jaegertracing · Sapthagiri777 · Feb 4, 2026 · Feb 4, 2026 · Feb 5, 2026 · Feb 6, 2026
@@ -0,0 +1,204 @@
+# Copyright (c) 2026 The Jaeger Authors.
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow verifies that contributors have run tests locally.
+# It uses pull_request_target to run for PRs from forks.
+# New contributors must provide a Test-Gist proving tests were run.
+#
+# Note: Only the HEAD commit is checked. If a PR has multiple commits,
+# only the latest commit needs the trailers.
+
+name: Verify PR
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+
+# Explicit permissions for security with pull_request_target
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
-    steps:
+    steps:
+      - name: Harden GitHub Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
-    steps:
+    steps:
+      - name: Harden GitHub Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - name: Harden GitHub Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Checkout PR head
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 1
+
+      - name: Get author association
+        id: author
+        run: |
+          ASSOCIATION="${{ github.event.pull_request.author_association }}"
+          echo "association=$ASSOCIATION" >> $GITHUB_OUTPUT
+
+          # Trusted contributors: OWNER, MEMBER, COLLABORATOR
+          # Note: CONTRIBUTOR (people with previously merged PRs but not members)
+          # are still required to provide Test-Gist proof.
+          if [[ "$ASSOCIATION" == "OWNER" || "$ASSOCIATION" == "MEMBER" || "$ASSOCIATION" == "COLLABORATOR" ]]; then
+            echo "trusted=true" >> $GITHUB_OUTPUT
+          else
+            echo "trusted=false" >> $GITHUB_OUTPUT
+          fi
+
+          echo "Author association: $ASSOCIATION"
+
+      - name: Check for Tested-By trailer
+        id: tested-by
+        run: |
+          COMMIT_MSG=$(git log -1 --pretty=%B)
+          echo "Commit message:"
+          echo "$COMMIT_MSG"
+          echo "---"
+
+          if echo "$COMMIT_MSG" | grep -q "Tested-By:"; then
-          if echo "$COMMIT_MSG" | grep -q "Tested-By:"; then
+          TRAILERS=$(printf '%s\n' "$COMMIT_MSG" | git interpret-trailers --parse)
+          echo "Parsed trailers:"
+          echo "$TRAILERS"
+          echo "---"
+          
+          if echo "$TRAILERS" | grep -qE '^Tested-By:[[:space:]]*'; then
-          if echo "$COMMIT_MSG" | grep -q "Tested-By:"; then
+          TRAILERS=$(printf '%s\n' "$COMMIT_MSG" | git interpret-trailers --parse)
+          echo "Parsed trailers:"
+          echo "$TRAILERS"
+          echo "---"
+          
+          if echo "$TRAILERS" | grep -qE '^Tested-By:[[:space:]]*'; then
+            echo "✅ Found Tested-By trailer"
+            echo "found=true" >> $GITHUB_OUTPUT
+          else
+            echo "❌ Missing Tested-By trailer"
-          if echo "$COMMIT_MSG" | grep -q "Tested-By:"; then
-            echo "✅ Found Tested-By trailer"
-            echo "found=true" >> $GITHUB_OUTPUT
-          else
-            echo "❌ Missing Tested-By trailer"
+          # Require a properly formatted Tested-By trailer: Tested-By: Name <email>
+          if echo "$COMMIT_MSG" | grep -Eq '^Tested-By: .+ <.+@.+>$'; then
+            echo "✅ Found Tested-By trailer with valid format"
+            echo "found=true" >> $GITHUB_OUTPUT
+          else
+            echo "❌ Missing or malformed Tested-By trailer (expected: Tested-By: Name <email>)"
-          if echo "$COMMIT_MSG" | grep -q "Tested-By:"; then
-            echo "✅ Found Tested-By trailer"
-            echo "found=true" >> $GITHUB_OUTPUT
-          else
-            echo "❌ Missing Tested-By trailer"
+          # Require a properly formatted Tested-By trailer: Tested-By: Name <email>
+          if echo "$COMMIT_MSG" | grep -Eq '^Tested-By: .+ <.+@.+>$'; then
+            echo "✅ Found Tested-By trailer with valid format"
+            echo "found=true" >> $GITHUB_OUTPUT
+          else
+            echo "❌ Missing or malformed Tested-By trailer (expected: Tested-By: Name <email>)"
+            echo "found=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for Test-Gist trailer (new contributors only)
+        id: test-gist
+        if: steps.author.outputs.trusted == 'false'
+        run: |
+          COMMIT_MSG=$(git log -1 --pretty=%B)
+          # Use tree SHA - it represents the code content and doesn't change with commit amend
+          PR_TREE_SHA=$(git rev-parse HEAD^{tree})
+
+          # Extract Test-Gist URL
+          GIST_URL=$(echo "$COMMIT_MSG" | grep "Test-Gist:" | awk '{print $2}' | head -1)
+
+          if [ -z "$GIST_URL" ]; then
+            echo "❌ Missing Test-Gist trailer. New contributors must run 'make verify-with-proof' before pushing."
