Reference
GitHub Action Reference
The Sigillum GitHub Action is a first-party hosted PR check that uses the same live quote, x402 payment, inspect, and receipt path as the CLI and dashboard.
Workflow options
Downstream repositories can either call the reusable workflow or use the direct action. The reusable workflow is the cleanest adoption path when you want less YAML drift.
Direct action usage
uses: Devendurance/sigillum/.github/actions/sigillum-pr-check@main
with:
github_token: ${{ github.token }}
comment_mode: sticky
fail_on_warn: "false"
max_risk_score: "85"
max_allowed_recommendation: warn
max_quote_amount_usdc: "0.000500"
save_receipt_json: true
env:
X402_BUYER_PRIVATE_KEY: ${{ secrets.X402_BUYER_PRIVATE_KEY }}
X402_NETWORK: arcTestnet
X402_RPC_URL: ${{ secrets.X402_RPC_URL }}Required secrets and permissions
The maintainer should treat buyer payment credentials as CI secrets only. Sticky PR comments also need the correct GitHub write scopes. If you are brand new to this, add the secrets first before expecting the workflow to pass.
- X402_BUYER_PRIVATE_KEY
- X402_RPC_URL
- X402_NETWORK=arcTestnet
- contents: read
- pull-requests: write
- issues: write when sticky comments are enabled
Expected outputs
A healthy run should always return proof artifacts, not just a green check.
- receipt_id
- receipt_url
- recommendation
- risk_score
- agent_decision
- payment_reference
- paid_amount_usdc