> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Protect GitHub Action

> Automatically protect code and artifacts with cryptographic proofs on every push or release.

The Truthlocks Protect GitHub Action creates cryptographic proofs of authorship for your code and build artifacts on every push, pull request, or release. Each protected file gets an attestation anchored to the transparency log, giving you a timestamped, verifiable record of when the content existed.

## Prerequisites

* A Truthlocks Verify account at [verify.truthlocks.com](https://verify.truthlocks.com)
* A personal access token from [verify.truthlocks.com/settings](https://verify.truthlocks.com/settings)
* A GitHub repository with Actions enabled

## Quick start

Add the following workflow to your repository:

```yaml theme={null}
# .github/workflows/protect.yml
name: Protect on release
on:
  release:
    types: [published]

jobs:
  protect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: truthlocks/protect-action@v1
        with:
          token: ${{ secrets.TRUTHLOCK_TOKEN }}
          files: "src/**/*.ts README.md"
          category: code
```

Store your Truthlocks token as a [repository secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets) named `TRUTHLOCK_TOKEN`.

## Inputs

| Input          | Required | Default  | Description                                           |
| -------------- | -------- | -------- | ----------------------------------------------------- |
| `token`        | Yes      | —        | Your Truthlocks personal access token                 |
| `files`        | No       | —        | Files or glob patterns to protect (space-separated)   |
| `directory`    | No       | —        | Directory to protect (all files, up to 3 levels deep) |
| `category`     | No       | `code`   | Content category for the protections                  |
| `visibility`   | No       | `public` | `public` or `private`                                 |
| `title-prefix` | No       | —        | Prefix added to each protection title                 |

You must provide either `files` or `directory`. If both are omitted, the action exits with an error.

### Categories

Use the `category` input to classify the protected content:

`code`, `research`, `design`, `media`, `dataset`, `ai-output`, `writing`, `digital-art`, `other`

## Outputs

The action provides three outputs you can reference in subsequent workflow steps:

| Output             | Description                                      |
| ------------------ | ------------------------------------------------ |
| `attestation-ids`  | Comma-separated list of attestation IDs created  |
| `protection-count` | Number of files protected                        |
| `badge-url`        | Verification badge URL for the first attestation |

### Using outputs in your workflow

```yaml theme={null}
jobs:
  protect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: truthlocks/protect-action@v1
        id: protect
        with:
          token: ${{ secrets.TRUTHLOCK_TOKEN }}
          files: "dist/bundle.js"
      - name: Comment on release
        run: |
          echo "Protected ${{ steps.protect.outputs.protection-count }} file(s)"
          echo "Badge: ${{ steps.protect.outputs.badge-url }}"
```

## Examples

### Protect source files on push to main

```yaml theme={null}
name: Protect source
on:
  push:
    branches: [main]

jobs:
  protect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: truthlocks/protect-action@v1
        with:
          token: ${{ secrets.TRUTHLOCK_TOKEN }}
          directory: src
          category: code
          title-prefix: "myproject - "
```

### Protect build artifacts on release

```yaml theme={null}
name: Protect release artifacts
on:
  release:
    types: [published]

jobs:
  build-and-protect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - run: npm ci && npm run build
      - uses: truthlocks/protect-action@v1
        with:
          token: ${{ secrets.TRUTHLOCK_TOKEN }}
          files: "dist/**/*.js"
          category: code
          visibility: public
```

### Private protections

Set `visibility: private` to protect content without listing it publicly. Private protections are still verifiable by attestation ID but do not appear in your public portfolio.

```yaml theme={null}
- uses: truthlocks/protect-action@v1
  with:
    token: ${{ secrets.TRUTHLOCK_TOKEN }}
    files: "internal/**/*"
    visibility: private
```

## How it works

The action:

1. Installs the `@truthlock/protect` CLI
2. Authenticates using your token
3. Computes a SHA-256 hash of each file (the file content is never uploaded)
4. Mints an attestation for each hash, anchored to the transparency log
5. Outputs the attestation IDs and a verification badge URL

Each attestation is a cryptographic proof that the file existed with that exact content at the time of the workflow run.

## Related

<CardGroup cols={2}>
  <Card title="Protect CLI" icon="terminal" href="/guides/protect-cli">
    Protect files from the command line for local workflows.
  </Card>

  <Card title="Content protection" icon="shield-halved" href="/guides/content-protection">
    Full guide to protecting content and sharing proof links.
  </Card>
</CardGroup>