Add DriftGuard to GitHub Actions

Fail CI when production dependencies lack DriftGuard watches — start with a non-blocking preview, then enforce on merge.

Prerequisites: A DriftGuard API key (Pro+ for enforce mode), a repository with declared API/MCP dependencies, and the OSS composite actions from kioie/driftguard.

Two-stage rollout

  1. Preview — surface gaps

    drift-coverage-preview logs unwatched URLs without failing the build.

  2. Enforce — gate merges

    drift-coverage fails when coverage is incomplete.

  3. Optional — ToolChange + MockDrift

    Lint MCP manifests and replay agent drift in the same workflow.

Step 1 — Add the API key secret

In GitHub, open Settings → Secrets and variables → Actions and create DRIFTGUARD_API_KEY with your live key from /activate.

Screenshot: GitHub Actions workflow YAML referencing the DriftGuard composite action. Sample workflow YAML — use CI setup wizard for repo-specific YAML.

Step 2 — Preview workflow (non-blocking)

Add a job that scans your repo for external URLs and reports missing watches:

name: DriftGuard coverage
on: [pull_request]

jobs:
  coverage-preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: kioie/driftguard/.github/actions/drift-coverage-preview@v0
        env:
          DRIFTGUARD_API_KEY: ${{ secrets.DRIFTGUARD_API_KEY }}

Or generate a starter workflow from the CI setup wizard — it imports repo scan results and prints the YAML.

Step 3 — Enforce workflow

When preview output is clean, switch to the enforce action:

  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: kioie/driftguard/.github/actions/drift-coverage@v0
        env:
          DRIFTGUARD_API_KEY: ${{ secrets.DRIFTGUARD_API_KEY }}

The job fails with a list of unwatched dependencies and links to create watches in the console.

Screenshot: GitHub PR checks showing DriftGuard coverage failure listing unwatched URLs. Enforce mode — PR check fails with unwatched dependency list (MED-4).

Step 4 — ToolChange manifest lint (optional)

For MCP-heavy repos, export tools.json and lint on every PR:

      - uses: kioie/driftguard/.github/actions/toolchange@v0
        with:
          manifest: path/to/tools.json

Full walkthrough: ToolChange how-to.

Step 5 — MockDrift replay (optional)

Gate agent integration tests with cloud fixtures from a hosted watch:

      - uses: kioie/driftguard/.github/actions/mockdrift@v0
        env:
          DRIFTGUARD_API_KEY: ${{ secrets.DRIFTGUARD_API_KEY }}
        with:
          simulate-drift: YOUR_WATCH_ID
          pytest-args: tests/test_agent_drift.py

See MockDrift how-to for the seven-step guide with screenshots.
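
The steps above assembled into one enforce-stage workflow, as an added example that is not DriftGuard's own file. The action references, inputs and secret name are the ones shown on this page; the file path, the separate job for the optional steps, the `permissions` block, the fork guard and `persist-credentials: false` are assumptions added here for least privilege.

```yaml
# Added example (not DriftGuard's own file). Assumed path: .github/workflows/driftguard.yml
name: DriftGuard coverage
on: [pull_request]

# Assumption: the jobs only read the checked-out code, so GITHUB_TOKEN is read-only.
permissions:
  contents: read

jobs:
  coverage:
    runs-on: ubuntu-latest
    # GitHub does not pass repository secrets to pull_request runs from forks,
    # so run the gate only for branches of this repository.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false  # do not leave the token in .git/config
      # Stage 1 uses drift-coverage-preview here; stage 2 swaps in drift-coverage.
      # @v0 is a tag; pin to a full commit SHA if your policy requires immutable refs.
      - uses: kioie/driftguard/.github/actions/drift-coverage@v0
        env:
          DRIFTGUARD_API_KEY: ${{ secrets.DRIFTGUARD_API_KEY }}

  # Optional steps from Steps 4 and 5, placed in their own job (assumption).
  agent-checks:
    runs-on: ubuntu-latest
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: kioie/driftguard/.github/actions/toolchange@v0
        with:
          manifest: path/to/tools.json
      - uses: kioie/driftguard/.github/actions/mockdrift@v0
        env:
          DRIFTGUARD_API_KEY: ${{ secrets.DRIFTGUARD_API_KEY }}
        with:
          simulate-drift: YOUR_WATCH_ID
          pytest-args: tests/test_agent_drift.py
```

A job skipped by `if:` reports as skipped, which a required status check treats as passing, so pull requests from forks are not gated by this workflow.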

Walkthrough video

Video walkthrough — preview → enforce coverage gate (~5 min)

Next steps

  • CI setup wizard
  • Coverage assert reference
  • GitHub Actions integration (OSS)