CI Gate
Run Agent Assurance in CI and block data-touching agents before production.
CI Pattern
Run self-hosted checks in CI, upload evidence, then use the runner exit code to decide whether the release job continues.
name: Agent Assurance
on:
pull_request:
workflow_dispatch:
jobs:
assurance:
runs-on: ubuntu-latest
env:
ASSURANCE_API_URL: https://app.policystrata.com
ASSURANCE_INGEST_TOKEN: ${{ secrets.ASSURANCE_INGEST_TOKEN }}
ASSURANCE_PROJECT: support-bi-copilot
steps:
- uses: actions/checkout@v4
- uses: oven-sh/setup-bun@v2
- run: bun install --frozen-lockfile
- run: docpull sync --source customer-support-docs --out .assurance/docpull
- run: policystrata scan --suite customer-data-access --out .assurance/policystrata
- run: agent-assurance evidence upload --project "$ASSURANCE_PROJECT"Blocking Policy
agent-assurance gate \
--block-on tenant_scope_required,pii_minimization_failed,rls_drift \
--fail-on missing_citationChecks Output
| Output | Use |
|---|---|
| Job status | Blocks merge or deploy |
| JSON artifact | Machine-readable gate result |
| JUnit | CI test summary |
| SARIF | Security dashboard import |
| Evidence pack | Release review and audit |
Recommended release rule
Require an Agent Assurance check on pull requests that change prompts, retrieval config, agent tools, SQL generation, policy files, data access paths, or schema bindings.