Secure answer key - use GitHub Secrets instead of committing

SECURITY FIX: Students would've seen the answer key!

Changes:
- Remove answer_key.json from git tracking
- Add .github/grading/answer_key.json to .gitignore
- Update autograding.yml to read answer key from GitHub Secret
- Create README_INSTRUCTOR.md with setup instructions

How it works now:
1. Instructor runs analysis, gets answers.json
2. Instructor adds answers.json as ANSWER_KEY_JSON GitHub Secret
3. GitHub Actions reads secret (students can't access it!)
4. Grading happens server-side with secret key
5. Students never see the answers

Instructor TODO:
- Run ./run-analysis.sh
- Run python3 answer_assignment.py
- Copy answers.json to GitHub Secret: ANSWER_KEY_JSON
- See .github/grading/README_INSTRUCTOR.md for details

Author: cosmelab

.github/grading/README_INSTRUCTOR.md

@@ -0,0 +1,123 @@
+# Instructor Setup: Automated Grading
+
+## How to Set Up the Answer Key (CRITICAL!)
+
+The answer key is stored as a **GitHub Secret** so students can't see it.
+
+### Step 1: Generate the Answer Key
+
+Run the analysis yourself to get the correct answers:
+
+```bash
+# Run the analysis on the class data
+./run-analysis.sh
+
+# Answer the questions interactively
+python3 answer_assignment.py
+
+# This creates answers.json with the CORRECT answers
+```
+
+### Step 2: Copy the Answer Key JSON
+
+```bash
+# Copy the contents of answers.json
+cat answers.json
+```
+
+**Copy the entire JSON output** (you'll need this in the next step)
+
+### Step 3: Add to GitHub Secrets
+
+**For the Template Repository:**
+
+1. Go to: https://github.com/cosmelab/dna-barcoding-analysis/settings/secrets/actions
+2. Click **"New repository secret"**
+3. Name: `ANSWER_KEY_JSON`
+4. Value: **Paste the entire JSON from answers.json**
+5. Click **"Add secret"**
+
+**For GitHub Classroom (ALL student repos):**
+
+You need to add the secret to EACH student repository, OR use GitHub Classroom's secret sync feature:
+
+1. Go to your GitHub Classroom assignment settings
+2. Under "Secrets", add the secret there
+3. It will sync to all student repositories
+
+**Alternative: Manual per-repo setup**
+
+If you don't use Classroom secrets:
+
+```bash
+# Use GitHub CLI to add secret to all student repos
+gh secret set ANSWER_KEY_JSON --body "$(cat answers.json)" -R cosmelab/dna-barcoding-analysis-STUDENT1
+gh secret set ANSWER_KEY_JSON --body "$(cat answers.json)" -R cosmelab/dna-barcoding-analysis-STUDENT2
+# ... repeat for all students
+```
+
+Or write a script:
+
+```bash
+#!/bin/bash
+ANSWER_KEY=$(cat answers.json)
+
+for repo in $(gh repo list cosmelab --json name -q '.[] | select(.name | startswith("dna-barcoding-analysis-")) | .name'); do
+  echo "Adding secret to $repo..."
+  gh secret set ANSWER_KEY_JSON --body "$ANSWER_KEY" -R cosmelab/$repo
+done
+```
+
+### Step 4: Verify It Works
+
+1. Make a test commit to a student repo
+2. Check the Actions tab
+3. The grading step should run and check answers
+
+## How the Grading Works
+
+1. Student runs `python3 answer_assignment.py` → creates `answers.json`
+2. Student commits and pushes `answers.json`
+3. GitHub Actions workflow runs:
+   - Checks tutorial complete
+   - Checks analysis complete
+   - **Grades answers.json against secret answer key**
+   - Returns feedback and score
+4. Student sees ✅ or ❌ in Actions tab
+
+## Updating the Answer Key
+
+If you need to update the answer key (e.g., fix a typo):
+
+1. Update your local `answers.json`
+2. Copy the new JSON
+3. Go to repository secrets
+4. Edit `ANSWER_KEY_JSON`
+5. Paste the new JSON
+6. Save
+
+The next time students push, they'll be graded against the new key.
+
+## Security
+
+- ✅ Answer key stored as GitHub Secret (encrypted)
+- ✅ Students cannot access secrets
+- ✅ Answer key not in git history
+- ✅ Answer key created in /tmp and deleted after grading
+- ✅ GitHub Classroom can sync secrets to all student repos
+
+## Troubleshooting
+
+**Error: "ANSWER_KEY_JSON secret not found"**
+- Make sure you added the secret to the repository
+- Check the secret name is exactly `ANSWER_KEY_JSON`
+- For Classroom, make sure secret sync is enabled
+
+**Students getting wrong grades**
+- Check your answer key JSON is valid
+- Run the analysis yourself to verify correct answers
+- Look at the Actions log for grading feedback
+
+**Need to disable auto-grading temporarily?**
+- Remove the secret (students will get "answers_graded=false")
+- Or comment out the grading step in `.github/workflows/autograding.yml`

.github/grading/answer_key.json

@@ -148,6 +148,8 @@ jobs:
 
     - name: Grade Assignment Answers
       id: grading
+      env:
+        ANSWER_KEY: ${{ secrets.ANSWER_KEY_JSON }}
       run: |
         echo "Grading assignment answers..."
 
@@ -157,10 +159,16 @@ jobs:
           exit 0
         fi
 
+        # Create answer key from secret
+        echo "$ANSWER_KEY" > /tmp/answer_key.json
+
         # Run grading script
-        python3 .github/grading/grade_answers.py answers.json .github/grading/answer_key.json
+        python3 .github/grading/grade_answers.py answers.json /tmp/answer_key.json
         GRADE_EXIT_CODE=$?
 
+        # Clean up answer key
+        rm /tmp/answer_key.json
+
         if [ $GRADE_EXIT_CODE -eq 0 ]; then
           echo "answers_graded=pass" >> $GITHUB_OUTPUT
         else

.github/workflows/autograding.yml

@@ -5,6 +5,9 @@ results/
 # Student answers - generated by answer_assignment.py
 answers.json
 
+# Answer key - instructors only (NOT for students!)
+.github/grading/answer_key.json
+
 # Instructor-only materials (not for students)
 .instructor/
 architecture.md