PolicyStrata

CI Gate

Run Agent Assurance in CI and block data-touching agents before production.

CI Pattern

Run self-hosted checks in CI, upload evidence, then use the runner exit code to decide whether the release job continues.

.github/workflows/agent-assurance.yml
name: Agent Assurance

on:
  pull_request:
  workflow_dispatch:

jobs:
  assurance:
    runs-on: ubuntu-latest
    env:
      ASSURANCE_API_URL: https://app.policystrata.com
      ASSURANCE_INGEST_TOKEN: ${{ secrets.ASSURANCE_INGEST_TOKEN }}
      ASSURANCE_PROJECT: support-bi-copilot
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
      - run: bun install --frozen-lockfile
      - run: docpull sync --source customer-support-docs --out .assurance/docpull
      - run: policystrata scan --suite customer-data-access --out .assurance/policystrata
      - run: agent-assurance evidence upload --project "$ASSURANCE_PROJECT"

Blocking Policy

agent-assurance gate \
  --block-on tenant_scope_required,pii_minimization_failed,rls_drift \
  --fail-on missing_citation

Checks Output

OutputUse
Job statusBlocks merge or deploy
JSON artifactMachine-readable gate result
JUnitCI test summary
SARIFSecurity dashboard import
Evidence packRelease review and audit

Recommended release rule

Require an Agent Assurance check on pull requests that change prompts, retrieval config, agent tools, SQL generation, policy files, data access paths, or schema bindings.

On this page