$ agentlint

CI setup

agentlint init writes this workflow for you. Here's what it does and why there's no secret to manage.

The workflow

name: agentlint
on: [push, pull_request]

permissions:
  id-token: write   # OIDC — proves the run came from this repo
  contents: read

jobs:
  agentlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx -y @agentlinthq/cli@latest . --push

Why no secret?

With id-token: write, the CLI fetches a GitHub OIDC JWT scoped to audience=agentlint and sends it alongside the report. The server verifies the token against GitHub's public keys and matches the repository claim to your project. The run lands tagged source=ci, provenance=oidc-verified — cryptographic proof it came from your repo's CI, with no AGENTLINT_TOKEN secret to rotate.

Outside GitHub Actions

Other CI vendors use the project token instead. Mint one on the project page and export it:

AGENTLINT_TOKEN=agl_proj_… npx -y @agentlinthq/cli@latest . --push

Gating merges

The CLI exits 1 when the local score is below 80. On the Pro plan you can also set an org-wide minimum score: when a pushed run falls below it and enforcement is on, the CLI exits 2 — so CI can tell a score regression apart from a policy breach.

CI setup — agentlint docs