GitLab CI
Include template
GOVERN provides an official GitLab CI/CD template:

```yaml
include:
  - remote: 'https://raw.githubusercontent.com/archetypal-ai/govern-ci/main/gitlab/govern.gitlab-ci.yml'
```

Basic pipeline

```yaml
include:
  - remote: 'https://raw.githubusercontent.com/archetypal-ai/govern-ci/main/gitlab/govern.gitlab-ci.yml'

variables:
  GOVERN_MODEL: "claude-sonnet-4-20250514"
  GOVERN_TEST_PROMPTS: "tests/govern/prompts.json"
  GOVERN_FAIL_ON: "flag"

stages:
  - test
  - govern
  - deploy

unit-tests:
  stage: test
  script:
    - npm ci && npm test

govern-assessment:
  stage: govern
  extends: .govern-assess
  variables:
    GOVERN_API_KEY: $GOVERN_API_KEY
    GOVERN_ORG_ID: $GOVERN_ORG_ID
```

Manual template (without include)

```yaml
govern-assessment:
  stage: govern
  image: archetypal/govern-cli:latest
  variables:
    GOVERN_API_KEY: $GOVERN_API_KEY
    GOVERN_ORG_ID: $GOVERN_ORG_ID
  script:
    - govern assess --batch-file ${GOVERN_TEST_PROMPTS} --model ${GOVERN_MODEL} --fail-on-flag --output json | tee govern-results.json
  artifacts:
    reports:
      junit: govern-junit.xml
    paths:
      - govern-results.json
    expire_in: 30 days
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == "main"'
```

GitLab Security Dashboard integration
Output results in the GitLab security scanning format:

```yaml
govern-assessment:
  script:
    - govern assess --batch-file tests/govern/prompts.json --output gitlab-security > gl-govern-report.json
  artifacts:
    reports:
      sast: gl-govern-report.json
```

Environment-specific policies

```yaml
govern-staging:
  extends: .govern-assess
  environment: staging
  variables:
    GOVERN_MODE_OVERRIDE: "flag"  # Less strict in staging
  only:
    - develop

govern-production:
  extends: .govern-assess
  environment: production
  variables:
    GOVERN_MODE_OVERRIDE: "block"  # Strict in production
  only:
    - main
```

Variables reference
| Variable | Required | Description |
|---|---|---|
| GOVERN_API_KEY | Yes | GOVERN API key (set in CI/CD variables, masked) |
| GOVERN_ORG_ID | Yes | Organization ID |
| GOVERN_MODEL | Yes | Model ID |
| GOVERN_TEST_PROMPTS | Yes | Path to prompts JSON |
| GOVERN_FAIL_ON | No | block, flag, or never |
| GOVERN_MODE_OVERRIDE | No | Override org policy mode |
Set GOVERN_API_KEY and GOVERN_ORG_ID as masked CI/CD variables in Settings → CI/CD → Variables. Never hardcode these values.
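
A pre-merge check for the rule above, as an added example that is not part of GOVERN's own tooling: it scans a `.gitlab-ci.yml` for `GOVERN_API_KEY` or `GOVERN_ORG_ID` set to a literal instead of a `$VARIABLE` reference. The function name `find_hardcoded`, the sample pipeline and the literal values in it are constructed for illustration; only the scalar `NAME: value` and `NAME=value` forms are checked.

```python
import re
import sys

# Names the page says must come from masked CI/CD variables.
ASSIGN = re.compile(r"\b(GOVERN_API_KEY|GOVERN_ORG_ID)\s*[:=]\s*(\S+)")
# Acceptable value: nothing but a variable reference, $NAME or ${NAME}.
VAR_REF = re.compile(r"\$(?:\{\w+\}|\w+)")

# Constructed sample pipeline; the literal values below are made up.
SAMPLE = """\
govern-assessment:
  stage: govern
  extends: .govern-assess
  variables:
    GOVERN_API_KEY: $GOVERN_API_KEY
    GOVERN_ORG_ID: "org_example_123"   # constructed literal
  script:
    - export GOVERN_API_KEY=constructed-not-a-real-key
    - govern assess --batch-file ${GOVERN_TEST_PROMPTS}
"""


def find_hardcoded(ci_yaml):
    """Return (line_number, variable_name) for each literal assignment."""
    findings = []
    for lineno, line in enumerate(ci_yaml.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        for name, value in ASSIGN.findall(line):
            value = value.strip("\"'")
            if not value or value.startswith("#"):
                continue  # empty value followed by an inline comment
            if not VAR_REF.fullmatch(value):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    # Usage: python check_govern_secrets.py .gitlab-ci.yml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_hardcoded(text)
    for lineno, name in hits:
        print(f"line {lineno}: {name} is a literal; use a masked CI/CD variable")
    sys.exit(1 if hits else 0)
```

Run as an early job or pre-commit hook, the non-zero exit status fails the pipeline before a literal key reaches the default branch.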