GitHub Actions is the recommended CI platform for Vibgrate, with native SARIF integration for code scanning alerts and PR annotations.
Basic Workflow
Minimal setup that fails on critical drift issues:
name: Vibgrate Drift Scan
on:
push:
branches: [main]
pull_request:
jobs:
drift-scan:
name: Upgrade Drift Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
- name: Run Vibgrate Scan
run: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
- name: Upload SARIF Results
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: vibgrate.sarif
Note: The if: always() ensures SARIF is uploaded even when the scan fails, so you can see findings in the PR.
With Vibgrate Cloud Push
Track drift trends across your organization:
- name: Run Vibgrate Scan
run: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
- name: Upload SARIF Results
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: vibgrate.sarif
- name: Push to Vibgrate Cloud
if: github.ref == 'refs/heads/main'
env:
VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
run: npx @vibgrate/cli@latest push --file .vibgrate/scan_result.json
Tip: Only push from the main branch to get clean trend data without PR noise.
With Baseline Gates
Prevent drift regression on pull requests:
- name: Run Vibgrate Scan with Gates
run: |
npx @vibgrate/cli scan \
--baseline .vibgrate/baseline.json \
--drift-budget 40 \
--drift-worsening 5 \
--format sarif \
--out vibgrate.sarif \
--fail-on error
This fails the PR if:
- Drift score exceeds 40 (budget gate)
- Drift increased by >5% compared to baseline (regression gate)
- Any error-level findings exist
Production-Ready Workflow
Complete workflow with all features:
name: Vibgrate Drift Governance
on:
push:
branches: [main]
pull_request:
schedule:
- cron: '0 9 * * 1' # Weekly Monday scan
env:
NODE_VERSION: '20'
jobs:
drift-scan:
name: Upgrade Drift Analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Run Vibgrate Scan
id: scan
run: |
npx @vibgrate/cli scan \
--baseline .vibgrate/baseline.json \
--drift-budget 40 \
--drift-worsening 5 \
--format sarif \
--out vibgrate.sarif \
--fail-on error
continue-on-error: true
- name: Upload SARIF Results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: vibgrate.sarif
- name: Push to Vibgrate Cloud (main only)
if: github.ref == 'refs/heads/main' && steps.scan.outcome == 'success'
env:
VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
run: npx @vibgrate/cli@latest push --file .vibgrate/scan_result.json --strict
- name: Archive Scan Artifact
uses: actions/upload-artifact@v4
with:
name: vibgrate-scan-${{ github.sha }}
path: |
vibgrate.sarif
.vibgrate/scan_result.json
- name: Fail on Gate Violation
if: steps.scan.outcome == 'failure'
run: exit 1
Setting Up Secrets
For dashboard push, add your DSN as a repository secret:
- Go to Settings → Secrets and variables → Actions
- Click New repository secret
- Name:
VIBGRATE_DSN - Value: Your DSN from
vg dsn create
Example Templates
Find ready-to-use templates in the CLI package:
| Template | Use Case |
|---|---|
driftscore-ci.yml | JSON artifact + drift gate |
driftscore-sarif.yml | SARIF upload to code scanning |
driftscore-full.yml | Complete governance workflow |