Fail-closed admission gate for GitHub Actions
AI Admissibility Action is the public GitHub Action surface for external pre-execution admission. The technical workflow slug remains pinfloyd/cnp-action so existing GitHub Action usage does not break.
It is designed to stop execution when required admission context is missing, invalid, or incomplete.
- A fail-closed gate for GitHub automation.
- A public Action-facing surface for external admission evaluation.
- A way to make one thing clear fast: execution must not continue on missing admission context.
- Not a scanner.
- Not a post-hoc reporting layer.
- Not a generic security toolbox.
- Not a self-authorizing policy loop.
- Checks for required admission inputs.
- Rejects incomplete or invalid runtime context.
- Fails closed instead of silently continuing.
```yaml
jobs:
  admission-check:
    runs-on: ubuntu-latest
    steps:
      - uses: pinfloyd/[email protected]
        with:
          authority-url: https://example-authority.company.tld/admit
          authority-pubkey: sha256:replace-with-pinned-authority-pubkey
          policy-id: ai-secrets-v1
          trust-verdict: PASS
```

- `authority-url` - external authority endpoint URL.
- `authority-pubkey` - pinned authority public key or pinned authority identity value used by the caller.
- `policy-id` - policy identifier expected by the admission flow.
- `trust-verdict` - runtime trust verdict; must be `PASS` for the Action to proceed beyond preflight checks.
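A sketch of the fail-closed preflight described above, as an added example and not the Action's own code. It assumes the pin is written as `sha256:` followed by 64 hex digits and that the caller holds the authority's key bytes to compare; `preflight`, `pin_for` and the sample key are hypothetical names and constructed values.

```python
import hashlib
import hmac
import re
import sys
from urllib.parse import urlparse

REQUIRED = ("authority-url", "authority-pubkey", "policy-id", "trust-verdict")
PIN_RE = re.compile(r"sha256:[0-9a-f]{64}")  # assumed pin format, not from the page

def pin_for(key_bytes):
    """Build a pin string for key bytes (assumed scheme: SHA-256 over the raw key)."""
    return "sha256:" + hashlib.sha256(key_bytes).hexdigest()

def preflight(inputs, presented_key=None):
    """Return (allowed, reason). Only one path returns True; everything else denies."""
    try:
        for name in REQUIRED:
            value = inputs.get(name)
            if not isinstance(value, str) or not value.strip():
                return False, f"missing input: {name}"
        url = urlparse(inputs["authority-url"])
        if url.scheme != "https" or not url.hostname:
            return False, "authority-url must be an https URL"
        pin = inputs["authority-pubkey"]
        if not PIN_RE.fullmatch(pin):
            return False, "authority-pubkey is not a sha256 pin"
        if inputs["trust-verdict"] != "PASS":  # exact match, case-sensitive
            return False, "trust-verdict is not PASS"
        if presented_key is None:
            return False, "no authority key presented"
        if not hmac.compare_digest(pin_for(presented_key), pin):
            return False, "authority key does not match pin"
        return True, "admitted"
    except Exception as exc:  # an unexpected error must deny, never allow
        return False, f"preflight error: {type(exc).__name__}"

if __name__ == "__main__":
    key = b"constructed-authority-key"  # constructed sample, not a real key
    sample = {
        "authority-url": "https://example-authority.company.tld/admit",
        "authority-pubkey": pin_for(key),
        "policy-id": "ai-secrets-v1",
        "trust-verdict": "PASS",
    }
    allowed, reason = preflight(sample, key)
    print(reason)
    sys.exit(0 if allowed else 1)  # non-zero exit stops the job
```

The placeholder value `sha256:replace-with-pinned-authority-pubkey` from the workflow above is rejected by this check, so a copied but unedited configuration does not proceed.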
For real commercial use above the public GitHub surface, use the canonical inquiry entry:
GitHub is not checkout. The public Action surface is an evaluation / understanding path, not the commercial fulfillment path.
Pre-run policy is necessary. External admission is the stronger boundary.
Platform-native controls improve the executor. External admission separates execution from authority.
If execution can proceed without an external allow decision, the system has policy, but not external admission authority.
No Admission = No Execution.