GitHub Action
Add SidClaw governance checks to CI/CD workflows with the official GitHub Action.
The sidclawhq/governance-action@v1 GitHub Action evaluates agent actions against SidClaw policies during CI/CD workflows. Use it to gate deployments, database migrations, or any automated operation that should require policy evaluation or human approval.
Quick Start
```yaml
name: Deploy with Governance
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Governance check
        id: governance
        uses: sidclawhq/governance-action@v1
        with:
          api-key: ${{ secrets.SIDCLAW_API_KEY }}
          agent-id: ${{ secrets.SIDCLAW_AGENT_ID }}
          operation: deploy
          target-integration: production
          data-classification: confidential
      - name: Deploy
        # Only runs when the policy decision is an explicit allow
        if: steps.governance.outputs.decision == 'allow'
        run: ./deploy.sh
```

Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| api-key | Yes | — | SidClaw API key (store in GitHub Secrets) |
| agent-id | Yes | — | Agent ID in SidClaw |
| operation | Yes | — | The operation being performed (e.g., deploy, merge, delete) |
| target-integration | Yes | — | The target system (e.g., production, staging, database) |
| resource-scope | No | * | Scope of the resource (e.g., production-cluster) |
| data-classification | No | internal | Data classification: public, internal, confidential, restricted |
| api-url | No | https://api.sidclaw.com | SidClaw API URL (for self-hosted instances) |
| wait-for-approval | No | true | If approval is required, wait for it before continuing |
| timeout | No | 300 | Timeout in seconds when waiting for approval |
Outputs
| Output | Description |
|---|---|
| decision | Policy decision: allow, approval_required, deny |
| trace-id | SidClaw trace ID for this evaluation |
| approval-id | Approval request ID (only if approval_required) |
How Approval Works
When the policy evaluates to approval_required:
- The action creates a GitHub Check Run on the commit with status "pending"
- The check run includes Approve and Deny buttons visible in the GitHub PR UI
- A reviewer can approve from:
  - The GitHub Check Run buttons directly
  - The SidClaw dashboard
  - Slack/Telegram (if chat integrations are configured)
- Once approved, the workflow continues; if denied, the step fails
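The three decision values and the trace-id are what a later step has to act on. The Quick Start's `if: steps.governance.outputs.decision == 'allow'` skips the deploy step on anything else; the shell function below, added here as an example and not part of sidclawhq/governance-action, makes that handling explicit and fail-closed: it records decision, trace-id and approval-id in the job summary, emits a workflow annotation for each documented value, and returns non-zero for deny, for a still-pending approval, and for an empty or unexpected value. `GITHUB_STEP_SUMMARY` and the `::error::`/`::warning::` annotations are standard GitHub Actions features; `GOVERNANCE_MODE` and the script path are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example, not code from the sidclawhq/governance-action project.
# Usage in a workflow step after the governance step (assumed script path):
#   run: .github/scripts/governance-gate.sh \
#          "${{ steps.governance.outputs.decision }}" \
#          "${{ steps.governance.outputs.trace-id }}" \
#          "${{ steps.governance.outputs.approval-id }}"
# GOVERNANCE_MODE (assumed variable): "enforce" (default) blocks on anything but
# allow; "log" records the decision and always returns 0 (fire-and-forget).

governance_gate() {
  local decision="$1" trace_id="${2:-<none>}" approval_id="${3:-}"
  local mode="${GOVERNANCE_MODE:-enforce}"
  local summary="${GITHUB_STEP_SUMMARY:-/dev/null}"   # job summary file set by Actions

  # Record the evaluation where reviewers can see it, with the trace-id for audit.
  {
    printf '| Field | Value |\n|---|---|\n'
    printf '| decision | %s |\n' "${decision:-<empty>}"
    printf '| trace-id | %s |\n' "$trace_id"
    if [ -n "$approval_id" ]; then printf '| approval-id | %s |\n' "$approval_id"; fi
  } >> "$summary"

  # Only an explicit "allow" passes; every other value is treated as a block, so a
  # missing output (skipped step, transport error) can never turn into a deploy.
  case "$decision" in
    allow)
      echo "governance: allowed (trace $trace_id)"
      return 0 ;;
    approval_required)
      echo "::warning::governance: approval pending (approval ${approval_id:-<none>}, trace $trace_id)" ;;
    deny)
      echo "::error::governance: denied by policy (trace $trace_id)" ;;
    *)
      echo "::error::governance: missing or unexpected decision '$decision'; failing closed" ;;
  esac

  if [ "$mode" = log ]; then
    echo "governance: log-only mode, not blocking"
    return 0
  fi
  return 1
}

# When executed directly with arguments, gate on them and propagate the result.
if [ "$#" -gt 0 ]; then
  governance_gate "$@"
  exit $?
fi
```

For the fire-and-forget case, set `GOVERNANCE_MODE: log` in the step's `env:`; the decision and trace-id still land in the job summary, but the step never fails the workflow.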
Examples
Gate Database Migrations
```yaml
- name: Check migration governance
  id: governance
  uses: sidclawhq/governance-action@v1
  with:
    api-key: ${{ secrets.SIDCLAW_API_KEY }}
    agent-id: ${{ secrets.SIDCLAW_AGENT_ID }}
    operation: migrate
    target-integration: database
    resource-scope: production
    data-classification: restricted
- name: Run migration
  if: steps.governance.outputs.decision == 'allow'
  run: npx prisma migrate deploy
```

Block Without Waiting
For fire-and-forget checks where you want to log the decision but not block:
```yaml
- name: Log governance decision
  uses: sidclawhq/governance-action@v1
  with:
    api-key: ${{ secrets.SIDCLAW_API_KEY }}
    agent-id: ${{ secrets.SIDCLAW_AGENT_ID }}
    operation: build
    target-integration: ci
    wait-for-approval: 'false'
```

Self-Hosted SidClaw
```yaml
- name: Governance check
  uses: sidclawhq/governance-action@v1
  with:
    api-key: ${{ secrets.SIDCLAW_API_KEY }}
    agent-id: ${{ secrets.SIDCLAW_AGENT_ID }}
    operation: deploy
    target-integration: production
    api-url: https://sidclaw.internal.company.com
```

GitHub App
The SidClaw GitHub App enhances the action by providing:
- Check Run status updates on PRs
- Interactive Approve/Deny buttons in the GitHub UI
- Webhook callbacks for approval decisions
Install it on your organization at github.com/apps/sidclaw-governance.
Setup
- Create a SidClaw API key at Settings > API Keys in the dashboard
- Add secrets to your GitHub repository: SIDCLAW_API_KEY and SIDCLAW_AGENT_ID
- Add the action to your workflow YAML
- (Optional) Install the SidClaw GitHub App for Check Run integration