Skip to main content
Version: 1.14

Integrating with GitHub Actions


This section describes how you can use GitHub Actions to automate tasks.

The project scaffolding already includes all the GitHub actions you need. You can find the Actions in the .github/workflows/test.yml and .github/workflows/release.yml files.

You can adapt these principles to use a different CI system.


Automation of the unit tests and of the end-to-end tests works out of the box. It uses the jobs defined in .github/workflows/test.yml.


The project scaffolding has a release job in .github/workflows/release.yml.

This job performs the following steps:

  • Checkout code
  • Build the WebAssembly policy
  • Push the policy to an Open Container Initiative (OCI) registry
  • Create a new GitHub Release

To enable the job, adjust the oci-target action input for the reusable workflow (reusable-release-policy-go.yml) called in the release.yml file.

The job acts differently based on the commit that triggered its execution.

Regular commits lead to the creation of an OCI artifact called <policy-name>:latest. A GitHub release isn't created for these commits.

Creating a tag that matches the v* pattern leads to:

  • Creation of an OCI artifact called <policy-name>:<tag>.
  • Creation of a GitHub release named Release <full tag name>. The release includes the assets, the source code of the policy, and the WebAssembly binary.

An example

Assume a policy named safe-labels and that it needs publishing as

The contents of the jobs.push-to-oci-registry.env section of ci.yml should look like:

runs-on: ubuntu-latest
WASM_BINARY_NAME: policy.wasm

Pushing a tag named v0.1.0 leads to the creation and publishing of the OCI artifact called

It creates a GitHub release named Release v0.1.0. The release includes the following assets:

  • Source code compressed as zip and tar.gz
  • A file named policy.wasm; this is the actual WebAssembly policy