Every pull request that touches a RepoKernel-governed repo can be automatically validated before merge. The official rk-validate composite GitHub Action installs Node 20 and repokernel, runs rk validate, posts a sticky PR comment with severity counts, emits inline file annotations on every finding, and uploads the full JSON findings as a workflow artifact. Repos without repokernel.config.yaml are skipped gracefully — the action exits neutral, so you can add it to an org-wide reusable workflow without blocking teams that haven’t adopted RepoKernel yet.
Quick start
1. Add the workflow file
Create .github/workflows/repokernel.yml in your repository:
That’s the complete workflow. The action handles Node setup and repokernel installation itself — no matrix, no separate toolchain step.
2. Set permissions
The pull-requests: write permission is required to post and update the sticky PR comment. If you set comment-on-pr: false, you can drop that permission and keep only contents: read.
3. Pin versions for reproducibility
Pin both the action ref and the version input together so upgrades are explicit and auditable. See the Pinning section for the exact syntax.
Inputs
| Input | Default | Purpose |
|---|---|---|
| fail-on | P0,P1 | Severity threshold for failure. A comma-separated list collapses to its least-severe level. Use P0 for warn-only, P0,P1,P2 for strict. |
| working-directory | . | Directory containing repokernel.config.yaml. Set when RepoKernel governs a sub-tree. Must resolve under GITHUB_WORKSPACE. |
| version | latest | npm version of repokernel. Pin to a specific release (e.g. 1.33.1) for reproducible CI. |
| json-artifact | true | Upload rk-findings.json as a workflow artifact (14-day retention). |
| comment-on-pr | true | Post a sticky comment with severity counts and the first 25 findings. Requires pull-requests: write. |
| treat-runtime-as | failure | How to treat EXIT_RUNTIME (2) — a tool or environment crash, not a project-state breach. failure blocks the PR; neutral exits 0 with stderr surfaced in the step summary. |
Outputs
| Output | Description |
|---|---|
| exit-code | 0 on success or skip; 1 on findings breach; 2 on runtime error. |
| findings-json | Path to rk-findings.json (empty string when skipped). |
Behavior matrix
| Repo state | rk validate exit | Action result |
|---|---|---|
| repokernel.config.yaml absent | not run | Neutral exit 0; skip message in summary; no comment; no artifact |
| Validate runs cleanly | 0 | Exit 0; “OK” summary and comment |
| Validate finds breaches | 1 | Exit 1; GitHub annotations; summary table; PR comment |
| Validate fails to run | 2 | Exit 2; stderr in summary. Set treat-runtime-as: neutral to convert to neutral exit 0. |
Pinning
Pin both the action ref and the version input:
Required permissions
| Permission | Why |
|---|---|
| contents: read | Read the PR’s file tree. |
| pull-requests: write | Post and update the sticky PR comment. Only required when comment-on-pr: true (the default). |
Using the exit code in downstream steps
The action already exits non-zero on EXIT_FINDINGS, so most workflows don’t need to inspect exit-code directly. It’s useful when you want to chain additional reporting — for example, uploading findings to a SARIF dashboard:
Self-hosting and forks
The action is a single composite YAML — no marketplace listing, nothing to compile, nothing to publish. Point uses: at any fork or feature branch directly:
Alternative for non-GitHub CI
If you’re running on GitLab CI, Jenkins, CircleCI, or another platform, the equivalent invocation is:
Exit codes: 0 clean, 1 findings breach, 2 runtime error. See the action source for a complete working reference.
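For a non-GitHub CI, the part of the action that is easy to get subtly wrong is the fail-on collapse and the exit-code mapping from the behavior matrix above. The following Python is an added example, not the action's or repokernel's own code: it reproduces that logic over a constructed stand-in for rk-findings.json, assuming each finding carries severity, file, line and message keys (the page only promises file and line), and assuming breaching findings are annotated as errors and the rest as warnings.

```python
"""Added example: fail-on collapse, severity counts, breach check, inline annotations
and exit-code mapping as rk-validate applies them, for another CI. Finding field
names beyond `file` and `line` are an assumption, not the documented schema."""
from collections import Counter

# P0 is the most severe level; list order drives the threshold collapse.
SEVERITIES = ["P0", "P1", "P2"]

# Constructed stand-in for the parsed contents of rk-findings.json.
SAMPLE_FINDINGS = [
    {"severity": "P0", "file": "repokernel.config.yaml", "line": 3, "message": "owner missing"},
    {"severity": "P1", "file": "docs/ARCHITECTURE.md", "line": 12, "message": "stale reference"},
    {"severity": "P2", "file": "README.md", "line": 1, "message": "title drift"},
]

def collapse_fail_on(fail_on):
    """'P0,P1' collapses to its least-severe member, 'P1'; 'P0' keeps P0 only."""
    levels = [s.strip().upper() for s in fail_on.split(",") if s.strip()]
    if not levels or any(s not in SEVERITIES for s in levels):
        raise ValueError(f"bad fail-on value: {fail_on!r}")
    return max(levels, key=SEVERITIES.index)

def severity_counts(findings):
    """Per-level counts for a summary line; every level is listed, even at zero."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}

def breaches(findings, fail_on):
    """Findings at or above the collapsed threshold; any of these means exit 1."""
    limit = SEVERITIES.index(collapse_fail_on(fail_on))
    return [f for f in findings if SEVERITIES.index(f["severity"]) <= limit]

def annotation(finding, breaching):
    """GitHub workflow-command annotation; breaching findings become errors (assumed)."""
    msg = finding["message"].replace("%", "%25").replace("\n", "%0A")
    level = "error" if breaching else "warning"
    return f"::{level} file={finding['file']},line={finding['line']}::[{finding['severity']}] {msg}"

def action_exit_code(rk_exit, config_present=True, treat_runtime_as="failure"):
    """Behavior matrix: no config -> 0; 1 -> 1; 2 -> 2, or 0 with treat-runtime-as: neutral."""
    if not config_present:
        return 0
    if rk_exit == 2 and treat_runtime_as == "neutral":
        return 0
    return rk_exit
```

Wire it in after rk validate has run: pass the real exit status to action_exit_code and, if the findings file exists, print one annotation per finding and exit 1 when breaches() is non-empty.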
Known limitations
- No per-rule overrides yet. A single fail-on threshold applies to the whole report. Per-rule severity overrides are on the product backlog.
- Best-effort line annotations. JSON findings include file and a stable line fallback when the source file is available. Some project-level findings still point at the nearest owning file rather than an exact field.
- Public npm install per run. The action installs repokernel from npm on every run — there is no Docker image. For air-gapped CI, fork the action and replace the install step with a private mirror.