GitHub Action
Drop the runtime agent into any workflow with a composite action. A pre-step starts the agent before your build; a post-step stops it, signs the trace, and (optionally) gates the job. Each job gets its own keypair, so the resulting attestation is bound to that exact run.
Minimal usage
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: dpndncy/agent-action@v1
        with:
          server: https://dpndncy.example.com
          token: ${{ secrets.DPNDNCY_TOKEN }}
      # ... your normal build steps ...
```

The action runs as a pre/post pair around everything after it; no other changes to your steps are needed.
Options
| Input | Purpose |
|---|---|
| mode | observe (default) or enforce (deny non-allowlisted egress). |
| fail-on | Fail the job on block / warn / review verdicts. |
| verify-checksum | Verify the agent binary’s SHA-256 before running it. |
| allowlist | Path to an egress allowlist for enforce mode. |
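Putting the options together, here is an added example of an enforce-mode workflow that gates the job; it is not from the dpndncy project itself. It assumes the input values listed above, that `fail-on` takes a single verdict name, that an allowlist file is committed at `.github/dpndncy-allowlist` (its format is whatever dpndncy documents), and that the PR-comment summary needs `pull-requests: write`.

```yaml
# Added example, not part of the dpndncy action's own docs.
# Assumptions: fail-on accepts one verdict name; the allowlist file
# already exists in the repo; pull-requests: write is needed for the
# PR-comment summary.
name: build-with-egress-enforcement

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # assumption: lets the post-step post its summary

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Start the agent first so every later step is observed.
      - uses: dpndncy/agent-action@v1
        with:
          server: https://dpndncy.example.com
          token: ${{ secrets.DPNDNCY_TOKEN }}
          mode: enforce                # deny egress not in the allowlist
          fail-on: block               # post-step fails the job on a block verdict
          verify-checksum: true        # check the agent binary's SHA-256 first
          allowlist: .github/dpndncy-allowlist

      # Everything below runs under the agent; unexpected egress from
      # install or test scripts is denied and recorded in the signed trace.
      - run: npm ci
      - run: npm test
```

Steps placed before the action (here, checkout) are not covered by the agent, so put it as early as the job allows.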
Keys & verification
By default the action generates a per-job RSA keypair and signs the trace with it; the public key is published with the run so anyone can verify the attestation offline with dpndncy-verify. Use a shared keypair instead if you want one stable verification key across runs.
CAP_BPF).

On completion
A PR-comment summary reports the captured events, decisions, and the signed trace digest. The full attestation is retrievable from the server or the run artifacts.