+            echo "valid=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+
+          echo "Found Test-Gist URL: $GIST_URL"
+
+          # Extract Gist ID from URL (handles both 20 and 32 character IDs)
+          GIST_ID=$(echo "$GIST_URL" | grep -oE '[0-9a-f]{20,32}' | tail -1)
+
+          if [ -z "$GIST_ID" ]; then
+            echo "❌ Could not extract Gist ID from URL: $GIST_URL"
+            echo "valid=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+
+          echo "Gist ID: $GIST_ID"
+
-          
+          
+          # Ensure jq is available before attempting to parse the GitHub API response
+          if ! command -v jq >/dev/null 2>&1; then
+            echo "❌ 'jq' is required but not installed on this runner."
+            echo "   Please ensure the runner environment includes 'jq' (e.g., install it before running this workflow)."
+            echo "valid=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+          
-          
+          
+          # Ensure jq is available before attempting to parse the GitHub API response
+          if ! command -v jq >/dev/null 2>&1; then
+            echo "❌ 'jq' is required but not installed on this runner."
+            echo "   Please ensure the runner environment includes 'jq' (e.g., install it before running this workflow)."
+            echo "valid=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+          
+          # Fetch Gist content securely using GitHub API (not user-provided URL)
+          GIST_CONTENT=$(curl -s "https://api.github.com/gists/$GIST_ID" | jq -r '.files | to_entries[0].value.content // empty')
+
-          GIST_CONTENT=$(curl -s "https://api.github.com/gists/$GIST_ID" | jq -r '.files | to_entries[0].value.content // empty')
-          
+          GIST_API_URL="https://api.github.com/gists/$GIST_ID"
+          GIST_RESPONSE_FILE="$(mktemp)"
+          HTTP_STATUS=$(curl -sS -w "%{http_code}" -o "$GIST_RESPONSE_FILE" "$GIST_API_URL")
+          
+          if [ "$HTTP_STATUS" -eq 404 ]; then
+            echo "❌ Gist not found for ID: $GIST_ID (HTTP 404)"
+            echo "valid=false" >> $GITHUB_OUTPUT
+            rm -f "$GIST_RESPONSE_FILE"
+            exit 1
+          elif [ "$HTTP_STATUS" -ge 400 ]; then
+            echo "❌ GitHub API error while fetching Gist ID: $GIST_ID (HTTP $HTTP_STATUS)"
+            echo "valid=false" >> $GITHUB_OUTPUT
+            rm -f "$GIST_RESPONSE_FILE"
+            exit 1
+          fi
+          
+          GIST_CONTENT=$(jq -r '.files | to_entries[0].value.content // empty' "$GIST_RESPONSE_FILE")
+          rm -f "$GIST_RESPONSE_FILE"
+          
-          GIST_CONTENT=$(curl -s "https://api.github.com/gists/$GIST_ID" | jq -r '.files | to_entries[0].value.content // empty')
-          
+          GIST_API_URL="https://api.github.com/gists/$GIST_ID"
+          GIST_RESPONSE_FILE="$(mktemp)"
+          HTTP_STATUS=$(curl -sS -w "%{http_code}" -o "$GIST_RESPONSE_FILE" "$GIST_API_URL")
+          
+          if [ "$HTTP_STATUS" -eq 404 ]; then
+            echo "❌ Gist not found for ID: $GIST_ID (HTTP 404)"
+            echo "valid=false" >> $GITHUB_OUTPUT
+            rm -f "$GIST_RESPONSE_FILE"
+            exit 1
+          elif [ "$HTTP_STATUS" -ge 400 ]; then
+            echo "❌ GitHub API error while fetching Gist ID: $GIST_ID (HTTP $HTTP_STATUS)"
+            echo "valid=false" >> $GITHUB_OUTPUT
+            rm -f "$GIST_RESPONSE_FILE"
+            exit 1
+          fi
+          
+          GIST_CONTENT=$(jq -r '.files | to_entries[0].value.content // empty' "$GIST_RESPONSE_FILE")
+          rm -f "$GIST_RESPONSE_FILE"
+          
+          if [ -z "$GIST_CONTENT" ]; then
+            echo "❌ Could not fetch Gist content for ID: $GIST_ID"
+            echo "valid=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+
+          # Extract tree SHA from Gist content (first line should be "Tree SHA: <sha>")
+          GIST_TREE_SHA=$(echo "$GIST_CONTENT" | grep -oE "Tree SHA: [0-9a-f]{40}" | head -1 | awk '{print $3}')
+
+          if [ -z "$GIST_TREE_SHA" ]; then
