GitHub Required Checks and CI CD Enforcement
CAVRA now includes required-check templates for GitHub, GitLab CI, and Azure DevOps.
- `.github/workflows/cavra-governance.yml` can be used as a protected-branch required check named `cavra-required-check`.
- The workflow validates policy packs, runs lint/tests, generates an evidence bundle, verifies evidence, verifies PR attestation, and uploads `cavra-required-check-evidence`.
- `examples/github-actions/cavra-required-check.yml` provides a starter downstream workflow.
- `examples/github-actions/cavra-enterprise-enforcement.yml` provides trust-root, key-ID, retention, and signed-policy enforcement.
- `examples/gitlab-ci/cavra-required-check.gitlab-ci.yml` provides the same governance pattern for GitLab CI.
- `examples/azure-pipelines/cavra-required-check.azure-pipelines.yml` provides Azure Pipelines enforcement for Azure Repos Build validation policies.
Enable branch protection for `main`, require status checks before merge, and select `cavra-required-check`.
For Azure DevOps, create a pipeline from `examples/azure-pipelines/cavra-required-check.azure-pipelines.yml`, add `CAVRA_EVIDENCE_SIGNING_KEY` as a secret pipeline variable, then add the pipeline as a Required Azure Repos Build validation policy on the protected branch.
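To confirm that the GitHub setup above is actually enforced, the following added example (not part of the CAVRA project) audits a branch-protection document for `main`. It assumes the JSON shape returned by GitHub's REST branch protection endpoint; the sample document and the function name `audit_branch_protection` are constructed for illustration.

```python
import json

REQUIRED_CHECK = "cavra-required-check"  # check name taken from this page

# Constructed sample, shaped like the response of GitHub's
# GET /repos/{owner}/{repo}/branches/main/protection endpoint.
SAMPLE_PROTECTION = json.loads("""
{
  "required_status_checks": {
    "strict": false,
    "contexts": ["lint"],
    "checks": [{"context": "lint", "app_id": null}]
  },
  "enforce_admins": {"enabled": false}
}
""")


def audit_branch_protection(protection, required=REQUIRED_CHECK):
    """Return a list of findings; an empty list means the gate is enforced."""
    findings = []
    rsc = protection.get("required_status_checks") or {}
    # Check names appear in the legacy 'contexts' list and in 'checks'.
    names = set(rsc.get("contexts") or [])
    names |= {c.get("context") for c in rsc.get("checks") or []}
    if required not in names:
        findings.append(f"{required} is not a required status check")
    # Without 'strict', the check may have run against a stale base branch.
    if not rsc.get("strict"):
        findings.append("branch is not required to be up to date before merge")
    # If admins are exempt, a merge can land without the check passing.
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("administrators can bypass the required check")
    return findings


if __name__ == "__main__":
    for finding in audit_branch_protection(SAMPLE_PROTECTION):
        print("FINDING:", finding)
```

An empty result means `cavra-required-check` is required, evaluated against an up-to-date branch, and applies to administrators as well.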
- As a platform engineer, I can make CAVRA a required merge check.
- As a reviewer, I can inspect PR attestation evidence before approving.
- As an auditor, I can prove governance ran before merge.
- As a security engineer, I can require trust-root signatures and retention thresholds.
Required checks turn CAVRA evidence and policy validation into a merge gate. This helps regulated teams adopt AI coding agents across GitHub, GitLab, and Azure DevOps without losing branch protection, review evidence, or auditability.
continued release-governance record parity as new evidence metadata kinds are added.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?