# GitHub Repository Code Signing and Attestation with Post-Quantum Cryptography

> Automate post-quantum code signing and software supply chain attestation for GitHub repositories and release artifacts. This workflow asks the user which GitHub repository, branch, tag, or specific file they want to certify, downloads the content using the GitHub Repo Browser tool, and signs it with the Quantum-Safe File Attestation tool using ML-DSA-65 (Dilithium3) post-quantum digital signatures via a hardware security module. It returns a verifiable attestation package containing a cryptographic manifest, digital signature, and verification bundle with a downloadable certificate link. Use cases include software release signing, open source distribution integrity, SBOM attestation, build artifact certification, code audit compliance evidence, CI/CD pipeline integrity verification, regulatory submission of source code, DevSecOps supply chain security, and tamper-proof repository snapshots for legal or IP protection.

Content type: workflow
Source URL: https://www.agentpmt.com/agent-workflow-skills/github-repository-code-signing-and-attestation-with-post-quantum-cryptography
Markdown URL: https://www.agentpmt.com/api/agent/workflows/github-repository-code-signing-and-attestation-with-post-quantum-cryptography?format=agent-md
Updated: 2026-03-30T03:28:05.835Z
Author: firef1ie

---

Estimated time saved: 20 minutes.

## Tools

- GitHub Repo Browser - Read Only
- Quantum-Safe File Attestation

## Workflow Outline

1. Gather Repository Details: Prompt step.
2. Download from GitHub: Use the repository details gathered from the user. If the user specified a single file path, use the download_to_storage action with the owner, repo, and path. If the user wants t...
3. Prepare Attestation Input: Prompt step.
4. Create Quantum-Safe Attestation: Call the attest_artifact action with the file_id from the previous step. Set the artifact_name to the descriptive name prepared (e.g., 'owner/repo:path'). Include metadata with re...
5. Deliver Certificate to User: Prompt step.

## Frequently Asked Questions

### How do I connect this workflow to my local agent like OpenClaw or Claude Code?

You can install the local MCP server by opening a terminal and running:

```
npm install -g @agentpmt/mcp-router
agentpmt-setup
```

This will connect you to local agents like Claude Code, Windsurf, Grok Build, Cursor, etc.

Alternatively, you can connect to the hosted version with this config block; no installation is required:

```
{
  "mcpServers": {
    "agentpmt": {
      "type": "streamable-http",
      "url": "https://api.agentpmt.com/mcp",
      "headers": {
        "Authorization": "Bearer <AGENTPMT_BEARER_TOKEN>",
        "x-instance-metadata": "{\"client\":\"generic-mcp\",\"platform\":\"remote\"}"
      }
    }
  }
}
```

[View MCP Connection Instructions](/docs/mcp-reference/connection) for more details.

### How do I trigger this workflow?

You can use it here in the browser by clicking the 'Try It' button.

If you 'star' the workflow, it will be saved to your dashboard for quick access.

To use the workflow in an external agent, make sure you have followed the steps to connect the agent to the MCP server, then copy and paste this prompt, or just tell the agent to use the AgentPMT MCP server and this workflow.

> Call the AgentPMT-Workflow-Skills tool with action 'get\_workflow\_skill' and skill\_id 69c9e9c394c1eacb907d4150 ("GitHub Repository Code Signing and Attestation with Post-Quantum Cryptography").