci/base/gerrithub.cue b/internal/ci/base/gerrithub.cue
index 9b0ae9c..0105ee0 100644
--- a/internal/ci/base/gerrithub.cue
+++ b/internal/ci/base/gerrithub.cue
@@ -45,7 +45,7 @@ trybotDispatchWorkflow: bashWorkflow & {
 		(trybot.key): {
 			"runs-on": linuxMachine
 
-			let goodDummyData = [ if encjson.Marshal(#dummyDispatch) != _|_ {true}, false][0]
+			let goodDummyData = [if encjson.Marshal(#dummyDispatch) != _|_ {true}, false][0]
 
 			// We set the "on" conditions above, but this would otherwise mean we
 			// run for all dispatch events.
diff --git a/internal/ci/base/github.cue b/internal/ci/base/github.cue
index 0e8080e..5e0eee1 100644
--- a/internal/ci/base/github.cue
+++ b/internal/ci/base/github.cue
@@ -17,7 +17,7 @@ bashWorkflow: json.#Workflow & {
 
 installGo: json.#step & {
 	name: "Install Go"
-	uses: "actions/setup-go@v4"
+	uses: "actions/setup-go@v5"
 	with: {
 		// We do our own caching in setupGoActionsCaches.
 		cache:        false
@@ -28,7 +28,7 @@ installGo: json.#step & {
 checkoutCode: {
 	#actionsCheckout: json.#step & {
 		name: "Checkout code"
-		uses: "actions/checkout@v3"
+		uses: "actions/checkout@v4"
 
 		// "pull_request" builds will by default use a merge commit,
 		// testing the PR's HEAD merged on top of the master branch.
@@ -91,15 +91,7 @@ checkoutCode: {
 			name: "Check we don't have \(dispatchTrailer) on a protected branch"
 			if:   "\(isProtectedBranch) && \(containsDispatchTrailer)"
 			run:  """
-				echo "\(_dispatchTrailerVariable) contains \(dispatchTrailer)"
-				echo "\(_dispatchTrailerVariable) value"
-				cat <<EOD
-				${{ \(_dispatchTrailerVariable) }}
-				EOD
-				echo "containsDispatchTrailer expression"
-				cat <<EOD
-				\(containsDispatchTrailer)
-				EOD
+				echo "\(_dispatchTrailerVariable) contains \(dispatchTrailer) but we are on a protected branch"
 				false
 				"""
 		},
@@ -109,20 +101,6 @@ checkoutCode: {
 earlyChecks: json.#step & {
 	name: "Early git and code sanity checks"
 	run: #"""
-		# Ensure the recent commit messages have Signed-off-by headers. We
-		# only need to check the HEAD commit because all commits are tested
-		# in CI. Unclear why git log outputs blank lines when parsing trailers
-		# in this way, but we remove those blank lines so as not to skew the
-		# count of the trailers we are searching for.
-		#
-		# TODO: Remove once this is enforced for admins too;
-		# see https://bugs.chromium.org/p/gerrit/issues/detail?id=15229
-		if [[ "$(git log -1 --pretty='%(trailers:key=Signed-off-by)' | sed '/^\s*$/d' | wc -l)" -eq 0 ]]; then
-			echo -e "\nRecent commit is lacking Signed-off-by:\n"
-			git show --quiet
-			exit 1
-		fi
-
 		# Ensure that commit messages have a blank second line.
 		# We know that a commit message must be longer than a single
 		# line because each commit must be signed-off.
@@ -131,34 +109,32 @@ earlyChecks: json.#step & {
 			exit 1
 		fi
 
