v0.3.0 — provenance mode (typed-authority emit)
First adapter release that emits a typed-authority satsignal.provenance.v1 manifest for Satsignal Phase-4 (2026-05-20) notaries.
Highlights
- New opt-in
provenance: 'true'input. When set, the action wraps the file digest in asatsignal.provenance.v1manifest with the typed-authority block populated from GitHub Actions env, and POSTs to/api/v1/provenance/anchor. - Default is
false— every existing workflow keeps anchoring raw file digests byte-identically. Drop-in upgrade. - The file sha rides as
subject.digestinside the manifest. Bytes never leave the runner. The full canonical manifest ships inside the.mbntbundle and is byte-exactly re-derivable offline.
What the manifest captures
| Manifest field | GH env source |
|---|---|
source |
{type: "github", id: $GITHUB_REPOSITORY} |
subject.digest |
sha256: + sha256(path) |
authority / organization |
github:$GITHUB_REPOSITORY_OWNER |
principal |
github:$GITHUB_ACTOR |
agent |
github-actions/$GITHUB_RUNNER_NAME |
run_scope |
$GITHUB_WORKFLOW_REF (canonical form) + environment: $GITHUB_REF_NAME |
privacy |
{onchain_mode: "hash_only"} |
Empty env vars are omitted — the notary validator rejects empty ids.
First real typed-authority anchor on chain
- txid:
915c86cbfcf9e0b92934870371a84dbfc53edab2e4bec8b9088d48abedfbac7b(block 949976) - manifest_sha256:
b16e65fa5e2b8282c74b0065916f9e7db41145685bf57961362f4d08754fc83e - Confirms canonicalization stability end-to-end: server hash = offline re-derivation = bundle's
proofs.json.manifest_sha256=canonical.json.byte_exact.hash.
Server requirement
Requires Phase-4 (2026-05-20) Satsignal notary or later. Older / self-hosted servers reject manifest.authority etc. as unknown_field. Keep provenance: 'false' (the default) for those targets.
Usage
- uses: Steleet/satsignal-action@v0.3.0
with:
path: ./eval-results.json
folder: ai-evals
provenance: 'true'
api-key: ${{ secrets.SATSIGNAL_API_KEY }}🤖 Generated with Claude Code