+            echo "❌ Could not find tree SHA in Gist content."
+            echo "   This may be an older format Gist. Checking for commit SHA..."
+
+            # Fallback: check for old "Commit SHA:" format
+            GIST_COMMIT_SHA=$(echo "$GIST_CONTENT" | grep -oE "Commit SHA: [0-9a-f]{40}" | head -1 | awk '{print $3}')
+            if [ -n "$GIST_COMMIT_SHA" ]; then
+              echo "   Found old format with Commit SHA: $GIST_COMMIT_SHA"
+              echo "   Note: Old format cannot be verified against tree SHA and is no longer accepted."
+            fi
+
+            echo "❌ Cannot verify SHA match. Failing verification."
+            echo "   Please re-run 'make verify-with-proof' to generate a Gist that includes the Tree SHA line."
+            echo "valid=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+
+          echo "Gist Tree SHA: $GIST_TREE_SHA"
+          echo "PR Tree SHA: $PR_TREE_SHA"
+
+          if [ "$GIST_TREE_SHA" != "$PR_TREE_SHA" ]; then
+            echo ""
+            echo "❌ FAILED: Gist tree SHA does not match PR tree SHA."
+            echo "   This means your code changed after running 'make verify-with-proof'."
+            echo "   Please re-run 'make verify-with-proof' and push again."
+            echo "valid=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+
+          echo "✅ Gist tree SHA matches PR tree SHA"
+          echo "✅ Test-Gist trailer found and validated"
+          echo "valid=true" >> $GITHUB_OUTPUT
+
+      - name: Set default test-gist output for trusted contributors
+        id: test-gist-default
+        if: steps.author.outputs.trusted == 'true'
+        run: |
+          echo "Trusted contributor - Test-Gist not required"
+          echo "valid=not-required" >> $GITHUB_OUTPUT
+
+      - name: Verify results
+        run: |
+          TRUSTED="${{ steps.author.outputs.trusted }}"
+          TESTED_BY="${{ steps.tested-by.outputs.found }}"
+          TEST_GIST="${{ steps.test-gist.outputs.valid }}"
+          TEST_GIST_DEFAULT="${{ steps.test-gist-default.outputs.valid }}"
+
+          # Use default value for trusted contributors
+          if [ "$TRUSTED" == "true" ]; then
+            TEST_GIST="$TEST_GIST_DEFAULT"
-          # Use default value for trusted contributors
-          if [ "$TRUSTED" == "true" ]; then
-            TEST_GIST="$TEST_GIST_DEFAULT"
+          # Use default value for trusted contributors, with a defensive fallback
+          if [ "$TRUSTED" == "true" ]; then
+            if [ -z "$TEST_GIST_DEFAULT" ]; then
+              # In case the default step did not run or did not set an output
+              TEST_GIST="not-required"
+            else
+              TEST_GIST="$TEST_GIST_DEFAULT"
+            fi
-          # Use default value for trusted contributors
-          if [ "$TRUSTED" == "true" ]; then
-            TEST_GIST="$TEST_GIST_DEFAULT"
+          # Use default value for trusted contributors, with a defensive fallback
+          if [ "$TRUSTED" == "true" ]; then
+            if [ -z "$TEST_GIST_DEFAULT" ]; then
+              # In case the default step did not run or did not set an output
+              TEST_GIST="not-required"
+            else
+              TEST_GIST="$TEST_GIST_DEFAULT"
+            fi
+          fi
+
+          echo "========================================"
+          echo "Verification Summary"
+          echo "========================================"
+          echo "Author association: ${{ steps.author.outputs.association }}"
+          echo "Trusted contributor: $TRUSTED"
+          echo "Tested-By found: $TESTED_BY"
+
+          if [ "$TRUSTED" == "false" ]; then
+            echo "Test-Gist valid: $TEST_GIST"
+          else
+            echo "Test-Gist: not required (trusted contributor)"
+          fi
+          echo "========================================"
+
+          # Check Tested-By for everyone
+          if [ "$TESTED_BY" != "true" ]; then
+            echo ""
+            echo "❌ FAILED: Missing Tested-By trailer in commit message."
