Skip to content

sengol-io/sengol-github-action

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 

Repository files navigation

sengol-github-action

GitHub Action that runs a Sengol evaluation suite and gates CI/CD on compliance obligations.

The action installs sengol, runs sengol run-suite against your sengol.yaml, and writes the results to either the GitHub Actions step summary or a JUnit XML file. Workflow-command ::error:: annotations are emitted alongside both modes so failed obligations surface inline on the PR diff. Your pipeline fails when an obligation pass rate falls below its declared threshold.

Usage

Minimal — runs the suite, fails the workflow when the gate fails, writes a markdown summary to the run page:

- uses: sengol-io/sengol-github-action@v0.1.0
  with:
    config: sengol.yaml
  env:
    SENGOL_AUDIT_URI: ${{ secrets.SENGOL_AUDIT_URI }}
    SENGOL_SIGNING_KEY: ${{ secrets.SENGOL_SIGNING_KEY }}
    SENGOL_TENANT_ID: ${{ secrets.SENGOL_TENANT_ID }}
    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

JUnit XML output (for surfacing failures in test-report integrations):

- uses: sengol-io/sengol-github-action@v0.1.0
  with:
    output-format: junit
    junit-output-path: eval-results.xml
  env:
    SENGOL_AUDIT_URI: ${{ secrets.SENGOL_AUDIT_URI }}
    SENGOL_SIGNING_KEY: ${{ secrets.SENGOL_SIGNING_KEY }}
    SENGOL_TENANT_ID: ${{ secrets.SENGOL_TENANT_ID }}

Inputs

Input Required Default Description
config no sengol.yaml Path to your sengol.yaml.
python-version no 3.11 Python version installed before pip install sengol.
sengol-version no (latest) Pin a specific release (e.g. 0.2.0).
fail-on-gate-failure no true Exit non-zero when the gate fails.
output-format no github-summary One of github-summary, junit.
junit-output-path no eval-results.xml Path for JUnit XML when output-format=junit.

Outputs

Output Description
passed "true" / "false" — gate verdict for downstream steps. Always set.
score GoldScore (0.0–1.0) for the evaluation period. Empty string ('') when GoldScore is not configured.
report_url Path or URL to the generated PDF evidence pack. Empty string ('') when PDF generation is not enabled.

GitHub Actions composite action note: All declared outputs are resolved by the runner even when the underlying step does not emit a value, producing an empty string rather than a truly absent output. Check with != '' rather than testing for absence:

- if: steps.sengol.outputs.score != ''
  run: echo "Score is ${{ steps.sengol.outputs.score }}"

The SDK's write_outputs() never writes an empty string to $GITHUB_OUTPUT — the empty string consumers see is the GitHub Actions runner's own default for unmapped outputs.

Required secrets

The action does not inject defaults for audit-store credentials — your workflow must supply:

  • SENGOL_AUDIT_URI — Postgres URI (or memory:// for ephemeral local runs)
  • SENGOL_SIGNING_KEY — 32-byte HMAC key for signing audit records
  • SENGOL_TENANT_ID — tenant identifier
  • ANTHROPIC_API_KEY — only when your suite includes LLM-judge evaluators

License

Apache 2.0. See LICENSE.

About

GitHub Action — AI governance evaluation gate for CI/CD pipelines

Topics

ci-cd github-actions ai-governance osfi llm-evaluation

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 — Initial release Latest
May 16, 2026

Packages

 
 
 

Contributors