CI check for AI-context risks: secrets in the tree, missing AI ignore files, and workspace hygiene — before Cursor, Copilot, Claude Code, and similar tools read your repo.
- uses: actions/checkout@v4
- uses: Offsend/ai-hygiene@v1
with:
fail-on: blockThat's it. The action installs offsend-cli and runs offsend check. No Homebrew, no extra setup.
Part of Offsend.
| Check | Example |
|---|---|
| Secrets & credentials | API keys, tokens, .env files committed to the repo |
| AI ignore / policy gaps | Missing or incomplete .cursorignore, .aiignore, and related files |
| Workspace hygiene | Paths and patterns that widen what AI tools can see |
Tune detectors and excludes with .offsend.yml in your repository.
Add this to your README after enabling the action:
[](https://offsend.io/)name: AI context check
on:
pull_request:
push:
branches: [main]
jobs:
offsend:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: Offsend/ai-hygiene@v1
with:
fail-on: block- uses: Offsend/ai-hygiene@v1
with:
staged: "true"
fail-on: block- uses: Offsend/ai-hygiene@v1
with:
fail-on: warn| Input | Default | Description |
|---|---|---|
path |
. |
Path to scan (relative to the workflow working directory) |
staged |
false |
Scan only git-staged files |
policy |
true |
Include AI ignore files and workspace policy checks |
fail-on |
block |
block · warn · none |
format |
text |
text · json |
quiet |
false |
Print only findings and errors |
version |
0.10.0 |
offsend-cli release to install |
- Runner:
ubuntu-latestormacos-latest - Linux:
x86_64/aarch64· macOS: universal binary
uses: Offsend/ai-hygiene@v1 # latest v1.x
uses: Offsend/ai-hygiene@v1.0.0 # exact releasechmod +x scripts/*.sh
OFFSEND_VERSION=0.10.0 ./scripts/install.sh
OFFSEND_PATH=. OFFSEND_POLICY=true ./scripts/run.shCI runs the action against fixtures on Ubuntu and macOS.
MIT — see LICENSE.