
GitHub Required Checks and CI CD Enforcement

Huzefaaa2 edited this page Jun 12, 2026 · 26 revisions

Required Checks and CI/CD Enforcement

CAVRA can run as a required branch-protection or build-validation check so AI-assisted changes cannot merge without policy validation, evidence verification, and PR attestation verification.

Delivered Workflow

The repository workflow .github/workflows/cavra-governance.yml is now structured as a required-check candidate:

  • Check name: cavra-required-check
  • Trigger: pull requests and manual workflow dispatch
  • Controls: policy-pack validation, CAVRA policy inventory, Ruff linting, pytest, evidence bundle generation, evidence verification, PR attestation verification, and evidence artifact upload
  • Artifact: cavra-required-check-evidence

To enforce it on main, add cavra-required-check to the required status checks in GitHub branch protection. The name must match the check name the workflow reports exactly; a check that runs but is not selected is advisory only and does not block the merge.

For AI coding agents, this check is part of the anti-bypass model documented in AI-Agent-Enforcement-And-Anti-Bypass-Model.md. Agent prompts and local wrappers are not enough; protected branches and required checks must reject work that lacks CAVRA evidence.

Run cavra agent enforcement-readiness --json to inspect whether the repository has the expected CAVRA enforcement files and exported platform controls.

Repository Setup

  1. Go to repository settings.
  2. Open Branches.
  3. Edit the main branch protection rule.
  4. Enable Require status checks to pass before merging.
  5. Select cavra-required-check.
  6. Keep required review, stale review dismissal, conversation resolution, and force-push protection enabled, and enable Do not allow bypassing the above settings so that repository administrators are held to the same gate.
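Branch-protection settings drift, and a required check that was never selected (or that administrators can bypass) is not a merge gate. The script below is an added example, not part of CAVRA: it audits the JSON returned by GitHub's REST endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection (for example via `gh api repos/OWNER/REPO/branches/main/protection`) against the settings listed in the steps above. The two embedded protection objects are constructed samples in the shape of that response.

```python
"""Audit a GitHub branch-protection response for the settings this page requires.

Added example, not CAVRA's own code. Input is the JSON body returned by
GET /repos/{owner}/{repo}/branches/{branch}/protection.
"""
import json
import sys

REQUIRED_CHECK = "cavra-required-check"

# Constructed sample: a branch that merely runs linting, with every bypass left open.
WEAK_PROTECTION = {
    "required_status_checks": {"strict": False, "contexts": ["ruff"],
                               "checks": [{"context": "ruff", "app_id": None}]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {"dismiss_stale_reviews": False,
                                      "required_approving_review_count": 1},
    "required_conversation_resolution": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: the configuration the setup steps on this page produce.
HARDENED_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": [REQUIRED_CHECK],
                               "checks": [{"context": REQUIRED_CHECK, "app_id": None}]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                      "required_approving_review_count": 1},
    "required_conversation_resolution": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}


def audit_branch_protection(protection: dict, required_check: str = REQUIRED_CHECK) -> list:
    """Return a list of findings; an empty list means the branch enforces the gate."""
    findings = []

    status = protection.get("required_status_checks")  # absent when the rule is off
    if status is None:
        findings.append("required status checks are disabled")
    else:
        # GitHub returns both the legacy `contexts` list and the newer `checks` list.
        contexts = set(status.get("contexts", []))
        contexts.update(c.get("context") for c in status.get("checks", []))
        if required_check not in contexts:
            findings.append(f"{required_check} is not a required status check")
        if not status.get("strict", False):
            # Without strict mode the check may have run against a stale base branch.
            findings.append("strict mode (branch must be up to date) is off")

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("no approving review is required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale review dismissal is off")

    if not protection.get("required_conversation_resolution", {}).get("enabled", False):
        findings.append("conversation resolution is not required")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("branch deletion is allowed")
    # Administrators can otherwise merge around every rule above.
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("rules are not enforced for administrators")
    return findings


def audit_json_text(text: str) -> list:
    """Convenience wrapper for piping a raw API response into the audit."""
    return audit_branch_protection(json.loads(text))


if __name__ == "__main__":
    # Usage: gh api repos/OWNER/REPO/branches/main/protection | python audit.py
    problems = audit_json_text(sys.stdin.read())
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it from a scheduled job or a pre-deployment check and treat any finding as a failure; the "enforced for administrators" finding is the one most often missed, because every other rule on the page can be bypassed by an admin merge when it is off.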

For production evidence signatures, add CAVRA_EVIDENCE_SIGNING_KEY as a GitHub Actions secret. Without the secret, the sample workflow falls back to a deterministic demo HMAC key so template validation still works in local and open-source demonstration repositories. Because that demo key is public, evidence it signs proves nothing about who produced it; do not accept demo-signed evidence in a repository where the secret is configured.
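The following is an added example, not CAVRA's evidence format or signing code. It shows the control implied by the demo-key fallback: the key comes from CAVRA_EVIDENCE_SIGNING_KEY when set, the evidence is canonicalized before HMAC-SHA256 signing, verification uses a constant-time comparison, and a verifier that holds a real secret refuses demo-signed bundles rather than quietly passing them. The demo key value, the bundle fields, and the signature layout are assumptions made for the example.

```python
"""HMAC signing and fail-closed verification of an evidence bundle.

Added example, not CAVRA's own signing scheme. Assumed: the demo key is a fixed
public string, and the signature block records whether it was used.
"""
import hashlib
import hmac
import json
import os

DEMO_KEY = b"cavra-demo-key-not-for-production"  # assumed fallback value
ENV_VAR = "CAVRA_EVIDENCE_SIGNING_KEY"

# Constructed evidence bundle; field names are illustrative only.
SAMPLE_EVIDENCE = {
    "schema": "example-evidence/1",
    "pull_request": 42,
    "checks": {"policy_pack": "pass", "ruff": "pass", "pytest": "pass"},
    "attestation": {"tool": "example-agent", "model": "example-model"},
}


def load_signing_key(environ=os.environ) -> tuple:
    """Return (key, is_demo): the secret when configured, else the public demo key."""
    secret = environ.get(ENV_VAR)
    if secret:
        return secret.encode(), False
    return DEMO_KEY, True


def canonical_bytes(payload: dict) -> bytes:
    # Sorted keys and fixed separators so equal evidence always hashes identically.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(bundle: dict, key: bytes, is_demo: bool) -> dict:
    """Return a copy of the bundle carrying its HMAC-SHA256 tag and key provenance."""
    payload = {k: v for k, v in bundle.items() if k != "signature"}
    mac = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    # demo_key is self-asserted by the signer; the MAC check below still governs.
    return {**payload, "signature": {"alg": "HMAC-SHA256", "demo_key": is_demo, "mac": mac}}


def verify_bundle(signed: dict, key: bytes, allow_demo: bool = False) -> tuple:
    """Return (ok, reason). Demo-signed evidence is rejected unless allow_demo is set."""
    sig = signed.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != "HMAC-SHA256":
        return False, "missing or unsupported signature"
    if sig.get("demo_key") and not allow_demo:
        return False, "evidence signed with the demo key is not accepted in production"
    payload = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot learn the tag byte by byte.
    if not hmac.compare_digest(expected, str(sig.get("mac", ""))):
        return False, "signature does not match evidence content"
    return True, "ok"


def check_evidence(signed: dict, environ=os.environ) -> tuple:
    """Verifier entry point: demo evidence passes only where no secret is configured."""
    key, is_demo = load_signing_key(environ)
    return verify_bundle(signed, key, allow_demo=is_demo)


if __name__ == "__main__":
    key, is_demo = load_signing_key()
    signed = sign_bundle(SAMPLE_EVIDENCE, key, is_demo)
    print(json.dumps(signed, indent=2))
    print(check_evidence(signed))
```

The asymmetry is deliberate: a repository without the secret can still exercise the template end to end, while a repository that has the secret treats a demo-signed or tampered bundle as a hard failure instead of a warning.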

Reusable Templates

Copy one of these templates into downstream repositories:

  • examples/github-actions/cavra-required-check.yml: starter GitHub required check that validates a policy pack, creates evidence if none exists, verifies the bundle, verifies PR attestation, and uploads evidence.
  • examples/github-actions/cavra-aispm-review-packet-validation.yml: AISPM replay-to-policy review packet gate that validates cavra-replay-policy-review-packet.json, uploads validation reports, and fails closed when replay-derived policy or fixture changes lack a packet.
  • examples/github-actions/cavra-enterprise-enforcement.yml: stricter GitHub workflow for signed policy packs, trust-root evidence verification, key IDs, retention minimums, and artifact enforcement.
  • examples/github-actions/cavra-release-governance-go-runtime.yml: Go daemon release-governance gate that validates a typed release_governance request and uploads daemon evidence.
  • examples/gitlab-ci/cavra-required-check.gitlab-ci.yml: GitLab CI equivalent for teams that want the same governance control outside GitHub.
  • examples/gitlab-ci/cavra-aispm-review-packet-validation.gitlab-ci.yml: GitLab CI AISPM replay-to-policy review packet gate for merge-request pipelines.
  • examples/gitlab-ci/cavra-release-governance-go-runtime.gitlab-ci.yml: GitLab CI release-governance gate using the same typed Go daemon request.
  • examples/azure-pipelines/cavra-required-check.azure-pipelines.yml: Azure Pipelines equivalent for Azure Repos Build validation branch policies.
  • examples/azure-pipelines/cavra-aispm-review-packet-validation.azure-pipelines.yml: Azure Pipelines AISPM replay-to-policy review packet gate for Build validation policies.
  • examples/azure-pipelines/cavra-release-governance-go-runtime.azure-pipelines.yml: Azure Pipelines release-governance gate for protected release branches or environment checks.

Before marking a replay-to-policy gate production-ready, export cavra-replay-policy-ci-gate-readiness.json from the AISPM dashboard and run:

cavra aispm validate-ci-gate-readiness cavra-replay-policy-ci-gate-readiness.json --repo-root .

The validator checks the public-safe readiness packet, required check name, expected CI template paths, review-packet linkage, and installed repository template files. Automated branch-protection write-back remains an Enterprise capability.

Azure DevOps Setup

  1. Copy examples/azure-pipelines/cavra-required-check.azure-pipelines.yml into the repository.
  2. Create an Azure Pipeline from that YAML file.
  3. Add CAVRA_EVIDENCE_SIGNING_KEY as a secret pipeline variable for production evidence signatures.
  4. Open Azure Repos branch policies for the protected target branch.
  5. Add a Build validation policy that selects the CAVRA pipeline.
  6. Set Policy requirement to Required and use the display name cavra-required-check.

Azure Repos enforces PR validation through branch policies rather than pipeline triggers. The CAVRA pipeline therefore sets the YAML trigger and pr triggers to none, so the Build validation policy on the protected branch is the only path that runs it and is the merge gate.

User Stories

  • As a platform engineer, I can make CAVRA a required merge check so AI-assisted pull requests cannot bypass governance.
  • As a reviewer, I can open the CAVRA evidence artifact and inspect the PR attestation before approving.
  • As a platform engineer, I can require replay-to-policy review packets before generated policy drafts or replay fixtures merge.
  • As a platform engineer, I can validate replay-to-policy CI gate readiness before marking the required check production-ready.
  • As an auditor, I can prove that policy validation, evidence verification, and attestation verification ran before merge.
  • As a security engineer, I can require trust-root signatures and retention thresholds for regulated repositories.

Enterprise Challenge Solved

Required checks convert CAVRA from advisory tooling into a merge gate. Enterprises can standardize AI coding controls across GitHub, GitLab, and Azure DevOps repositories, preserve evidence for audits, and prevent undocumented AI-generated changes from merging without verifier-ready attestation.

Next

The next recommended implementation step is production release-signing operations, key rotation, and emergency revocation evidence.