+            echo ""
+            echo "Please run 'make verify-with-proof' before pushing your changes."
+            echo "This will run tests and add the required trailers to your commit."
+            echo ""
+            exit 1
+          fi
+
+          # Check Test-Gist for new contributors only
+          if [ "$TRUSTED" == "false" ] && [ "$TEST_GIST" != "true" ]; then
+            echo ""
+            echo "❌ FAILED: New contributors must provide a valid Test-Gist."
+            echo ""
+            echo "Please run 'make verify-with-proof' before pushing your changes."
+            echo "This will:"
+            echo "  1. Run lint and tests"
+            echo "  2. Upload test logs to a Gist"
+            echo "  3. Add Tested-By and Test-Gist trailers to your commit"
+            echo ""
+            exit 1
+          fi
+
+          echo ""
+          echo "✅ All verification checks passed!"
@@ -127,6 +127,44 @@ This policy exists to:
 - PRs that look like low-effort AI slop will be closed.
 - Repeated violators may be banned from the project.
 
+
+
+### Verification Workflow
+
+To ensure contributors have actually run tests locally, we use a verification system.
+
+**Prerequisites:**
+- [GitHub CLI (`gh`)](https://cli.github.com/) installed and authenticated
+- At least one commit on your branch
- At least one commit on your branch
+- At least one commit on your branch
+- A clean working tree (all changes you want verified are staged and committed)
- At least one commit on your branch
+- At least one commit on your branch
+- A clean working tree (all changes you want verified are staged and committed)
+
+**For all contributors:**
+- Your commit must include a `Tested-By:` trailer showing you ran tests.
+
+**For non-trusted contributors (not OWNER/MEMBER/COLLABORATOR):**
+- You must also include a `Test-Gist:` trailer with a link to your test logs.
+- The Gist contains your commit SHA, proving the tests were run on that specific commit.
+- This proves you actually ran tests, not just copied a line.
+
+**How to do this:**
+
+Before pushing your PR, run:
+```bash
+make verify-with-proof
+```
+
+This command will:
+1. Run lint and tests locally (fails if tests fail).
+2. Upload your test logs to a GitHub Gist (includes commit SHA).
+3. Add `Tested-By:` and `Test-Gist:` trailers to your commit.
+
+Then push with:
+```bash
+git push --force-with-lease
+```
+
+**Important:** If you modify your code after running `make verify-with-proof`, you must run it again. The CI will attempt to verify that the Gist's tree SHA matches your PR.
+
+
 ## Pull Request Limits for New Contributors
 
 To ensure high-quality code reviews and long-term codebase stability, we limit the number of simultaneous open PRs for new contributors.

@@ -253,3 +253,61 @@ repro-check:
 	$(MAKE) clean
 	$(MAKE) build-all-platforms
 	shasum -b -a 256 --strict --check ./sha256sum.combined.txt
+
+
+
-
-
+# Test with log capture - runs tests once and captures output
+# Fails if tests fail (no masking with || true)
+.PHONY: test-with-log
+test-with-log:
+	@echo "Running tests and capturing logs..."
