GitHub Release Gates

Evidence-backed release governance for AI-generated software

Enterprise Skills classifies each change's risk, requires the right evidence, and posts one explainable, commit-bound release decision as a required check — then proves exactly why every commit was allowed into production. Setup is four required steps, about ten minutes, plus one optional step for agent-produced evidence.

  1. 1

    Install the GitHub App

    Install Enterprise Skills Release Governor on the repositories you want governed. Permissions are minimal: checks (write), pull requests, contents, and metadata (read).

  2. 2

    Add your license key as a repository secret

    In your repo: Settings → Secrets and variables → Actions → New repository secret. Name it ES_LICENSE_KEY with the license key from your purchase email. The key never appears in workflow files. Active-repository limits follow your plan (Pro 3 · Team 10 · Enterprise contract-defined).

  3. 3

    Add the Release Governor workflow

    Create .github/workflows/release-governor.yml:

    name: Release Governor
    on:
      pull_request:
        types: [opened, synchronize, reopened]
    permissions:
      contents: read
      id-token: write
    jobs:
      govern:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
            with:
              ref: ${{ github.event.pull_request.head.sha }}
              fetch-depth: 0
          - uses: actions/setup-node@v4
            with:
              node-version: 20
          - name: Activate license
            run: |
              mkdir -p ~/.enterprise-skills
              node -e "require('fs').writeFileSync(require('os').homedir()+'/.enterprise-skills/license.json', JSON.stringify({ key: process.env.ES_LICENSE_KEY }))"
            env:
              ES_LICENSE_KEY: ${{ secrets.ES_LICENSE_KEY }}
          - name: Govern and post the decision
            run: npx --yes enterprise-skills@^3.11.0 govern --post --pr "$PR_NUMBER" --base "origin/$BASE_REF"
            env:
              PR_NUMBER: ${{ github.event.number }}
              BASE_REF: ${{ github.base_ref }}

    The Governor reads commit-bound evidence from .project-ai/skill-outputs/ — produced by your reviewing agent for each change. Missing evidence for a required domain fails closed; evidence from an earlier commit is rejected as stale.

  4. 4

    Optional — produce semantic evidence automatically

    When a change requires evidence no CI tool produces mechanically — API compatibility, migration safety, observability/rollback readiness — you can let your own coding agent produce it in CI instead of relying on a reviewer to commit it. Add this step before the govern step, with your model credentials as a secret:

          # Optional: auto-produce semantic evidence before governing.
          # Runs ONLY the agents this diff's risk classification requires.
          - name: Semantic domain agents
            run: npx --yes enterprise-skills@^3.11.0 agents run --yes --base "origin/$BASE_REF" --agent-cmd "claude -p \"{prompt}\" --permission-mode acceptEdits"
            env:
              BASE_REF: ${{ github.base_ref }}
              ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

    The same risk classification the Governor uses selects which agents run — a docs change runs none, a migration runs migration-safety — and each agent must write schema-valid evidence while touching nothing else, or the step fails closed. Any agent CLI works via --agent-cmd; we never pick a vendor for you. Agent output is evidence, never policy — the deterministic Governor still makes the only decision.

  5. 5

    Make the check required

    Repo Settings → Rules → Rulesets → New branch ruleset: target your default branch and require the status check enterprise-skills/release-governor. From that moment, merges block until a fresh, passing decision exists for the exact head commit.

What you get on every PR

  • Deterministic risk classification of the actual diff (database migration, auth, API contract, infrastructure, dependencies, UI) selecting only the required evidence domains — never every check on every change.
  • One explainable PASS/FAIL bound to the exact commit, with per-domain evidence states and the policy version that decided it.
  • An Ed25519-countersigned, append-only record — browse it in your Release Records and verify offline against the published public key.

Need a license? See plans. Questions? Help hub.