Skip to main content
The Truthlocks Protect GitHub Action creates cryptographic proofs of authorship for your code and build artifacts on every push, pull request, or release. Each protected file gets an attestation anchored to the transparency log, giving you a timestamped, verifiable record of when the content existed.

Prerequisites

Quick start

Add the following workflow to your repository: 
# .github/workflows/protect.yml
name: Protect on release
on:
  release:
    types: [published]

jobs:
  protect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: truthlocks/protect-action@v1
        with:
          token: ${{ secrets.TRUTHLOCK_TOKEN }}
          files: "src/**/*.ts README.md"
          category: code
Store your Truthlocks token as a repository secret named TRUTHLOCK_TOKEN.

Inputs

InputRequiredDefaultDescription
tokenYesYour Truthlocks personal access token
filesNoFiles or glob patterns to protect (space-separated)
directoryNoDirectory to protect (all files, up to 3 levels deep)
categoryNocodeContent category for the protections
visibilityNopublicpublic or private
title-prefixNoPrefix added to each protection title
You must provide either files or directory. If both are omitted, the action exits with an error.

Categories

Use the category input to classify the protected content: code, research, design, media, dataset, ai-output, writing, digital-art, other

Outputs

The action provides three outputs you can reference in subsequent workflow steps:
OutputDescription
attestation-idsComma-separated list of attestation IDs created
protection-countNumber of files protected
badge-urlVerification badge URL for the first attestation

Using outputs in your workflow

jobs:
  protect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: truthlocks/protect-action@v1
        id: protect
        with:
          token: ${{ secrets.TRUTHLOCK_TOKEN }}
          files: "dist/bundle.js"
      - name: Comment on release
        run: |
          echo "Protected ${{ steps.protect.outputs.protection-count }} file(s)"
          echo "Badge: ${{ steps.protect.outputs.badge-url }}"

Examples

Protect source files on push to main

name: Protect source
on:
  push:
    branches: [main]

jobs:
  protect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: truthlocks/protect-action@v1
        with:
          token: ${{ secrets.TRUTHLOCK_TOKEN }}
          directory: src
          category: code
          title-prefix: "myproject - "

Protect build artifacts on release

name: Protect release artifacts
on:
  release:
    types: [published]

jobs:
  build-and-protect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - run: npm ci && npm run build
      - uses: truthlocks/protect-action@v1
        with:
          token: ${{ secrets.TRUTHLOCK_TOKEN }}
          files: "dist/**/*.js"
          category: code
          visibility: public

Private protections

Set visibility: private to protect content without listing it publicly. Private protections are still verifiable by attestation ID but do not appear in your public portfolio. 
- uses: truthlocks/protect-action@v1
  with:
    token: ${{ secrets.TRUTHLOCK_TOKEN }}
    files: "internal/**/*"
    visibility: private

How it works

The action:
  1. Installs the @truthlock/protect CLI
  2. Authenticates using your token
  3. Computes a SHA-256 hash of each file (the file content is never uploaded)
  4. Mints an attestation for each hash, anchored to the transparency log
  5. Outputs the attestation IDs and a verification badge URL
Each attestation is a cryptographic proof that the file existed with that exact content at the time of the workflow run.

Protect CLI

Protect files from the command line for local workflows.

Content protection

Full guide to protecting content and sharing proof links.