CI setup
agentlint init writes this workflow for you. Here's what it does and why there's no secret to manage.
The workflow
name: agentlint
on: [push, pull_request]
permissions:
id-token: write # OIDC — proves the run came from this repo
contents: read
jobs:
agentlint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npx -y @agentlinthq/cli@latest . --pushWhy no secret?
With id-token: write, the CLI fetches a GitHub OIDC JWT scoped to audience=agentlint and sends it alongside the report. The server verifies the token against GitHub's public keys and matches the repository claim to your project. The run lands tagged source=ci, provenance=oidc-verified — cryptographic proof it came from your repo's CI, with no AGENTLINT_TOKEN secret to rotate.
Outside GitHub Actions
Other CI vendors use the project token instead. Mint one on the project page and export it:
AGENTLINT_TOKEN=agl_proj_… npx -y @agentlinthq/cli@latest . --push
Gating merges
The CLI exits 1 when the local score is below 80. On the Pro plan you can also set an org-wide minimum score: when a pushed run falls below it and enforcement is on, the CLI exits 2 — so CI can tell a score regression apart from a policy breach.