CI/CD Workflows

Archodex makes it easy to observe service interactions in CI/CD workflow runs. These workflows often involve service control-plane interactions to create, update, or delete resources through APIs, SDKs, and Infrastructure-as-Code tools.

The Archodex Agent is easily added to GitHub Actions-compatible CI/CD workflows using the archodex-agent-action:

name: Example Workflow
on:
  workflow_dispatch:
env:
  VAULT_ADDR: https://vault.acme.com:8200
jobs:
  build:
    steps:
      - name: Archodex Agent
        uses: archodex/archodex-agent-action@v1
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Retrieve Secrets from Vault
        id: secrets
        uses: hashicorp/vault-action@v3
        with:
          ... <Vault credentials> ...
          secrets: secret/data/db_creds password

- name: Archodex Agent
  uses: archodex/archodex-agent-action@v1
  with:
    # Archodex Report API Key
    # Type: String
    # Default: <unset>
    #
    # Providing a Report API Key enables the Agent to send observed service
    # interactions to an Archodex backend service. The agent will only log
    # observed service interactions if left unset.
    #
    # Example:
    report_api_key: ${{ secrets.ArchodexReportApiKey }}

    # Log Observed Service Interactions
    # Type: Boolean
    # Default: true
    #
    # Use this setting to disable logging of observed service interactions at
    # workflow completion.
    #
    # Example:
    log_report: false

    # Archodex Service Endpoint
    # Type: String (URL)
    # Default: <unset>
    #
    # Use this setting to specify a custom Archodex Service Endpoint. This should
    # only be set when using a self-hosted Archodex account.
    service_endpoint:

    # Enable Built-in Archodex Rulesets
    # Type: Array of Archodex Ruleset IDs
    # Default: []
    #
    # Many built-in rulesets are disabled by default. This setting is used to
    # enable rulesets. See built-in ruleset docs for details on which rulesets
    # are enabled by default.
    #
    # Example:
    enable_rulesets:
      - hashicorp_vault@v1

    # Disable Built-in Archodex Rulesets
    # Type: Array of Archodex Ruleset IDs
    # Default: []
    #
    # Some built-in rulesets are enabled by default. This setting is used to
    # override and disable these rulesets. See built-in ruleset docs for details
    # on which rulesets are enabled by default.
    #
    # Example:
    disable_rulesets:
      - github_actions@v1

    # Use additional rulesets from paths or URLs
    # Type: Array of file paths or URLs
    # Default: []
    #
    # Use this setting to extend Archodex Agent instrumentation by providing
    # additional Rulesets.
    #
    # Example:
    additional_rulesets:
      - archodex/internal_db_service.yaml
      - https://gist.githubusercontent.com/acme/b62773ab7cc817d9d55e2c76c5477715/raw/acme_dns_service.yaml

    # Provide values for Ruleset Inputs
    # Type: Map of Ruleset IDs to Input/Value maps
    # Default: {}
    #
    # Use this setting to provide input values for Rulesets. Note that many
    # values may already be captured through environment variables. Values
    # specified here take precedence over values from environment variables.
    ruleset_input:
      hashicorp_vault@v1:
        VaultAddr: vault.acme.com

The Archodex Agent is easy to use in any CI/CD workflow. Simply follow the instructions for other environments to start the Archodex Agent in a container running in the background of your workflow execution. Ensure the Archodex Agent container is properly shut down at the end of the workflow so that it sends the final report of observed service interactions. This may or may not occur automatically on different CI/CD systems.
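
One way to guarantee that shutdown on a CI system that does not do it for you, as an added example that is not Archodex's own code: a POSIX shell wrapper that starts the container, runs the job command, and always stops the container gracefully, even when the command fails or the job is cancelled. `AGENT_IMAGE`, `AGENT_RUN_ARGS`, the script name `with-agent.sh` and the function names are placeholders assumed here; the real image and run options come from the instructions for other environments.

```shell
#!/bin/sh
# Added example (not Archodex code): keep a background agent container alive
# for one CI command and always stop it gracefully afterwards.
# Assumptions: AGENT_IMAGE and AGENT_RUN_ARGS are placeholders; take the real
# values from the vendor's container instructions.
DOCKER="${DOCKER:-docker}"                 # overridable, e.g. for a dry run
AGENT_IMAGE="${AGENT_IMAGE:-REPLACE_WITH_AGENT_IMAGE}"
AGENT_RUN_ARGS="${AGENT_RUN_ARGS:-}"       # extra `docker run` options, if any
AGENT_NAME="${AGENT_NAME:-ci-agent-$$}"
STOP_GRACE_SECONDS="${STOP_GRACE_SECONDS:-30}"

start_agent() {
  # -d detaches, so the container runs behind the rest of the job.
  # AGENT_RUN_ARGS is deliberately unquoted so it splits into options.
  "$DOCKER" run -d --name "$AGENT_NAME" $AGENT_RUN_ARGS "$AGENT_IMAGE" >/dev/null
}

stop_agent() {
  # `docker stop` sends SIGTERM and waits up to the grace period before
  # SIGKILL, which gives the agent time to send or log its final report.
  "$DOCKER" stop -t "$STOP_GRACE_SECONDS" "$AGENT_NAME" >/dev/null 2>&1 || true
  # Surface the tail of the agent's output in the job log, then clean up.
  "$DOCKER" logs "$AGENT_NAME" 2>&1 | tail -n 50 || true
  "$DOCKER" rm -f "$AGENT_NAME" >/dev/null 2>&1 || true
}

# run_with_agent CMD [ARGS...]: runs CMD with the agent in the background and
# returns CMD's exit status. The body is a subshell so the traps stay local.
run_with_agent() (
  start_agent || { echo "agent container did not start" >&2; exit 125; }
  trap stop_agent EXIT        # runs on success, failure, and the exits below
  trap 'exit 130' INT         # cancelled job: convert the signal into an exit
  trap 'exit 143' TERM
  rc=0
  "$@" || rc=$?
  exit "$rc"
)

# Used as a wrapper script: ./with-agent.sh ./deploy.sh
if [ "$#" -gt 0 ]; then
  run_with_agent "$@"
fi
```

The wrapper fails closed: if the container cannot start it returns 125 without running the job command, so a run is never silently unobserved.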