-		# Ensure that the commit author is the same as the signed-off-by.  This
-		# is a basic requirement of DCO. It is enforced by Gerrit (although
-		# noting that in Gerrit the author name does not have to match, only
-		# the email address), but _not_ by the DCO GitHub app:
-		#
-		#   https://github.com/dcoapp/app/issues/201
-		#
-		# Provide a sanity check as part of GitHub workflows that should enforce
-		# this, e.g. trybot workflows.
+		# All authors, including co-authors, must have a signed-off trailer by email.
+		# Note that trailers are in the form "Name <email>", so grab the email with sed.
+		# For now, we require the sorted lists of author and signer emails to match.
+		# Note that this also fails if a commit isn't signed-off at all.
 		#
-		# We do so by comparing the commit author and "Signed-off-by" trailer for
-		# strict equality. Whilst this is more strict than Gerrit, it should
-		# generally be the case, and we can always relax this when presented with
-		# specific situations where it is is a problem.
-
-		# commit author email address
-		commitauthor="$(git log -1 --pretty="%ae")"
-
-		# signed-off-by trailer email address. There is no way to parse just the
-		# email address from the trailer in the same way as git log, so instead
-		# grab the relevant trailer and then take the last whitespace-delimited
-		# part as the "<>" contained email address.
-		# Getting the Signed-off-by trailer in this way causes blank
-		# lines for some reason. Use awk to remove them.
-		commitsigner="$(git log -1 --pretty='%(trailers:key=Signed-off-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p')"
-
-		if [[ "$commitauthor" != "$commitsigner" ]]; then
-			echo "commit author email address does not match signed-off-by trailer"
+		# In Gerrit we already enable a form of this via https://gerrit-review.googlesource.com/Documentation/project-configuration.html#require-signed-off-by,
+		# but it does not support co-authors nor can it be used when testing GitHub PRs.
+		commit_authors="$(
+			{
+				git log -1 --pretty='%ae'
+				git log -1 --pretty='%(trailers:key=Co-authored-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p'
+			} | sort -u
+		)"
+		commit_signers="$(
+			{
+				git log -1 --pretty='%(trailers:key=Signed-off-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p'
+			} | sort -u
+		)"
+		if [[ "${commit_authors}" != "${commit_signers}" ]]; then
+			echo "Error: commit author email addresses do not match signed-off-by trailers"
+			echo
+			echo "Authors:"
+			echo "${commit_authors}"
+			echo
+			echo "Signers:"
+			echo "${commit_signers}"
 			exit 1
 		fi
 		"""#
@@ -239,7 +215,7 @@ setupGoActionsCaches: {
 		if !#readonly {
 			cacheStep & {
 				if:   readWriteCacheExpr
-				uses: "actions/cache@v3"
+				uses: "actions/cache@v4"
 			}
 		},
 
@@ -252,7 +228,7 @@ setupGoActionsCaches: {
 				if: "! \(readWriteCacheExpr)"
 			}
 
-			uses: "actions/cache/restore@v3"
+			uses: "actions/cache/restore@v4"
 		},
 
 		if #cleanTestCache {
@@ -278,7 +254,7 @@ setupGoActionsCaches: {
 // but array literals are not yet supported in expressions.
 isProtectedBranch: {
 	#trailers: [...string]
-	"((" + strings.Join([ for branch in protectedBranchPatterns {
+	"((" + strings.Join([for branch in protectedBranchPatterns {
 		(_matchPattern & {variable: "github.ref", pattern: "refs/heads/\(branch)"}).expr
 	}], " || ") + ") && (! \(containsDispatchTrailer)))"
 }
@@ -296,6 +272,7 @@ isReleaseTag: {
 
 checkGitClean: json.#step & {
 	name: "Check that git is clean at the end of the job"
+	if:   "always()"
 	run:  "test -z \"$(git status --porcelain)\" || (git status; git diff; false)"
 }
 
@@ -308,7 +285,7 @@ repositoryDispatch: json.#step & {
 
 	name: string
 	run:  #"""
-			\#(_curlGitHubAPI) -f --request POST --data-binary \#(strconv.Quote(encjson.Marshal(#arg))) https://api.github.com/repos/\#(#githubRepositoryPath)/dispatches
+			\#(_curlGitHubAPI) --fail --request POST --data-binary \#(strconv.Quote(encjson.Marshal(#arg))) https://api.github.com/repos/\#(#githubRepositoryPath)/dispatches
 			"""#
 }
 
@@ -354,7 +331,7 @@ containsDispatchTrailer: {
 	//
 	//     Dispatch-Trailer: {"type:}
 	//
-	let _typeCheck = [ if #type != _|_ {#type + "\""}, ""][0]
+	let _typeCheck = [if #type != _|_ {#type + "\""}, ""][0]
 	"""
 	(contains(\(_dispatchTrailerVariable), '\n\(dispatchTrailer): {"type":"\(_typeCheck)'))
 	"""