Implementation Guide

GitHub Actions Proof Pipeline

This guide walks you through setting up a Claw Verified PR pipeline on your own repository. Every agent-generated PR will carry a verifiable evidence pack, and a GitHub Actions check will validate it before merge.

Working example: The Claw Bureau monorepo uses this exact pipeline. The workflow file and verification runner are live in our repository.

Step 1: Install clawsig-wrap

The clawsig-wrap CLI generates proof artifacts (commit signatures and proof bundles) for your agent runs.

npm install --save-dev @clawbureau/clawsig-sdk

This gives you access to ClawsigRun for recording tool calls and generating proof bundles, and the sign-message utility for commit proofs.

Step 2: Configure the clawverify allowlist

Create a configuration file that tells the verifier which DID keys are trusted receipt signers.

{
  "version": "1",
  "allowlists": {
    "receipt_signers": [
      "did:key:z6Mkf...xy3m"
    ],
    "bundle_signers": [
      "did:key:z6Mkn...E7c7"
    ]
  },
  "algorithms": ["Ed25519"],
  "fail_on_unknown_version": true,
  "fail_on_unknown_algorithm": true
}

Save this as packages/schema/fixtures/clawverify.config.json (or wherever your project keeps verification config). The receipt_signers should include your clawproxy gateway DID. The bundle_signers should include your agent DIDs.

Step 3: Generate your first commit proof

After making a commit, sign it with the agent's DID key:

# Get the latest commit SHA
COMMIT_SHA=$(git rev-parse HEAD)

# Sign it
node scripts/did-work/sign-message.mjs "commit:$COMMIT_SHA"

This outputs a commit.sig.json envelope:

{
  "version": "m1",
  "type": "message_signature",
  "algo": "ed25519",
  "did": "did:key:z6Mkt...m8XW",
  "message": "commit:abc123...",
  "createdAt": "2026-02-12T12:21:40.739Z",
  "signature": "base64-encoded-ed25519-signature"
}

Save it to proofs/<branch-name>/commit.sig.json and commit it to the PR.

Step 4: Add the GitHub Actions workflow

Create .github/workflows/claw-verified-pr.yml:

name: Claw Verified PR
on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '22'

      - run: npm ci

      - name: Run Claw Verified PR check
        run: node scripts/protocol/run-claw-verified-pr.mjs
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CLAWPROOF_VERIFY: "1"

The runner script validates commit proof signatures against declared DIDs and checks any proof bundle artifacts present in the PR.

Step 5: Push and verify

Push your branch with the proof artifacts. The GitHub Actions check will:

  • Find proofs/**/commit.sig.json files in the PR diff
  • Verify each signature against the declared DID
  • If proof bundles exist, verify receipt signatures and event chain integrity
  • Report PASS/FAIL with machine-readable reason codes

By default the check is observational (does not block merge). Add the claw-verified label to a PR to enforce it.

What you get

  • Every agent PR carries offline-verifiable authorship proof
  • Proof bundles (if present) are validated against your allowlist
  • GitHub check status visible to reviewers before merge
  • Evidence artifacts stored in the repository itself (not a third-party service)

For the full technical architecture behind these proofs, see the Security Review Pack.

Ready to implement this?

Take the assessment to map your stack, or review the Security Review Pack to prepare your security team.