+	@$(MAKE) test 2>&1 | tee test.log; \
+	EXIT_CODE=$${PIPESTATUS[0]}; \
+	if [ $$EXIT_CODE -ne 0 ]; then \
+		echo "❌ Tests failed. See test.log for details."; \
+		exit $$EXIT_CODE; \
+	fi; \
-	@$(MAKE) test 2>&1 | tee test.log; \
-	EXIT_CODE=$${PIPESTATUS[0]}; \
-	if [ $$EXIT_CODE -ne 0 ]; then \
-		echo "❌ Tests failed. See test.log for details."; \
-		exit $$EXIT_CODE; \
-	fi; \
+	@set -o pipefail; \
+	$(MAKE) test 2>&1 | tee test.log; \
+	TEST_EXIT_CODE=$${PIPESTATUS[0]}; \
+	TEE_EXIT_CODE=$${PIPESTATUS[1]}; \
+	if [ $$TEST_EXIT_CODE -ne 0 ]; then \
+		echo "❌ Tests failed. See test.log for details."; \
+		exit $$TEST_EXIT_CODE; \
+	fi; \
+	if [ $$TEE_EXIT_CODE -ne 0 ]; then \
+		echo "❌ Log capture failed (tee exited with $$TEE_EXIT_CODE). Test results may not be fully recorded."; \
+		exit $$TEE_EXIT_CODE; \
+	fi; \
-	@$(MAKE) test 2>&1 | tee test.log; \
-	EXIT_CODE=$${PIPESTATUS[0]}; \
-	if [ $$EXIT_CODE -ne 0 ]; then \
-		echo "❌ Tests failed. See test.log for details."; \
-		exit $$EXIT_CODE; \
-	fi; \
+	@set -o pipefail; \
+	$(MAKE) test 2>&1 | tee test.log; \
+	TEST_EXIT_CODE=$${PIPESTATUS[0]}; \
+	TEE_EXIT_CODE=$${PIPESTATUS[1]}; \
+	if [ $$TEST_EXIT_CODE -ne 0 ]; then \
+		echo "❌ Tests failed. See test.log for details."; \
+		exit $$TEST_EXIT_CODE; \
+	fi; \
+	if [ $$TEE_EXIT_CODE -ne 0 ]; then \
+		echo "❌ Log capture failed (tee exited with $$TEE_EXIT_CODE). Test results may not be fully recorded."; \
+		exit $$TEE_EXIT_CODE; \
+	fi; \
+	echo "✅ Tests passed."
+
+# Verify PR with proof for AI policy compliance
+# This target runs lint and tests, uploads logs to a Gist, and adds trailers to the commit.
+# Required for new contributors to prove tests were actually run locally.
+#
+# Prerequisites:
+#   - GitHub CLI (gh) installed and authenticated: https://cli.github.com/
+#   - At least one commit on your branch
+.PHONY: verify-with-proof
+verify-with-proof: lint test-with-log
+	@# Check that gh CLI is available
+	@if ! command -v gh >/dev/null 2>&1; then \
+		echo "❌ GitHub CLI (gh) not found. Install from: https://cli.github.com/"; \
-		echo "❌ GitHub CLI (gh) not found. Install from: https://cli.github.com/"; \
+		echo "❌ GitHub CLI (gh) not found. Install from: https://cli.github.com/"; \
+		echo "   After installing, run 'gh auth login' to authenticate."; \
-		echo "❌ GitHub CLI (gh) not found. Install from: https://cli.github.com/"; \
+		echo "❌ GitHub CLI (gh) not found. Install from: https://cli.github.com/"; \
+		echo "   After installing, run 'gh auth login' to authenticate."; \
+		exit 1; \
+	fi
+	@# Check that there's a commit to amend
+	@if ! git rev-parse --verify HEAD >/dev/null 2>&1; then \
+		echo "❌ No commit to amend. Please commit your changes first, then run 'make verify-with-proof'."; \
+		exit 1; \
+	fi
+	@echo "✅ Lint and tests passed. Uploading proof to Gist..."
