GitHub Actions runs the code. Decionis decides whether the run is authorized. Evaluate deploys, AI-generated changes, and infra mutations against policy, approvals, and risk, then allow, block, or escalate before execution. Shadow mode never fails your build.
No credit card, no call. Or browse the source at github.com/decionis/govern.
- uses: decionis/govern@v1
  with:
    api-key: ${{ secrets.DECIONIS_API_KEY }}
    org-id: ${{ secrets.DECIONIS_ORG_ID }}
    workflow-key: github_deploy_approval
    action: production-deploy   # what's being gated
    mode: shadow                # records the verdict; never fails the build
    comment-pr: 'true'          # posts the verdict + verify link on the PR

Drop it in, push, watch the verdicts. Zero risk in shadow mode.
The question every pipeline now faces
Claude Code, Copilot, Cursor, Codex, OpenHands. The hard question is no longer "who wrote this code?" but "should this action be allowed to execute?" That's the Action Gate.
One verdict before execution: allow, block, or escalate. Composable into any later step.
Records what would have been blocked without ever failing a build. Observe, then enforce.
A signed, verifiable record of why it happened, who approved it, and which policy applied.
With comment-pr, the action posts a single, self-updating comment. Re-runs edit it in place, so the thread never fills with bot spam. The signed verify link unfurls as an OG card in Slack, Teams, and LinkedIn.
Verify this decision: signed, tamper-evident proof.
Shadow mode records what would have been blocked without ever failing a build. When you're convinced, wrap the command in run: and Decionis executes it only if authorized. There is no skippable if: to delete; the command runs through the gate or not at all.
- uses: decionis/govern@v1
  with:
    api-key: ${{ secrets.DECIONIS_API_KEY }}
    org-id: ${{ secrets.DECIONIS_ORG_ID }}
    workflow-key: github_deploy_approval
    action: production-deploy
    mode: enforce
    run: ./deploy.sh   # runs ONLY if Decionis authorizes it

gate-ai-agent-pr.yml: Gate Claude Code / Copilot / Cursor changes before merge.
gate-deploy.yml: Block a deploy on a high blast-radius change.
gate-terraform.yml: Gate apply on the plan's create/destroy counts.
gate-release.yml: Require a verdict before a release ships.
auto-merge-dependabot.yml: Auto-merge dep PRs only on an allow verdict.
gate-pr-comment.yml: Comment the would-be verdict without failing.

Show your pipeline is governed, and let other devs discover the check. Paste this into your README: