diff --git a/.github/actions/verify-debug-artifact-scan-completed/action.yml b/.github/actions/verify-debug-artifact-scan-completed/action.yml
new file mode 100644
index 000000000..f2331daaa
--- /dev/null
+++ b/.github/actions/verify-debug-artifact-scan-completed/action.yml
@@ -0,0 +1,6 @@
+name: Verify that the best-effort debug artifact scan completed
+description: Verifies that the best-effort debug artifact scan completed successfully during tests
+runs:
+ using: node20
+ main: index.js
+ post: post.js
diff --git a/.github/actions/verify-debug-artifact-scan-completed/index.js b/.github/actions/verify-debug-artifact-scan-completed/index.js
new file mode 100644
index 000000000..9cb49e3e1
--- /dev/null
+++ b/.github/actions/verify-debug-artifact-scan-completed/index.js
@@ -0,0 +1,2 @@
+// The main step is a no-op, since we can only verify artifact scan completion in the post step.
+console.log("Will verify artifact scan completion in the post step.");
diff --git a/.github/actions/verify-debug-artifact-scan-completed/post.js b/.github/actions/verify-debug-artifact-scan-completed/post.js
new file mode 100644
index 000000000..996b1e923
--- /dev/null
+++ b/.github/actions/verify-debug-artifact-scan-completed/post.js
@@ -0,0 +1,11 @@
+// Post step - runs after the workflow completes, when artifact scan has finished
+const process = require("process");
+
+const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
+
+if (scanFinished !== "true") {
+ console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
+ process.exit(1);
+}
+
+console.log("✓ Best-effort artifact scan completed successfully");
diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml
index 86936202d..1c1343b19 100644
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
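Review bot: `using: node20` in action.yml ties this helper to Node.js 20, which reaches upstream end-of-life in April 2026 and which GitHub has announced it is phasing out as an action runtime. If the runners these checks use already support it, `using: node24` avoids a forced migration later; the two scripts shown use only `process` and `console`, so nothing visible depends on the older runtime. The `description` could also say that the verification happens in the `post:` script, since `main:` is a no-op.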
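Review bot: The header comment in post.js says the step runs "after the workflow completes", but a `post:` script runs at the end of the job, and the check only means something if it runs after whatever sets `CODEQL_ACTION_ARTIFACT_SCAN_FINISHED` (that producer is not visible in this diff). I would reword it to `// Post step: runs at the end of the job. Post steps run in reverse order of their main steps, so this action must be listed before the step whose post phase sets CODEQL_ACTION_ARTIFACT_SCAN_FINISHED.` Two smaller points: `require("process")` is redundant because `process` is a global in Node, and `process.exit(1)` straight after `console.error` can cut the message short where stderr is an asynchronous pipe (Windows). Setting `process.exitCode = 1` and moving the success `console.log` into an `else` branch fails the step without that risk.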
@@ -58,6 +58,8 @@ jobs:
 uses: actions/setup-dotnet@v5
 with:
 dotnet-version: '9.x'
+ - name: Assert best-effort artifact scan completed
+ uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
 - uses: ./../action/init
 with:
 tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -73,14 +75,6 @@ jobs:
 CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
 with:
 expect-error: true
- - name: Verify artifact scan ran
- shell: bash
- run: |
- if [[ "$CODEQL_ACTION_ARTIFACT_SCAN_FINISHED" != "true" ]]; then
- echo "Error: Best effort artifact scan did not run"
- exit 1
- fi
- echo "✓ Best effort artifact scan completed successfully"
 download-and-check-artifacts:
 name: Download and check debug artifacts after failure in analyze
 if: github.triggering_actor != 'dependabot[bot]'
diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml
index 78e3a9fe3..5314cc753 100644
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -54,6 +54,8 @@ jobs:
 uses: actions/setup-dotnet@v5
 with:
 dotnet-version: '9.x'
+ - name: Assert best-effort artifact scan completed
+ uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
 - uses: ./../action/init
 id: init
 with:
@@ -67,14 +69,6 @@ jobs:
 run: ./build.sh
 - uses: ./../action/analyze
 id: analysis
- - name: Verify artifact scan ran
- shell: bash
- run: |
- if [[ "$CODEQL_ACTION_ARTIFACT_SCAN_FINISHED" != "true" ]]; then
- echo "Error: Best effort artifact scan did not run"
- exit 1
- fi
- echo "✓ Best effort artifact scan completed successfully"
 download-and-check-artifacts:
 name: Download and check debug artifacts
 if: github.triggering_actor != 'dependabot[bot]'
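Review bot: The added step in debug-artifacts-failure-safe.yml sits before `./../action/init`, yet its name reads as an assertion about a scan that has not run at that point, and nothing in the workflow says the check is deferred to the action's post script. A comment above the step would stop a later edit from moving it back after `analyze`, where the post ordering would presumably break the check: `# Keep before init: the check runs in this action's post step, and post steps run in reverse order of the main steps.` Since action.yml sets no `post-if`, the post script should still run when `analyze` fails, which this failure-path job relies on; the comment could say so. The same applies to the matching hunk in debug-artifacts-safe.yml (`@@ -54,6 +54,8 @@`). Both hunks start and end inside the job's step list, so the surrounding steps are not fully visible.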