GitHub Required Checks and CI CD Enforcement
CAVRA can run as a required branch-protection or build-validation check so AI-assisted changes cannot merge without policy validation, evidence verification, and PR attestation verification.
The repository workflow .github/workflows/cavra-governance.yml is now structured as a required-check candidate:
- Check name: cavra-required-check
- Trigger: pull requests and manual workflow dispatch
- Controls: policy-pack validation, CAVRA policy inventory, Ruff linting, pytest, evidence bundle generation, evidence verification, PR attestation verification, and evidence artifact upload
- Artifact: cavra-required-check-evidence
To enforce it on main, add cavra-required-check to required status checks in GitHub branch protection.
For AI coding agents, this check is part of the anti-bypass model documented in AI-Agent-Enforcement-And-Anti-Bypass-Model.md. Agent prompts and local wrappers are not enough; protected branches and required checks must reject work that lacks CAVRA evidence.
Run cavra agent enforcement-readiness --json to inspect whether the repository has the expected CAVRA enforcement files and exported platform controls.
- Go to repository settings.
- Open Branches.
- Edit the main branch protection rule.
- Enable Require status checks to pass before merging.
- Select cavra-required-check.
- Keep required review, stale review dismissal, conversation resolution, and force-push protection enabled.
For production evidence signatures, add CAVRA_EVIDENCE_SIGNING_KEY as a GitHub Actions secret. Without the secret, the sample workflow uses a deterministic demo HMAC key so template validation still works in local and open-source demonstration repositories.
Copy one of these templates into downstream repositories:
- examples/github-actions/cavra-required-check.yml: starter GitHub required check that validates a policy pack, creates evidence if none exists, verifies the bundle, verifies PR attestation, and uploads evidence.
- examples/github-actions/cavra-aispm-review-packet-validation.yml: AISPM replay-to-policy review packet gate that validates cavra-replay-policy-review-packet.json, uploads validation reports, and fails closed when replay-derived policy or fixture changes lack a packet.
- examples/github-actions/cavra-enterprise-enforcement.yml: stricter GitHub workflow for signed policy packs, trust-root evidence verification, key IDs, retention minimums, and artifact enforcement.
- examples/github-actions/cavra-release-governance-go-runtime.yml: Go daemon release-governance gate that validates a typed release_governance request and uploads daemon evidence.
- examples/gitlab-ci/cavra-required-check.gitlab-ci.yml: GitLab CI equivalent for teams that want the same governance control outside GitHub.
- examples/gitlab-ci/cavra-aispm-review-packet-validation.gitlab-ci.yml: GitLab CI AISPM replay-to-policy review packet gate for merge-request pipelines.
- examples/gitlab-ci/cavra-release-governance-go-runtime.gitlab-ci.yml: GitLab CI release-governance gate using the same typed Go daemon request.
- examples/azure-pipelines/cavra-required-check.azure-pipelines.yml: Azure Pipelines equivalent for Azure Repos Build validation branch policies.
- examples/azure-pipelines/cavra-aispm-review-packet-validation.azure-pipelines.yml: Azure Pipelines AISPM replay-to-policy review packet gate for Build validation policies.
- examples/azure-pipelines/cavra-release-governance-go-runtime.azure-pipelines.yml: Azure Pipelines release-governance gate for protected release branches or environment checks.
Before marking a replay-to-policy gate production-ready, export cavra-replay-policy-ci-gate-readiness.json from the AISPM dashboard and run:

cavra aispm validate-ci-gate-readiness cavra-replay-policy-ci-gate-readiness.json --repo-root .

The validator checks the public-safe readiness packet, required check name, expected CI template paths, review-packet linkage, and installed repository template files. Automated branch-protection write-back remains an Enterprise capability.
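As an added example (not the project's own cavra-governance.yml or any of the examples/ templates), the workflow below is wired the way the required check above is described: the job name is the status check name, it runs on pull requests and manual dispatch, the signing key falls back to a demo value when the secret is absent, the readiness checks run as fail-closed steps, and the evidence artifact is uploaded. Assumed: the cavra CLI installs with pip, and the readiness packet is committed at the repository root; the evidence-bundle and PR-attestation steps of the starter template are omitted because their commands are not shown on this page.

```yaml
# Added example (not the project's own cavra-governance.yml or template):
# a required-check workflow shaped as described on this page.
# Assumed: the `cavra` CLI installs with pip, and the readiness packet is
# committed at the repository root.
name: cavra-required-check

on:
  pull_request:
  workflow_dispatch:

# Least privilege: the gate only reads the checkout; Actions reports the status itself.
permissions:
  contents: read

concurrency:
  group: cavra-required-check-${{ github.ref }}
  cancel-in-progress: true

jobs:
  cavra-required-check:   # the job name is the status check name to require
    runs-on: ubuntu-latest
    env:
      # Production secret when configured; otherwise a deterministic demo HMAC
      # key (also what fork PRs get, since secrets are withheld from them).
      CAVRA_EVIDENCE_SIGNING_KEY: ${{ secrets.CAVRA_EVIDENCE_SIGNING_KEY || 'cavra-demo-hmac-key' }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install toolchain (package name assumed)
        run: python -m pip install --upgrade pip cavra ruff pytest
      - name: Lint and test
        run: |
          ruff check .
          pytest
      - name: Check CAVRA enforcement readiness
        # GitHub runs bash with pipefail, so a non-zero exit from cavra fails the step.
        run: cavra agent enforcement-readiness --json | tee enforcement-readiness.json
      - name: Validate replay-to-policy CI gate readiness packet
        run: cavra aispm validate-ci-gate-readiness cavra-replay-policy-ci-gate-readiness.json --repo-root .
      - name: Upload evidence artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: cavra-required-check-evidence
          path: enforcement-readiness.json
```

With this in place, adding cavra-required-check to the branch's required status checks makes a failing readiness step block the merge rather than merely annotate it.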
- Copy examples/azure-pipelines/cavra-required-check.azure-pipelines.yml into the repository.
- Create an Azure Pipeline from that YAML file.
- Add CAVRA_EVIDENCE_SIGNING_KEY as a secret pipeline variable for production evidence signatures.
- Open Azure Repos branch policies for the protected target branch.
- Add a Build validation policy that selects the CAVRA pipeline.
- Set Policy requirement to Required and use the display name cavra-required-check.
Azure Repos PR validation is enforced through branch policies. The CAVRA pipeline disables the YAML trigger and pr triggers so that the protected branch's Build validation policy is the merge gate.
- As a platform engineer, I can make CAVRA a required merge check so AI-assisted pull requests cannot bypass governance.
- As a reviewer, I can open the CAVRA evidence artifact and inspect the PR attestation before approving.
- As a platform engineer, I can require replay-to-policy review packets before generated policy drafts or replay fixtures merge.
- As a platform engineer, I can validate replay-to-policy CI gate readiness before marking the required check production-ready.
- As an auditor, I can prove that policy validation, evidence verification, and attestation verification ran before merge.
- As a security engineer, I can require trust-root signatures and retention thresholds for regulated repositories.
Required checks convert CAVRA from advisory tooling into a merge gate. Enterprises can standardize AI coding controls across GitHub, GitLab, and Azure DevOps repositories, preserve evidence for audits, and prevent undocumented AI-generated changes from merging without verifier-ready attestation.
The next recommended implementation step is production release-signing operations, key rotation, and emergency revocation evidence.