dpndncy

GitHub Action

Drop the runtime agent into any workflow with a composite action. A pre-step starts the agent before your build; a post-step stops it, signs the trace, and (optionally) gates the job. Each job gets its own keypair, so the resulting attestation is bound to that exact run.

Minimal usage

.github/workflows/build.yml

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: dpndncy/agent-action@v1
        with:
          server: https://dpndncy.example.com
          token: ${{ secrets.DPNDNCY_TOKEN }}
      # ... your normal build steps ...

The action runs as a pre/post pair around everything after it — no other changes to your steps.

Options

Input            Purpose
mode             observe (default) or enforce (deny non-allowlisted egress).
fail-on          Fail the job on block / warn / review verdicts.
verify-checksum  Verify the agent binary’s SHA-256 before running it.
allowlist        Path to an egress allowlist for enforce mode.
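A workflow that turns the table's inputs into a gated job, shown here as an added example rather than a snippet from the dpndncy docs. The input names come from the table above; the allowlist path, the `true` / `block` value forms, and the checkout step are assumptions, and the allowlist file format is not specified on this page.

```yaml
# .github/workflows/release.yml (added example, not from the dpndncy docs)
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # The allowlist is read from the repository, so it must be checked out
      # before the agent's pre-step runs. Caveat: checkout's own network
      # traffic happens before the agent starts and is not in the trace.
      - uses: actions/checkout@v4

      - uses: dpndncy/agent-action@v1
        with:
          server: https://dpndncy.example.com
          token: ${{ secrets.DPNDNCY_TOKEN }}
          # Refuse to run an agent binary whose SHA-256 does not match.
          verify-checksum: true
          # Deny any egress not listed; the minimal usage above only observes.
          mode: enforce
          allowlist: .dpndncy/egress-allowlist.txt   # assumed path and format
          # Fail the job on a block verdict so a denied connection is visible
          # in the PR comment summary and stops the release.
          fail-on: block

      # ... build, test and publish steps run under the agent ...
```

Roll this out in two stages: run the same allowlist in `mode: observe` first and compare the captured events in the PR comment against the list, then switch to `enforce` once the build's expected egress is fully covered.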

Keys & verification

By default the action generates a per-job RSA keypair and signs the trace with it; the public key is published with the run so anyone can verify the attestation offline with dpndncy-verify. Use a shared keypair instead if you want one stable verification key across runs.

Works on self-hosted runners

The agent needs a Linux kernel with BTF (standard on GitHub-hosted runners). On self-hosted runners, ensure the runner user can load BPF programs (privileged or CAP_BPF).

On completion

A PR-comment summary reports the captured events, decisions, and the signed trace digest. The full attestation is retrievable from the server or the run artifacts.

See also