Fix WORKS Drive image upload recovery

test/production_image_workflows_policy_test.sh

@@ -44,6 +44,8 @@ grep -Fq "steps.version.outputs.image_tag" "$publish_workflow" \
   || fail "publish workflow must use the computed image tag for built image archives."
 grep -Fq "Upload built images to WORKS Drive archive" "$publish_workflow" \
   || fail "publish workflow must archive locally built images to WORKS Drive."
+grep -Fq "Verify built Docker images before WORKS upload" "$publish_workflow" \
+  || fail "publish workflow must verify all built Docker images before WORKS upload."
 grep -Fq "scripts/docker-image/upload_works_drive.sh" "$publish_workflow" \
   || fail "publish workflow must use the shared WORKS Drive image archive script."
 grep -Fq "docker/build-push-action@v5" "$publish_workflow" \
@@ -54,6 +56,12 @@ for image in backend userfront adminfront devfront orgfront; do
   grep -Fq "baron_sso/${image}:" "$publish_workflow" \
     || fail "publish workflow must build ${image} image."
 done
+grep -Fq 'docker image inspect "${image_ref}"' "$publish_workflow" \
+  || fail "publish workflow must inspect each built Docker image before upload."
+grep -Fq 'WORKS image upload ${image_index}/${image_total}: ${image_ref}' "$publish_workflow" \
+  || fail "publish workflow must log each WORKS image upload with index and image ref."
+grep -Fq 'uploaded_images' "$publish_workflow" \
+  || fail "publish workflow must track successfully uploaded image refs for failure diagnostics."
 grep -Fq "WORKS_DRIVE_ACCESS_TOKEN_INPUT: \${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}" "$publish_workflow" \
   || fail "publish workflow must support direct WORKS Drive access token auth."
 grep -Fq "WORKS_DRIVE_OAUTH_CLIENT_SECRET: \${{ secrets.WORKS_OAUTH_CLIENT_SECRET }}" "$publish_workflow" \