There are a number of approaches we might use, with various benefits and drawbacks:
We can find this via sitespeed, but it would be great to find it in PRs themselves
If we are OK to catch this post-release, we can do it via a splunk report/alert.
Another approach is to run collectstatic and then make sure that every .js file has a corresponding hashed version?
Perhaps overload some paver task that already collected static (e.g. bok-choy)?
Or maybe we need to keep this isolated and discreet