Generate a cryptographically attested report of a developer's GitHub or GitLab collaboration activity from API metadata only — works on private repositories, no source code access required.
Runs inside your CI with a narrowly-scoped read-only token. No public exposure ever required.
Reads only API event metadata — pull requests, reviews, and comments. Repository contents are never fetched.
Both report.html and report.pdf are independently attested in CI.
Every metric ships with honest interpretation copy and explicit statements of what it cannot show. No composite score is computed.
| Metric | What it shows |
|---|---|
| Pull requests authored / merged | Shipping cadence |
| Reviews given (approve / changes requested) | Peer review engagement |
| Deep review % (≥ 3 inline comments) | Review depth, not just approval clicks |
| Review comments written / received | Collaboration texture |
| Median time to merge | PR scoping and team review responsiveness |
| Time to first review | How quickly teammates pick up your PRs |
| Rework rate | Share of PRs that required a revision cycle |
| Active days / contribution cadence | Consistency of engagement over the window |
| Monthly trend charts | How contribution patterns evolved over time |
Pin to a tagged version. The Sigstore certificate records the exact producing workflow identity — making the attestation machine-checkable.
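```yaml
jobs:
  coderepute:
    permissions:
      contents: read
      pull-requests: read
      id-token: write      # lets the job request the OIDC token used for Sigstore signing
      attestations: write  # lets the job store the resulting attestations
    uses: grkanitz/CodeRepute/.github/workflows/coderepute-report.yml@v0.1.0
    with:
      repos: your-org/your-repo
      subject: some-username
```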
Cover an entire org: use `org: your-org` instead of `repos:`.
The action builds the CLI from this action's own pinned source, collects API event metadata, and generates the report — entirely within your environment.
report.html (with embedded JSON) and report.pdf are independently signed.
The Sigstore certificate records the exact producing workflow at the exact pinned version.
Share report.html or report.pdf. The footer QR code links to this verify page — recipients can confirm the file has not been altered since the attested CI run.
Wherever your best work is locked in private repositories and you need a trustworthy way to share it.
Most of your best work lives in private repositories. Get a shareable, verifiable record of collaboration activity without exposing any code or repo names.
Request a report as part of a technical screen. The attestation proves the numbers come directly from the platform API and were not edited by the candidate.
Demonstrate code review investment and team impact that doesn't show up in personal commit counts.
Upload report.html or report.pdf to verify it has not been modified since the CI run that produced it.
Verification runs entirely in your browser — no data is sent to any server.
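The two checks a verifier makes on a shared report, as an added example that is not CodeRepute's own code: the file's SHA-256 must match a subject digest in the attestation, and the signer identity must equal the pinned workflow exactly. It assumes the attestation is an in-toto statement in a DSSE envelope and that the identity has the form shown in `EXPECTED_SIGNER`; the helper names and the sample envelope are constructed, and signature and certificate-chain verification are left to a Sigstore verifier and not performed here.

```python
import base64
import hashlib
import json

# Assumption: identity string for the workflow pinned on this page, in the form
# a Sigstore certificate records for GitHub Actions (workflow path @ git ref).
EXPECTED_SIGNER = ("https://github.com/grkanitz/CodeRepute/"
                   ".github/workflows/coderepute-report.yml@refs/tags/v0.1.0")


def statement_from_envelope(envelope: dict) -> dict:
    """Decode the in-toto statement carried in a DSSE envelope."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("not an in-toto DSSE envelope")
    return json.loads(base64.b64decode(envelope["payload"]))


def file_is_attested(data: bytes, envelope: dict) -> bool:
    """True if sha256(data) is one of the statement's subject digests."""
    digest = hashlib.sha256(data).hexdigest()
    subjects = statement_from_envelope(envelope).get("subject", [])
    return any(s.get("digest", {}).get("sha256") == digest for s in subjects)


def signer_is_pinned(cert_identity: str) -> bool:
    """Exact match only: a branch ref or another tag is a different producer."""
    return cert_identity == EXPECTED_SIGNER


def make_envelope(name: str, data: bytes) -> dict:
    """Constructed sample: an unsigned envelope, for demonstration only."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": name,
                         "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
            "predicateType": "https://example.invalid/constructed", "predicate": {}}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json",
            "payload": payload, "signatures": []}


if __name__ == "__main__":
    report = b"<html>constructed report</html>"
    env = make_envelope("report.html", report)
    print(file_is_attested(report, env))         # original bytes
    print(file_is_attested(report + b" ", env))  # one byte appended
    print(signer_is_pinned(EXPECTED_SIGNER.replace("tags/v0.1.0", "heads/main")))
```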