CI/CD Integration
How to run TameFlare-governed agents in CI/CD pipelines. The proxy model works in any environment that supports HTTP_PROXY — GitHub Actions, GitLab CI, Jenkins, CircleCI, etc.
GitHub Actions example
name: Agent test with TameFlare
on: [push]
jobs:
test-agent:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: '1.22'
- name: Install TameFlare
run: |
git clone https://github.com/tameflare/tameflare.git /tmp/TameFlare
cd /tmp/TameFlare && pnpm install
- name: Start control plane
run: |
cd /tmp/TameFlare
pnpm dev &
# Wait for control plane
until curl -sf http://localhost:3000/api/health > /dev/null; do sleep 1; done
- name: Initialize gateway
run: |
cd /tmp/TameFlare
npx tf init
- name: Configure connectors
env:
GITHUB_TOKEN: ${{ secrets.AGENT_GITHUB_TOKEN }}
run: |
cd /tmp/TameFlare
npx tf connector add github --token-env GITHUB_TOKEN
npx tf permissions set \
--gateway "CI Bot" \
--connector github \
--action "github.issue.*" \
--decision allow
- name: Run agent through TameFlare
run: |
cd /tmp/TameFlare
npx tf run --name "CI Bot" python ${{ github.workspace }}/my_agent.py
- name: Check results
run: |
cd /tmp/TameFlare
npx tf logs --last 20Tip
Store connector API tokens as GitHub Actions secrets. Use
--token-env to read them without exposing in shell history or logs.Docker-based CI
If your CI environment uses Docker, run TameFlare as a sidecar:
# docker-compose.ci.yml
services:
TameFlare-web:
build: ./apps/web
ports: ["3000:3000"]
environment:
- SIGNING_KEY_PRIVATE=${SIGNING_KEY_PRIVATE}
- SIGNING_KEY_PUBLIC=${SIGNING_KEY_PUBLIC}
healthcheck:
test: ["CMD", "curl", "-sf", "http://localhost:3000/api/health"]
interval: 5s
retries: 10
TameFlare-gateway:
build: ./apps/gateway-v2
ports: ["9443:9443"]
environment:
- CONTROL_PLANE_URL=http://TameFlare-web:3000
depends_on:
TameFlare-web:
condition: service_healthy
agent:
build: ./my-agent
environment:
- HTTP_PROXY=http://TameFlare-gateway:9443
- HTTPS_PROXY=http://TameFlare-gateway:9443
- SSL_CERT_FILE=/certs/ca.crt
depends_on:
- TameFlare-gateway
volumes:
- ./certs:/certs:roEphemeral container pattern
For short-lived CI jobs, use a disposable TameFlare instance:
#!/bin/bash
# ci-agent-test.sh
# 1. Start TameFlare in background
pnpm dev &
AAF_PID=$!
until curl -sf http://localhost:3000/api/health > /dev/null; do sleep 0.5; done
# 2. Initialize and configure
npx tf init
npx tf connector add github --token-env GITHUB_TOKEN
npx tf permissions set --gateway "CI" --connector github --action "github.*" --decision allow
# 3. Run agent
npx tf run --name "CI" python my_agent.py
EXIT_CODE=$?
# 4. Collect logs
npx tf logs --last 50 > TameFlare-traffic.log
# 5. Cleanup
kill $AAF_PID
exit $EXIT_CODEKey considerations
Health check before running agents
Always wait for both the control plane and gateway to be ready:
# Control plane
until curl -sf http://localhost:3000/api/health > /dev/null; do sleep 0.5; done
# Gateway
until curl -sf http://localhost:9443/health > /dev/null; do sleep 0.5; doneEphemeral signing keys
In CI, you typically don't need persistent ES256 signing keys. Auto-generated ephemeral keys are fine since the instance is short-lived. For production CI (long-running agents), set SIGNING_KEY_PRIVATE and SIGNING_KEY_PUBLIC.
Action limits in CI
CI runs count toward your action limit. For high-volume CI pipelines, consider:
- Using the Starter tier's 1,000 actions/month for testing
- Upgrading to Pro (10,000 actions/month) for production CI
- Using
monitorenforcement level in CI to log without blocking
Artifact collection
Save tf logs as CI artifacts for debugging:
# GitHub Actions
- name: Upload tf logs
if: always()
uses: actions/upload-artifact@v4
with:
name: TameFlare-logs
path: /tmp/TameFlare/.TameFlare/gateway.dbNext steps
- Quick Start — local setup guide
- Architecture — deployment topologies
- Environment Variables — configuration reference