Skip to content
/ policy-linter-action Public

One-line CI gate for agent-treasury safety. Fails your workflow if guardrails are missing (selector+chainId allowlists, spend caps (hour/day), timelock + quorum for escalations, pause + logging)

License

MIT license
1 star 0 forks Branches Tags Activity
Star

Amara-ops/policy-linter-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
.github/workflows
.github/workflows
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 

Repository files navigation

Agent Treasury Policy Linter — GitHub Action

CI

One-line CI gate for agent-treasury safety. Fails your workflow if guardrails are missing:

  • selector+chainId allowlists
  • spend caps (hour/day)
  • timelock + quorum for escalations
  • pause + logging

This Action fetches the compiled CLI from the main repo and runs it on your policy.json.

Links

Usage

jobs:
  policy_lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Amara-ops/policy-linter-action@v0
        with:
          policy: path/to/policy.json
          report: policy.report.json     # optional (default: policy.report.json)
          strict: 'true'                 # optional, treats warnings as errors
          # version: v0                  # optional, linter tag/branch (defaults to v0)

Inputs

  • policy (required): path to policy JSON
  • report (optional): path to write JSON report (default: policy.report.json)
  • strict (optional): 'true' to fail on warnings (default: 'false')
  • version (optional): linter ref in main repo (default: v0)
  • sarif (optional): path to write SARIF output
  • artifact (optional): repo-relative path to anchor SARIF findings (defaults to policy path)

GitHub Code Scanning (SARIF)

What it is

  • GitHub Code Scanning ingests SARIF and shows alerts in Security → Code scanning alerts and on PRs.
  • Public repos: free. Private repos: requires GitHub Advanced Security.

When to use

  • If you want policy issues visible in GitHub’s Security UI/PR checks, not just as a CI failure.

How to enable with this Action

name: Policy Lint
on: [push, pull_request, workflow_dispatch]

permissions:
  contents: read
  security-events: write  # required to upload SARIF

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Run the linter and emit SARIF
      - uses: Amara-ops/policy-linter-action@v0
        with:
          policy: policies/agent/policy.json
          report: policy.report.json
          sarif: policy.sarif
          artifact: policies/agent/policy.json   # repo-relative path recommended
          strict: 'false'                        # set 'true' to block on warnings
          # version: v0                          # optional; defaults to v0

      # Upload SARIF to Code Scanning
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: policy.sarif

Notes

  • artifact sets which file the alert is attached to; defaults to the policy input. Use repo-relative paths for best results.
  • If you don’t need Code Scanning, omit sarif/artifact and just use report.

License

MIT

About

One-line CI gate for agent-treasury safety. Fails your workflow if guardrails are missing (selector+chainId allowlists, spend caps (hour/day), timelock + quorum for escalations, pause + logging)

Topics

security linter ethereum base agents optimism policy-as-code github-actions

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v0.1.1 - Optional SARIF output + robustness (no breaking changes) Latest
Oct 7, 2025
+ 1 release

Packages

No packages published