
Add Claude Code GitHub Workflow #2

Merged: dpup merged 2 commits into main from add-claude-github-actions-1768267120917 on Jan 13, 2026

Conversation

@dpup (Collaborator) commented Jan 13, 2026

🤖 Installing Claude Code GitHub App

This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.

What is Claude Code?

Claude Code is an AI coding agent that can help with:

  • Bug fixes and improvements
  • Documentation updates
  • Implementing new features
  • Code reviews and suggestions
  • Writing tests
  • And more!

How it works

Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.

Important Notes

  • This workflow won't take effect until this PR is merged
  • @claude mentions won't work until after the merge is complete
  • The workflow runs automatically whenever Claude is mentioned in PR or issue comments
  • Claude gets access to the entire PR or issue context including files, diffs, and previous comments

Security

  • Our Anthropic API key is securely stored as a GitHub Actions secret
  • Only users with write access to the repository can trigger the workflow
  • All Claude runs are stored in the GitHub Actions run history
  • Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits.
  • We can add more allowed tools by adding them to the workflow file like:
      allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)

There's more information in the Claude Code action repo.

After merging this PR, let's try mentioning @claude in a comment on any PR to get started!

@dpup dpup merged commit abf8093 into main Jan 13, 2026
4 checks passed
@dpup dpup deleted the add-claude-github-actions-1768267120917 branch January 13, 2026 02:13
andybons added a commit that referenced this pull request Jan 13, 2026
- Add structured logging for collector errors instead of silent failures
- Rename RekorProofsValid to RekorProofsPresent to clarify verification status
- Update CLI output to indicate Rekor proofs are not verified in offline mode
- Verify no race conditions with -race flag (all tests pass)

Closes review suggestions #1, #2, #3 from PR #3
andybons added a commit that referenced this pull request Jan 13, 2026
…cation (#3)

* docs(plans): add tamper-proof log database design

Design for cryptographically verifiable logging with:
- Hash-chained entries with Merkle tree organization
- Agent isolation via write-only Unix socket
- Tiered attestation (per-entry for critical, batched for console)
- Sigstore/Rekor integration for external anchoring
- CLI, proof bundles, and Go API for verification

* docs(audit): add runtime-aware transport section for agent isolation

Adds detailed transport mechanisms for both Docker (Unix socket) and
Apple containers (TCP + token auth). Documents why different transports
are needed and provides unified interface pattern.

* chore: add .worktrees to gitignore

* docs(audit): add Phase 1 implementation plan for tamper-proof logs

* feat(audit): add Entry type with hash-chain verification

Add the foundational Entry type for tamper-proof logging:
- EntryType constants for console, network, and credential logs
- Entry struct with sequence, timestamp, type, prev hash, data, and hash
- SHA-256 hash computation over all fields (seq, ts, type, prev, data)
- Verify method to check entry integrity
- newEntryWithTimestamp helper for deterministic testing

* fix(audit): improve Entry robustness and clarity

- Add documentation that Data field must be JSON-serializable to avoid
  hash collisions when marshaling fails
- Replace manual sequence encoding with binary.BigEndian.PutUint64()
  for improved clarity and maintainability

* test(audit): add Entry.Verify() tests for tamper detection

* feat(audit): add SQLite-backed Store for tamper-proof logs

Implements Store with SQLite persistence for hash-chained log entries.
The Store maintains chain state (lastSeq, lastHash) in memory and uses
a mutex for thread safety. Schema stores entries with sequence as
primary key and hash as unique constraint.

* fix(audit): address code review issues for Store

- Add comment for blank import of modernc.org/sqlite driver
- Fix ignored errors in TestStore_Append_ChainedEntries
- Add TestStore_PersistenceAcrossReopen to verify hash chain
  continuity after closing and reopening the store

* feat(audit): add Store query methods Get, Count, and Range

* fix(audit): address code review issues for Store query methods

- Change Count() to return (uint64, error) for consistency with other methods
- Add comments explaining why time.Parse and json.Unmarshal errors are
  safe to ignore in scan helpers (data format controlled by Append)

* feat(audit): add VerifyChain for tamper detection

* fix(audit): improve VerifyChain test assertions

* feat(audit): add Collector with Unix socket transport

* fix(audit): handle errors in Collector for tamper-proof integrity

* feat(audit): add TCP transport with token authentication

* fix(audit): add read deadline for TCP auth to prevent slow-loris

* feat(audit): add typed entry helpers for console, network, credential

* fix(audit): add field assertions to AppendCredential test

* test(audit): add integration test for full workflow

* fix(audit): check errors in integration test for Go idioms

* chore(audit): address linter feedback

* fix(proxy): use constant-time comparison for token authentication

Use crypto/subtle.ConstantTimeCompare instead of == for auth token
comparison to prevent timing attacks. While practical exploitation
over HTTP is unlikely for 256-bit tokens due to network jitter,
constant-time comparison is a security best practice that eliminates
the theoretical risk entirely.

* feat(audit): add MerkleNode type with leaf hash computation

* feat(audit): add internal node hash computation with domain separation

* feat(audit): add MerkleTree with BuildFromEntries

* feat(audit): add inclusion proof generation

* feat(audit): add inclusion proof verification

* feat(audit): add MerkleRoot storage and persistence

* feat(audit): add ProveEntry for generating inclusion proofs

* test(audit): add Merkle proof integration test

* feat(audit): add Signer type with Ed25519 key generation

* feat(audit): add Sign and Verify methods to Signer

* feat(audit): add Attestation type with storage

* feat(audit): add Auditor type for verification

* feat(cli): add agent audit command

* fix(cli): handle UserHomeDir error and use proper error return

* test(audit): add audit workflow integration test

* chore(audit): address linter feedback for Phase 3

* build(deps): add sigstore-go for Rekor integration

* feat(audit): add RekorClient wrapper

* feat(audit): add RekorProof type and Upload method signature

* feat(audit): add Rekor proof storage

* feat(audit): add Rekor proof count to Auditor verification

* feat(cli): show Rekor proof status in audit output

* test(audit): add Rekor workflow integration test

* fix(audit): check json.Unmarshal error in LoadRekorProofs

* feat(audit): add ProofBundle type

* feat(audit): add Store.Export() for proof bundles

* feat(audit): add ProofBundle.Verify() for offline verification

* test(audit): add JSON round-trip test for ProofBundle

* feat(cli): add --export flag to audit command

* feat(cli): add verify-bundle command for offline verification

* feat(audit): add ExportWithProofs() for selective inclusion proofs

* test(audit): add bundle workflow integration test

* chore(audit): address linter feedback for Phase 5

* fix(audit): preserve canonical JSON for hash verification across round-trips

The hash chain verification was failing after database round-trips because:
- Struct types marshal JSON fields in definition order
- map[string]any types marshal JSON keys in sorted order

After loading from DB, Data becomes map[string]any, producing different JSON
and thus different hashes.

Fix: Store the original JSON in Entry.dataJSON and use it for hash computation.
This ensures verification works correctly regardless of how Data is represented
in memory.

Also adds E2E demo test showing the full tamper-proof workflow.

* docs(audit): add tamper-proof audit logging documentation

- Add audit/ package to CLAUDE.md architecture section
- Add Audit Logging flow to Key Flows section
- Add agent audit and verify-bundle commands to README
- Add Tamper-Proof Audit Logging section explaining verification

* fix(audit): address PR review feedback

- Add structured logging for collector errors instead of silent failures
- Rename RekorProofsValid to RekorProofsPresent to clarify verification status
- Update CLI output to indicate Rekor proofs are not verified in offline mode
- Verify no race conditions with -race flag (all tests pass)

Closes review suggestions #1, #2, #3 from PR #3

* docs(audit): update CLI output examples to match actual format

* style(audit): fix struct field alignment
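The hash-chained Entry described in the commit message above (the feat(audit) Entry type with SHA-256 over seq, ts, type, prev and data, and the fix(audit) change that keeps the original JSON for hash verification across round-trips), as an added Go example that is not the project's own code. The field names, the LoadEntry helper standing in for a store read, and the RFC3339Nano timestamp encoding are assumptions; the point it shows is that hashing the stored JSON bytes rather than a re-marshaled Data value keeps verification stable after Data comes back as a key-sorted map.

```go
package main
import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"time"
)
// Entry is one hash-chained record; DataJSON keeps the bytes hashed at append time so a key-sorted map after a DB round-trip cannot change the hash.
type Entry struct {
	Seq       uint64
	Timestamp time.Time
	Type      string
	PrevHash  []byte
	Data      any
	DataJSON  []byte
	Hash      []byte
}
// NewEntry chains a record after prev (nil for the first entry).
func NewEntry(prev *Entry, ts time.Time, typ string, data any) (*Entry, error) {
	raw, err := json.Marshal(data)
	if err != nil {
		return nil, err
	}
	e := &Entry{Timestamp: ts.UTC(), Type: typ, Data: data, DataJSON: raw}
	if prev != nil {
		e.Seq, e.PrevHash = prev.Seq+1, prev.Hash
	}
	e.Hash = e.computeHash()
	return e, nil
}
// LoadEntry rebuilds an entry from stored columns, as a store read would; Data becomes a map.
func LoadEntry(seq uint64, ts time.Time, typ string, prev, raw, hash []byte) *Entry {
	var m map[string]any
	_ = json.Unmarshal(raw, &m) // raw came from NewEntry, so it is valid JSON
	return &Entry{Seq: seq, Timestamp: ts, Type: typ, PrevHash: prev, Data: m, DataJSON: raw, Hash: hash}
}
// computeHash is SHA-256 over seq (big-endian), ts, type, prev and the original data JSON.
func (e *Entry) computeHash() []byte {
	h, seq := sha256.New(), make([]byte, 8)
	binary.BigEndian.PutUint64(seq, e.Seq)
	for _, f := range [][]byte{seq, []byte(e.Timestamp.Format(time.RFC3339Nano)), []byte(e.Type), e.PrevHash, e.DataJSON} {
		h.Write(f) // plain concatenation; a per-field length prefix would make the encoding unambiguous
	}
	return h.Sum(nil)
}
// Verify recomputes the hash and, when prev is given, checks the sequence and prev-hash link.
func (e *Entry) Verify(prev *Entry) bool {
	return bytes.Equal(e.Hash, e.computeHash()) && (prev == nil || (e.Seq == prev.Seq+1 && bytes.Equal(e.PrevHash, prev.Hash)))
}
```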