Sign and verify your GitHub deploys against a ReleaseGate tenant. Outputs a DSSE-attested governance decision that an auditor can verify offline, without access to your infrastructure.
This Action is the customer-installable companion to ReleaseGate. Our security posture, subprocessor list, and SOC 2 status are documented in the main repo's trust page. Pricing is by conversation — email hello@releasegate.io for tier details and to start a design-partner pilot.
On every pull request (or workflow_dispatch), this Action:
- Runs ReleaseGate's deterministic decision gate against the PR using your tenant's policies.
- Signs the decision with your tenant's Ed25519 key, producing a DSSE-wrapped attestation.
- Uploads the attestation as a workflow artifact for offline verification.
- Optionally fails the workflow if the decision indicates a blocked or denied change.
- Email hello@releasegate.io to provision a tenant. You will receive a tenant identifier and an Ed25519 signing key. The design-partner phase is free; tier pricing applies once you exit the pilot window.
- Add the tenant identifier and signing key as repository secrets: `RELEASEGATE_TENANT_ID` and `RELEASEGATE_SIGNING_KEY`.
- Add `.github/workflows/releasegate.yml`:
```yaml
name: ReleaseGate
on:
  pull_request:
    branches: [main]
jobs:
  releasegate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: releasegate/releasegate-action@v0.1.2
        with:
          tenant_id: ${{ secrets.RELEASEGATE_TENANT_ID }}
          signing_key: ${{ secrets.RELEASEGATE_SIGNING_KEY }}
```

| Input | Required | Description |
|---|---|---|
| `tenant_id` | yes | Your ReleaseGate tenant identifier. |
| `signing_key` | yes | Ed25519 private key in PEM form. Pass it via a secret, never as a literal in the workflow file. |
| `pr_number` | no | PR to analyze. Defaults to the triggering PR. |
| `fail_on` | no | Comma-separated decision values that fail the Action. Default: `BLOCK,FAIL,DENIED`. |
| `releasegate_ref` | no | Git ref of the main releasegate repo to install. Pinned per Action release. |
| Output | Description |
|---|---|
| `decision` | The verdict (`ALLOW`, `BLOCK`, etc.). |
| `decision_id` | Deterministic `analysis-<sha256[:24]>`. The same PR, commit and policy produce the same id. |
| `attestation_id` | Per-run unique id derived from the DSSE payload. |
Download the `releasegate-attestation` artifact from any workflow run and verify it with the CLI from the main repo:

```bash
pip install "git+https://github.com/abishekgiri/change-risk-predictor-"
releasegate verify-dsse \
  --dsse attestation.dsse.json \
  --key-file your-public-key.pem
```

No ReleaseGate server access is required to verify. `your-public-key.pem` is the public half of the tenant signing key (for example `openssl pkey -in signing-key.pem -pubout -out your-public-key.pem`); give auditors only the public half. As with the Action itself, pin the verifier install to a tag or commit rather than the branch head.
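To show what an offline check of the artifact has to do, here is an added, stand-alone example (not ReleaseGate's code, and not how `releasegate verify-dsse` is implemented) that follows the DSSE specification: the signature covers the pre-authentication encoding (PAE) of the payload type and payload, not the bare payload, and a verifier accepts the envelope only if at least one signature verifies under the tenant public key. The payload type, the `Decision` field names, the key id and the sample decision values are assumptions made for the demo; the real payload schema is not on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Envelope mirrors the DSSE envelope layout: a base64 payload, its
// media type, and one or more detached signatures over the PAE.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature carries one signer's base64 signature plus an optional key id.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE is the DSSE pre-authentication encoding that is actually signed:
// "DSSEv1" SP len(type) SP type SP len(payload) SP payload.
// Signing the PAE rather than the bare payload binds the payload type.
func PAE(payloadType string, payload []byte) []byte {
	head := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(head), payload...)
}

// Sign wraps payload in a DSSE envelope signed with an Ed25519 key.
// It stands in for what the Action emits; it is not ReleaseGate's code.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify checks an envelope offline against a tenant public key and returns
// the decoded payload only if at least one signature verifies over the PAE.
// Malformed signature entries are skipped; a valid one elsewhere still counts.
func Verify(env Envelope, pub ed25519.PublicKey) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not valid base64: %w", err)
	}
	msg := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil || len(sig) != ed25519.SignatureSize {
			continue
		}
		if ed25519.Verify(pub, msg, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("no signature in the envelope verifies under this key")
}

// Decision is an assumed subset of a governance decision payload; the real
// schema is not documented on this page.
type Decision struct {
	DecisionID string `json:"decision_id"`
	Decision   string `json:"decision"`
	Commit     string `json:"commit"`
}

// DemoRoundTrip generates a key pair, signs a constructed decision, verifies
// it, then shows that editing the verdict in the payload breaks verification.
func DemoRoundTrip() (verdict string, tamperRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	payload, _ := json.Marshal(Decision{ // constructed sample values
		DecisionID: "analysis-0000000000000000000000ab",
		Decision:   "ALLOW",
		Commit:     "0123456789abcdef0123456789abcdef01234567",
	})
	env := Sign(priv, "tenant-key", "application/vnd.releasegate.decision+json", payload)

	got, err := Verify(env, pub)
	if err != nil {
		return "", false, err
	}
	var d Decision
	if err := json.Unmarshal(got, &d); err != nil {
		return "", false, err
	}

	// Flipping ALLOW to BLOCK (or the reverse) while reusing the original
	// signature must be rejected, since the signature covers the payload bytes.
	tampered := env
	tampered.Payload = base64.StdEncoding.EncodeToString(
		[]byte(strings.Replace(string(payload), "ALLOW", "BLOCK", 1)))
	_, terr := Verify(tampered, pub)
	return d.Decision, terr != nil, nil
}

func main() {
	verdict, tamperRejected, err := DemoRoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verified decision=%s tamper_rejected=%v\n", verdict, tamperRejected)
}
```

The two things worth keeping from this when you write your own checker are the PAE framing (a signature over the raw payload bytes is not a DSSE signature and will not verify) and the rule that verification runs entirely on the envelope plus the public key, which is why no ReleaseGate server is needed.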
- It does not yet support per-tenant custom policy directories. The Action uses the policy bundle compiled into the pinned engine (currently the standards bundle — SOC 2 CC8.1, ISO 27001 baseline policies). Custom policy authoring is on the roadmap for tenants who request it.
- It does not yet enforce signed-commit requirements on the PR.
- It does not yet integrate with Sigstore / Rekor public transparency logs (planned 2026 Q3).
- It does not yet support self-serve tenant signup; tenants are provisioned manually during the design-partner phase. Email hello@releasegate.io.
- It does not yet support Kubernetes admission control. See the main repo for the roadmap.
- Signing keys are passed via GitHub Actions secrets and never written to disk outside the runner's ephemeral workspace. Because the key is issued by ReleaseGate at provisioning time, a verified attestation proves it was signed by a holder of the tenant key, not that the signer was this Action specifically.
- The Action itself is open source and pinned to a specific commit of the main releasegate repo per release. Audit either repo at will.
- Security reports: security@releasegate.io. Subprocessor list and SOC 2 status are documented in the main repo's trust page.
MIT.
This Action follows semver. Pin to a specific tag (e.g. `releasegate/releasegate-action@v0.1.2`) in production. The `releasegate_ref` input pins the main engine SHA at the same time.