+	@# Use tree SHA - it represents the code content and doesn't change when amending commit message
+	@TREE_SHA=$$(git rev-parse HEAD^{tree}); \
+	echo "Tree SHA: $$TREE_SHA" > test.log.tmp; \
+	echo "---" >> test.log.tmp; \
+	cat test.log >> test.log.tmp; \
+	mv test.log.tmp test.log; \
+	GIST_URL=$$(gh gist create test.log -d "Test logs for Jaeger tree $$TREE_SHA" --public); \
-	GIST_URL=$$(gh gist create test.log -d "Test logs for Jaeger tree $$TREE_SHA" --public); \
+	GIST_URL=$$(gh gist create test.log -d "Test logs for Jaeger tree $$TREE_SHA"); \
-	GIST_URL=$$(gh gist create test.log -d "Test logs for Jaeger tree $$TREE_SHA" --public); \
+	GIST_URL=$$(gh gist create test.log -d "Test logs for Jaeger tree $$TREE_SHA"); \
+	if [ -z "$$GIST_URL" ]; then \
+		echo "❌ Failed to create Gist. Make sure 'gh' CLI is authenticated."; \
+		echo "   test.log kept for manual inspection."; \
+		exit 1; \
+	fi; \
+	NAME=$$(git config user.name); \
+	EMAIL=$$(git config user.email); \
-	EMAIL=$$(git config user.email); \
+	EMAIL=$$(git config user.email); \
+	if [ -z "$$NAME" ]; then \
+		echo "❌ git config user.name is not set or empty. Please configure it before running 'make verify-with-proof'."; \
+		exit 1; \
+	fi; \
+	if [ -z "$$EMAIL" ]; then \
+		echo "❌ git config user.email is not set or empty. Please configure it before running 'make verify-with-proof'."; \
+		exit 1; \
+	fi; \
+	if ! echo "$$EMAIL" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+'; then \
+		echo "❌ git config user.email ('$$EMAIL') does not look like a valid email address."; \
+		echo "   Please set a valid email before running 'make verify-with-proof'."; \
+		exit 1; \
+	fi; \
-	EMAIL=$$(git config user.email); \
+	EMAIL=$$(git config user.email); \
+	if [ -z "$$NAME" ] || [ -z "$$EMAIL" ]; then \
+		echo "❌ Git user.name and/or user.email are not set."; \
+		echo "   Please configure your git identity, for example:"; \
+		echo "     git config --global user.name \"Your Name\""; \
+		echo "     git config --global user.email \"you@example.com\""; \
+		echo "   Then re-run: make verify-with-proof"; \
+		exit 1; \
+	fi; \
-	EMAIL=$$(git config user.email); \
+	EMAIL=$$(git config user.email); \
+	if [ -z "$$NAME" ]; then \
+		echo "❌ git config user.name is not set or empty. Please configure it before running 'make verify-with-proof'."; \
+		exit 1; \
+	fi; \
+	if [ -z "$$EMAIL" ]; then \
+		echo "❌ git config user.email is not set or empty. Please configure it before running 'make verify-with-proof'."; \
+		exit 1; \
+	fi; \
+	if ! echo "$$EMAIL" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+'; then \
+		echo "❌ git config user.email ('$$EMAIL') does not look like a valid email address."; \
+		echo "   Please set a valid email before running 'make verify-with-proof'."; \
+		exit 1; \
+	fi; \
-	EMAIL=$$(git config user.email); \
+	EMAIL=$$(git config user.email); \
+	if [ -z "$$NAME" ] || [ -z "$$EMAIL" ]; then \
+		echo "❌ Git user.name and/or user.email are not set."; \
+		echo "   Please configure your git identity, for example:"; \
+		echo "     git config --global user.name \"Your Name\""; \
+		echo "     git config --global user.email \"you@example.com\""; \
+		echo "   Then re-run: make verify-with-proof"; \
+		exit 1; \
+	fi; \
+	git commit --amend --no-edit \
+		--trailer "Tested-By: $$NAME <$$EMAIL>" \
+		--trailer "Test-Gist: $$GIST_URL"; \
+	rm -f test.log; \
+	echo "✅ Commit amended with Tested-By and Test-Gist trailers."; \
+	echo "   Gist URL: $$GIST_URL"; \
+	echo ""; \
+	echo "Now run: git push --force-with-lease"