Skip to content

GetIntegrityAPI/proof-of-publish-demo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 

Repository files navigation

GetIntegrityAPI Proof of Publish Demo

This repository demonstrates how to use GetIntegrityAPI/proof-of-publish@v1 from a separate consumer GitHub repository.

It shows the normal customer onboarding model:

  1. Add GI_API_KEY as a GitHub Actions secret.
  2. Run the workflow in .github/workflows/publish-receipt.yml.
  3. Generate a proof_id.
  4. Open a public receipt_url.
  5. Download the generated artifact bundle.

This demo is intentionally separate from the main Action repository.

The main repository hosts the Action.
This repository shows how a customer or consumer repository uses it.


Latest Demo Proof

The latest successful demo run produced a public verification receipt and downloadable evidence artifacts.

Item Value
Proof ID 2558d4d1-7858-4ea6-ad8e-37d276dad521
Repository GetIntegrityAPI/proof-of-publish-demo
Workflow Publish Receipt Demo
Run number 9
Commit 79b32ecbf051bc02e089a2a4620709ddd48aba95
Verification URL View public verification receipt

Example Artifact Bundle

A successful workflow run generates an evidence bundle containing:

Artifact Purpose
receipt.json Canonical machine-readable proof receipt
receipt.sha256 SHA-256 digest for offline integrity verification
receipt.pdf Human-readable receipt for audit, review, and compliance evidence

These artifacts can be retained with:

  • release records
  • deployment evidence
  • compliance documentation
  • audit evidence packages
  • software supply-chain archives

What This Demo Shows

This demo repository proves that a consumer GitHub repository can:

  • call GetIntegrityAPI/proof-of-publish@v1
  • generate a signed publish proof
  • expose a public verification URL
  • produce a proof_id
  • produce a SHA-256 receipt digest
  • upload receipt.json, receipt.sha256, and receipt.pdf as workflow artifacts
  • publish a workflow summary containing the proof outputs

In simple terms:

The Action creates the proof.
This demo shows how a customer repository uses it.



GetIntegrityAPI Proof of Publish for GitHub Actions: release integrity, public verification URL, signed proof, and artifact bundle

Demo Usage Note

This repository includes previously generated proof receipts and artifact bundles for review.

Viewing the verification URL, downloading receipt artifacts, or inspecting previous workflow runs does not generate a new proof and does not consume API usage.

Running the workflow manually creates a new publish receipt and consumes one usage unit from the configured GI_API_KEY.

To generate your own publish receipt, fork this repository, add your own GI_API_KEY as a GitHub Actions secret, and run the workflow in your fork.


Workflow File

This repository uses:

uses: GetIntegrityAPI/proof-of-publish@v1

The workflow lives at:

.github/workflows/publish-receipt.yml

A typical workflow run:

  1. checks out the repository
  2. calls the GetIntegrityAPI Proof of Publish Action
  3. receives a proof_id, receipt_url, and receipt_sha256
  4. confirms generated receipt files exist
  5. uploads the receipt artifact bundle
  6. writes the proof details to the GitHub Actions job summary

Secret Required

Before running the workflow, add this repository secret:

GI_API_KEY

Path in GitHub:

Settings → Secrets and variables → Actions → New repository secret

Use a scoped key with the minimum permissions required for the demo workflow.

For public demos, use a dedicated demo or sandbox key. Do not use a production customer key in public demo repositories.

Never place API keys directly in workflow files, README files, screenshots, issues, or public logs.


What You Get After a Successful Run

Each successful workflow run produces:

  • proof_id
  • receipt_url
  • receipt_sha256
  • receipt.pdf
  • an uploaded artifact bundle containing:
    • receipt.json
    • receipt.sha256
    • receipt.pdf

The public verification URL is the primary online verification surface.

The artifact bundle is the recommended evidence package for retention, audit review, compliance-supporting workflows, and offline integrity checks.


Verification Model

Proofs generated by this demo can be verified in multiple ways.

1. Public Verification URL

Open the receipt_url from the workflow summary, or use the latest demo receipt linked at the top of this README:

https://api.getintegrityapi.com/verify/2558d4d1-7858-4ea6-ad8e-37d276dad521

This provides a public verification surface for review and sharing.

2. GitHub Workflow Artifacts

Download the uploaded artifact bundle from the GitHub Actions run.

The bundle contains:

receipt.json
receipt.sha256
receipt.pdf

3. Offline Integrity Verification

For offline verification workflows, preserve:

receipt.json
receipt.sha256

Then:

  1. verify the SHA-256 digest locally
  2. verify the signed proof using the published GetIntegrityAPI public key material

GetIntegrityAPI public key endpoints:

https://api.getintegrityapi.com/.well-known/hp-public-key
https://api.getintegrityapi.com/.well-known/hp-keys

Why This Demo Exists

The main GetIntegrityAPI/proof-of-publish repository hosts the GitHub Action itself.

This repository shows the standard consumer-repository onboarding flow in a separate public repo, which is the normal production usage pattern for the Action.

This separation is intentional:

Repository Purpose
GetIntegrityAPI/proof-of-publish Hosts the GitHub Action
GetIntegrityAPI/proof-of-publish-demo Demonstrates customer-style usage in a consumer repository

Related Repositories


Learn More

About

Demo repository showing GetIntegrityAPI Proof of Publish in a consumer GitHub repository.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors