Prove when your code existed. One YAML file. Bitcoin-verified.
Every git push → your entire repository is snapshotted, hashed, and anchored to Bitcoin. The proof is independently verifiable by anyone, forever, without trusting Umarise.
push → snapshot → SHA-256 hash → Bitcoin anchor → .proof artifact
Your source code never leaves the runner. Only the hash is sent.
Add one file to your repo: .github/workflows/anchor.yml
name: Anchor to Bitcoin
on:
push:
branches: [main]
jobs:
anchor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Create deterministic snapshot
run: |
tar --sort=name \
--mtime='UTC 1970-01-01' \
--owner=0 --group=0 --numeric-owner \
-cf build.tar .
gzip -n -f build.tar
- name: Anchor to Bitcoin
uses: AnchoringTrust/anchor-action@v1
with:
file: build.tar.gz
env:
UMARISE_API_KEY: ${{ secrets.UMARISE_API_KEY }}That's it. 26 lines. No SDK. No dependency. No code change.
Every push to main now produces a .proof file — uploaded as a GitHub Actions artifact.
On Pull Requests, a comment is automatically posted with the anchor status:
Field Value Hash sha256:a1b2c3...Origin ID f47ac10b-...Status Bitcoin Confirmed
✅ Last tested: April 7, 2026 — 100% working.
| Step | What happens | Where |
|---|---|---|
| 1 | Checks out your repository | Runner |
| 2 | Creates a deterministic tar.gz snapshot | Runner |
| 3 | Computes SHA-256 hash (bytes never leave the runner) | Runner |
| 4 | Sends only the hash to Umarise Core API | API |
| 5 | Hash is anchored to Bitcoin via OpenTimestamps | Bitcoin |
| 6 | Downloads .proof bundle (certificate + OTS proof) |
Runner |
| 7 | Uploads .proof as a build artifact |
GitHub |
Privacy: Your source code never leaves the CI runner. Only a 64-character hash is transmitted.
The tar command uses fixed timestamps, sort order, and ownership to ensure the same code always produces the same hash. Without this, identical code would produce different hashes on different runs.
⚠️ Do not usetar czf build.tar.gz .— this produces non-deterministic archives and inconsistent hashes.
No account needed. No trust required.
pip install umarise
umarise verify build.tar.gz.proof
# ✓ Hash match | Bitcoin Block #939611 | 2026-03-06 | VALIDOr drag-and-drop at verify-anchoring.org.
Or with standard tools:
unzip build.tar.gz.proof
sha256sum build.tar.gz # compare with certificate.json
ots verify proof.ots # verify against Bitcoin| Input | Required | Default | Description |
|---|---|---|---|
file |
✅ | — | Path to the file to anchor |
upload-artifact |
— | true |
Upload .proof as build artifact |
pr-comment |
— | true |
Post anchor summary as a PR comment |
github-token |
— | ${{ github.token }} |
GitHub token for PR comments |
Authentication: Set UMARISE_API_KEY as a repository secret (Settings → Secrets → Actions).
💡 Tip: One key, multiple repos. Your API key is not repo-specific. Use the same key across all your repositories to keep all anchors under one account and avoid wasting your 100 free sandbox anchors.
💡 Tip: PR comments work automatically. The action uses the default
github.token— no extra secrets needed. To disable, setpr-comment: false.
💡 Tip: Naming the workflow file. When creating the file on GitHub (Add file → Create new file), type the full path
.github/workflows/anchor.ymlin the filename field — GitHub creates the folders automatically.
⚠️ Default branch must bemain. The workflow triggers onbranches: [main]. If your repository uses a different default branch name (e.g.master,develop), either rename it (Settings → General → Default branch) or changebranches: [main]in the YAML to match.
| Output | Description |
|---|---|
origin-id |
The origin ID from Umarise |
hash |
SHA-256 hash of the file |
proof-path |
Local path to the .proof file |
status |
Anchor status: confirmed or pending |
| Tier | Price | Includes |
|---|---|---|
| Developer sandbox | Free | 100 anchors, no credit card |
| Production | €1 per 1,000 anchors | Pay-as-you-go via Stripe |
Get your free API key at umarise.com/developers.
Your .proof files are uploaded as GitHub Actions artifacts (90-day retention by default). For long-term storage:
- Commit proofs to your repo in a
proofs/directory — they become part of your git history - Keep the original artifact (build.tar.gz) alongside its
.proof— you need both to verify - Backup to external storage (S3, GCS, etc.) for audit-critical proofs
Code signing proves who. SBOMs prove what. Anchoring proves when.
build → test → deploy → anchor
A .proof file next to a .sig and .sbom completes the audit trail.
- Get an API key at umarise.com/developers (100 free anchors, no credit card)
- Add
UMARISE_API_KEYto your repo secrets (Settings → Secrets → Actions) - Copy the YAML above to
.github/workflows/anchor.yml - Push. Done.
| Symptom | Cause | Fix |
|---|---|---|
Error: UMARISE_API_KEY not set |
Secret name typo or missing | Check Settings → Secrets → Actions. Name must be exactly UMARISE_API_KEY (case-sensitive) |
401 Unauthorized |
Invalid or revoked API key | Generate a new key at umarise.com/developers and update the secret |
402 Credit balance exhausted |
100 free sandbox anchors used up | Upgrade to production (€1/1,000 anchors) at umarise.com/developers |
| Workflow not triggering | Default branch is not main |
Rename branch (Settings → General → Default branch) or change branches: [main] in the YAML |
tar: .: file changed as we read it |
Files modified during snapshot | Safe to ignore — does not affect the hash |
| No artifact uploaded | upload-artifact set to false |
Remove or set upload-artifact: true |
💡 Still stuck? Open an issue at github.com/AnchoringTrust/anchor-action or email support@umarise.com.
- Get API key
- Live case study: 4,000+ anchored artifacts
- Independent verifier
- Open specification
- CLI & Python SDK
- Node.js SDK
Unlicense (Public Domain)