This repository demonstrates how to use GetIntegrityAPI/proof-of-publish@v1 from a separate consumer GitHub repository.
It shows the normal customer onboarding model:
- Add
GI_API_KEYas a GitHub Actions secret. - Run the workflow in
.github/workflows/publish-receipt.yml. - Generate a
proof_id. - Open a public
receipt_url. - Download the generated artifact bundle.
This demo is intentionally separate from the main Action repository.
The main repository hosts the Action.
This repository shows how a customer or consumer repository uses it.
The latest successful demo run produced a public verification receipt and downloadable evidence artifacts.
| Item | Value |
|---|---|
| Proof ID | 2558d4d1-7858-4ea6-ad8e-37d276dad521 |
| Repository | GetIntegrityAPI/proof-of-publish-demo |
| Workflow | Publish Receipt Demo |
| Run number | 9 |
| Commit | 79b32ecbf051bc02e089a2a4620709ddd48aba95 |
| Verification URL | View public verification receipt |
A successful workflow run generates an evidence bundle containing:
| Artifact | Purpose |
|---|---|
receipt.json |
Canonical machine-readable proof receipt |
receipt.sha256 |
SHA-256 digest for offline integrity verification |
receipt.pdf |
Human-readable receipt for audit, review, and compliance evidence |
These artifacts can be retained with:
- release records
- deployment evidence
- compliance documentation
- audit evidence packages
- software supply-chain archives
This demo repository proves that a consumer GitHub repository can:
- call
GetIntegrityAPI/proof-of-publish@v1 - generate a signed publish proof
- expose a public verification URL
- produce a
proof_id - produce a SHA-256 receipt digest
- upload
receipt.json,receipt.sha256, andreceipt.pdfas workflow artifacts - publish a workflow summary containing the proof outputs
In simple terms:
The Action creates the proof.
This demo shows how a customer repository uses it.
This repository includes previously generated proof receipts and artifact bundles for review.
Viewing the verification URL, downloading receipt artifacts, or inspecting previous workflow runs does not generate a new proof and does not consume API usage.
Running the workflow manually creates a new publish receipt and consumes one usage unit from the configured GI_API_KEY.
To generate your own publish receipt, fork this repository, add your own GI_API_KEY as a GitHub Actions secret, and run the workflow in your fork.
This repository uses:
uses: GetIntegrityAPI/proof-of-publish@v1The workflow lives at:
.github/workflows/publish-receipt.yml
A typical workflow run:
- checks out the repository
- calls the GetIntegrityAPI Proof of Publish Action
- receives a
proof_id,receipt_url, andreceipt_sha256 - confirms generated receipt files exist
- uploads the receipt artifact bundle
- writes the proof details to the GitHub Actions job summary
Before running the workflow, add this repository secret:
GI_API_KEY
Path in GitHub:
Settings → Secrets and variables → Actions → New repository secret
Use a scoped key with the minimum permissions required for the demo workflow.
For public demos, use a dedicated demo or sandbox key. Do not use a production customer key in public demo repositories.
Never place API keys directly in workflow files, README files, screenshots, issues, or public logs.
Each successful workflow run produces:
proof_idreceipt_urlreceipt_sha256receipt.pdf- an uploaded artifact bundle containing:
receipt.jsonreceipt.sha256receipt.pdf
The public verification URL is the primary online verification surface.
The artifact bundle is the recommended evidence package for retention, audit review, compliance-supporting workflows, and offline integrity checks.
Proofs generated by this demo can be verified in multiple ways.
Open the receipt_url from the workflow summary, or use the latest demo receipt linked at the top of this README:
https://api.getintegrityapi.com/verify/2558d4d1-7858-4ea6-ad8e-37d276dad521
This provides a public verification surface for review and sharing.
Download the uploaded artifact bundle from the GitHub Actions run.
The bundle contains:
receipt.json
receipt.sha256
receipt.pdf
For offline verification workflows, preserve:
receipt.json
receipt.sha256
Then:
- verify the SHA-256 digest locally
- verify the signed proof using the published GetIntegrityAPI public key material
GetIntegrityAPI public key endpoints:
https://api.getintegrityapi.com/.well-known/hp-public-key
https://api.getintegrityapi.com/.well-known/hp-keys
The main GetIntegrityAPI/proof-of-publish repository hosts the GitHub Action itself.
This repository shows the standard consumer-repository onboarding flow in a separate public repo, which is the normal production usage pattern for the Action.
This separation is intentional:
| Repository | Purpose |
|---|---|
GetIntegrityAPI/proof-of-publish |
Hosts the GitHub Action |
GetIntegrityAPI/proof-of-publish-demo |
Demonstrates customer-style usage in a consumer repository |
