GitHub Required Checks and CI CD Enforcement
CAVRA now includes required-check templates for GitHub, GitLab CI, and Azure DevOps.
- `.github/workflows/cavra-governance.yml` can be used as a protected-branch required check named `cavra-required-check`.
- The workflow validates policy packs, runs lint/tests, generates an evidence bundle, verifies evidence, verifies PR attestation, and uploads `cavra-required-check-evidence`.
- `examples/github-actions/cavra-required-check.yml` provides a starter downstream workflow.
- `examples/github-actions/cavra-enterprise-enforcement.yml` provides trust-root, key-ID, retention, and signed-policy enforcement.
- `examples/gitlab-ci/cavra-required-check.gitlab-ci.yml` provides the same governance pattern for GitLab CI.
- `examples/azure-pipelines/cavra-required-check.azure-pipelines.yml` provides Azure Pipelines enforcement for Azure Repos Build validation policies.
Enable branch protection for main, require status checks before merge, and select cavra-required-check.
For Azure DevOps, create a pipeline from examples/azure-pipelines/cavra-required-check.azure-pipelines.yml, add CAVRA_EVIDENCE_SIGNING_KEY as a secret pipeline variable, then add the pipeline as a Required Azure Repos Build validation policy on the protected branch.
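To confirm that the GitHub branch-protection step above took effect, this added example (not part of CAVRA or of the original page) audits the JSON that GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint returns. The sample responses are constructed, and the extra checks on `strict` and `enforce_admins` are assumptions about what a team would want enforced alongside `cavra-required-check`.

```python
import json

REQUIRED_CHECK = "cavra-required-check"  # check name given on this page


def audit_branch_protection(protection, required=REQUIRED_CHECK):
    """Return findings for one branch-protection document; [] means the gate holds."""
    rsc = protection.get("required_status_checks")
    if not rsc:
        return [f"no required status checks, so {required} cannot gate merges"]
    # GitHub reports required checks in the legacy "contexts" list and in "checks".
    names = set(rsc.get("contexts") or [])
    names |= {c.get("context") for c in rsc.get("checks") or []}
    findings = []
    if required not in names:
        findings.append(f"{required} is not a required status check")
    if not rsc.get("strict"):
        findings.append("branch may be out of date when the check passes")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("administrators can merge without the required check")
    return findings


# Constructed sample responses (trimmed to the fields the audit reads).
GOOD = json.loads("""
{"required_status_checks": {"strict": true,
   "contexts": ["cavra-required-check"],
   "checks": [{"context": "cavra-required-check", "app_id": null}]},
 "enforce_admins": {"enabled": true}}
""")
WEAK = json.loads("""
{"required_status_checks": {"strict": true,
   "contexts": ["lint"], "checks": [{"context": "lint", "app_id": null}]},
 "enforce_admins": {"enabled": false}}
""")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("weak", WEAK), ("unprotected", {})):
        findings = audit_branch_protection(doc)
        print(label, "OK" if not findings else findings)
```

In practice the input would be the saved output of that API call for `main`, fetched with a token allowed to read branch protection.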
- As a platform engineer, I can make CAVRA a required merge check.
- As a reviewer, I can inspect PR attestation evidence before approving.
- As an auditor, I can prove governance ran before merge.
- As a security engineer, I can require trust-root signatures and retention thresholds.
Required checks turn CAVRA evidence and policy validation into a merge gate. This helps regulated teams adopt AI coding agents across GitHub, GitLab, and Azure DevOps without losing branch protection, review evidence, or auditability.
Go daemon lifecycle management, daemon evidence hooks, and public sandbox URL validation after deployment from main.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?