Integration

CI / CD integration

Wire CodeLedger into your GitHub Actions workflow to get risk signals, drift detection, and evidence gap warnings on every pull request — automatically.

Quick setup

One command generates the workflow files for your repo:

npx codeledger setup-ci

This writes .github/workflows/codeledger.yml, a workflow that posts an annotated PR comment on every pull request. Manual setup is below if you prefer to control the YAML directly.

What PR check emits

codeledger ci pr-check derives three deterministic signals from the PR diff — no LLMs, no sampling.

Risk: Low · Medium · High
Additive point model across 11 risk drivers (auth, shared core, migrations, CI/deploy, etc.)

Drift: None · Detected
Bypassed shared wrappers, layer violations, contract shape shifts, forbidden dependencies.

Evidence Gaps: None · Detected
Production changes without tests, missing contract validation, uncovered failure branches.

Example PR comment:

🛡️ CodeLedger Review

Risk: Medium
Drift: None
Evidence Gaps: Detected

Suggested focus:
- Validate new rate-limit middleware has integration test coverage
- Check timeout is set on the outbound Redis call added in gateway.ts
- Review shared auth helper bypass in session.ts:142

Why this matters:
- Production change without test coverage creates regression risk
- Outbound calls without timeouts can cascade under load

Optional details:
- Risk drivers: auth_surface_touched, shared_core
- Drift signals: none
- Evidence gaps: missing_test_coverage, uncovered_failure_branch

GitHub Actions workflow

# .github/workflows/codeledger.yml
name: CodeLedger Review

on:
  pull_request:
    branches: [main, develop]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: read

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Run CodeLedger PR review
        run: |
          npx codeledger ci pr-check \
            --base ${{ github.base_ref }} \
            --head ${{ github.sha }} \
            --comment-file /tmp/codeledger-comment.md

      - name: Post PR comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: codeledger-pr-review-intel
          path: /tmp/codeledger-comment.md

ℹ️ The sticky-pull-request-comment action upserts the comment on every push — one comment per PR, always up to date.

Blocking mode

By default, pr-check is advisory — it posts a comment but never fails the check. To block merges when risk is High or evidence gaps are detected, add --mode block:

      - name: Run CodeLedger PR review (blocking)
        run: |
          npx codeledger ci pr-check \
            --mode block \
            --use-test-map

⚠️ Enable blocking mode only after you have triaged your baseline, so legacy PRs don't get incorrectly blocked on their first run.

Audit CI

codeledger audit runs evidence-driven implementation checks. Add it as a separate job that posts a sticky verdict comment:

      - name: Run CodeLedger audit
        run: |
          npx codeledger audit \
            --scope cli-surface \
            --fail-on fail \
            --pr-comment \
            --out /tmp/audit-comment.md

--fail-on fail exits with code 20 on a FAIL verdict. Use --fail-on partial to also block on PARTIAL.

Customise risk thresholds

Add a .codeledger/risk-config.json to extend the default categories or override point thresholds:

{
  "version": "codeledger/risk-config/v1",
  "categories": {
    "auth": ["packages/billing-auth/"],
    "shared_core": ["packages/payments-shared/"]
  },
  "thresholds": { "low_max": 2, "medium_max": 6 }
}
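The additive point model, path categories, thresholds and blocking rule described above, worked through as an added JavaScript example. This is not CodeLedger's own code: the config is a constructed sample in the shape shown, and the per-driver point weights are an assumption, since the page does not document the real ones.

```javascript
// Constructed risk config in the shape of .codeledger/risk-config.json above.
const RISK_CONFIG = {
  version: "codeledger/risk-config/v1",
  categories: {
    auth: ["packages/billing-auth/"],
    shared_core: ["packages/payments-shared/"],
    migrations: ["db/migrations/"],
  },
  thresholds: { low_max: 2, medium_max: 6 },
};

// ASSUMED points per driver for this illustration (not CodeLedger's weights).
const DRIVER_POINTS = { auth: 3, shared_core: 2, migrations: 3 };

// Reject thresholds that could never produce a Medium band.
function validateConfig(cfg) {
  const { low_max, medium_max } = cfg.thresholds;
  if (!Number.isInteger(low_max) || !Number.isInteger(medium_max) ||
      low_max < 0 || low_max >= medium_max) {
    throw new Error("thresholds must satisfy 0 <= low_max < medium_max");
  }
}

// Map changed paths to risk drivers by path-prefix match against categories.
function driversForFiles(cfg, changedFiles) {
  const hit = new Set();
  for (const file of changedFiles) {
    for (const [category, prefixes] of Object.entries(cfg.categories)) {
      if (prefixes.some((p) => file.startsWith(p))) hit.add(category);
    }
  }
  return [...hit].sort();
}

// Sum driver points and bucket them with the configured thresholds.
function riskLevel(cfg, drivers) {
  validateConfig(cfg);
  const points = drivers.reduce((sum, d) => sum + (DRIVER_POINTS[d] ?? 0), 0);
  const { low_max, medium_max } = cfg.thresholds;
  const level = points <= low_max ? "Low" : points <= medium_max ? "Medium" : "High";
  return { points, level };
}

// Blocking mode fails on High risk or detected evidence gaps; advisory never blocks.
function shouldBlock(mode, level, evidenceGapsDetected) {
  return mode === "block" && (level === "High" || evidenceGapsDetected);
}
```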