Skip to main content

GitHub Live Validation Evidence Template

Use this template to record evidence artifacts from GitHub post-cloud validation. Fill out each section after completing the corresponding validation step.

Metadata

FieldValue
ProviderGitHub
Validation date<!-- DATE-YYYY-MM-DD -->
Cloud endpoint<!-- CLOUD-ENDPOINT-URL -->
GitHub account<!-- OWNER/REPO -->
GitHub webhook ID<!-- WEBHOOK-ID -->
Validator<!-- NAME -->
Platform version<!-- COMMIT-SHA or VERSION -->
Overall resultPASS / FAIL

Positive Test — Webhook Delivery

CheckResultEvidence ref
Event triggered (dispatch / push)PASS / FAILgithub-post-cloud-YYYYMMDD/delivery-log.json
Delivery status = deliveredPASS / FAILgithub-post-cloud-YYYYMMDD/delivery-log.json
Event type matches triggered eventPASS / FAILgithub-post-cloud-YYYYMMDD/delivery-log.json
Timestamp within 60s of triggerPASS / FAILgithub-post-cloud-YYYYMMDD/delivery-log.json

Signature Validation

CheckResultEvidence ref
X-Hub-Signature-256 header presentPASS / FAILgithub-post-cloud-YYYYMMDD/validation-evidence.json
Platform signature verification = validPASS / FAILgithub-post-cloud-YYYYMMDD/validation-evidence.json
Manual re-verification matchesPASS / FAILgithub-post-cloud-YYYYMMDD/manual-verify-output.json
X-Hub-Request-Id presentPASS / FAILgithub-post-cloud-YYYYMMDD/validation-evidence.json

Negative Tests

TestExpectedActualEvidence ref
Invalid HMAC signature401 / 403<!-- STATUS -->github-post-cloud-YYYYMMDD/negative-invalid-sig.json
Missing X-Hub-Signature-256401<!-- STATUS -->github-post-cloud-YYYYMMDD/negative-missing-sig.json
Missing X-GitHub-Event header400<!-- STATUS -->github-post-cloud-YYYYMMDD/negative-missing-event.json

Artifacts

  • github-post-cloud-YYYYMMDD/delivery-log.json
  • github-post-cloud-YYYYMMDD/validation-evidence.json
  • github-post-cloud-YYYYMMDD/manual-verify-output.json
  • github-post-cloud-YYYYMMDD/negative-invalid-sig.json
  • github-post-cloud-YYYYMMDD/negative-missing-sig.json
  • github-post-cloud-YYYYMMDD/negative-missing-event.json
  • github-post-cloud-YYYYMMDD/README.md (summary)

Claim Guard Check

  • ❌ Does this evidence contain live credentials? YES / NO
  • ❌ Does this evidence claim "live validated" for all providers? YES / NO
  • ❌ Does this evidence claim "GA" or "public launch GO"? YES / NO
  • ❌ Does this evidence claim "Free is evaluation-only"? YES / NO

If any claim guard answer is YES, redact and retract before publication.