Workflow
This is the GitHub Actions layer, not warden.toml. warden.toml controls
which skills run and how findings are reported. The workflow controls when
GitHub starts Warden, which credentials are available, and which action inputs
are passed.
warden init generates a split analyze/report starter workflow. Add a GitHub App
token step immediately before reporting when you want branded comments.
Note that on pull_request runs triggered from a fork, GitHub withholds
repository secrets and limits GITHUB_TOKEN to read access regardless of the
permissions block, so the model keys in the env block below are only available
to pull requests from branches in the same repository.
```yaml
name: Warden

permissions:
  contents: write
  pull-requests: write
  checks: write

on:
  pull_request:
    types: [opened, synchronize, reopened, labeled]

env:
  WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}
  WARDEN_OPENAI_API_KEY: ${{ secrets.WARDEN_OPENAI_API_KEY }}
  WARDEN_ANTHROPIC_API_KEY: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }}

jobs:
  warden:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Analyze
        id: warden-analyze
        uses: getsentry/warden@v0
        with:
          mode: analyze
      - name: Report
        uses: getsentry/warden@v0
        with:
          mode: report
          findings-file: ${{ steps.warden-analyze.outputs.findings-file }}
```
Global Workflow With Layered Config
Put the workflow file in your org .github repository to run Warden everywhere
with one mandatory workflow definition. Add the second checkout when you want a
shared base warden.toml.
```yaml
name: Warden

permissions:
  contents: write
  pull-requests: write
  checks: write

on:
  pull_request:
    types: [opened, synchronize, reopened, labeled]

env:
  WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}
  WARDEN_OPENAI_API_KEY: ${{ secrets.WARDEN_OPENAI_API_KEY }}
  WARDEN_ANTHROPIC_API_KEY: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }}

jobs:
  warden:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout target repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Checkout org GitHub repo
        uses: actions/checkout@v4
        with:
          repository: ${{ github.repository_owner }}/.github
          path: .warden-org
      - name: Analyze
        id: warden-analyze
        uses: getsentry/warden@v0
        with:
          mode: analyze
          base-config-path: .warden-org/warden.toml
          base-skill-root: .warden-org
      - name: Report
        uses: getsentry/warden@v0
        with:
          mode: report
          findings-file: ${{ steps.warden-analyze.outputs.findings-file }}
          base-config-path: .warden-org/warden.toml
          base-skill-root: .warden-org
```
The first checkout is the repository being reviewed. The second checkout
provides the org-wide base config and local shared skills.
If the target repo also has a root warden.toml, Warden loads it in the same
run. Repo-local config can add skills and repo-local defaults, but it does not
weaken org-enforced base skills.
Split Analyze and Report
The recommended workflow runs analysis and reporting as separate action steps.
This keeps long analysis runs from holding GitHub write credentials. GitHub App
installation tokens expire after 1 hour, and a long analysis run can outlive a
token that was created before Warden starts.
Use mode: analyze first. It runs skills and writes a structured findings file
without creating checks, posting comments, or resolving stale comments. Then
create the GitHub App token and run mode: report against that findings file.
Split modes are only supported for pull request workflows. Report mode reloads
warden.toml, applies the report step's current reporting settings, creates
completed checks, and posts comments.
```yaml
jobs:
  warden:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Analyze
        id: warden-analyze
        uses: getsentry/warden@v0
        with:
          mode: analyze
      - name: Create Warden app token
        id: warden-token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.WARDEN_APP_ID }}
          private-key: ${{ secrets.WARDEN_PRIVATE_KEY }}
      - name: Report
        uses: getsentry/warden@v0
        with:
          mode: report
          findings-file: ${{ steps.warden-analyze.outputs.findings-file }}
          github-token: ${{ steps.warden-token.outputs.token }}
```
If you use config-path, base-config-path, base-skill-root, or action-level
reporting inputs such as fail-on, report-on, request-changes,
fail-check, or max-findings, pass the intended values to the report step.
Report mode reads config again from the checkout and applies the report step's
inputs; the findings file does not store a copy of warden.toml.
Required Status Checks
If Warden is a required status check, require the core warden check or a
per-skill check like warden: security-review.
Keep workflow-level paths and paths-ignore filters off required Warden
workflows. If a path filter prevents the workflow from starting, the required
check never reports and the pull request stays blocked. Let Warden start, then
let warden.toml decide which triggers match.
For each configured pull request trigger, Warden creates a check run. Triggers
that do not actually run for the current event complete as neutral, so they
do not block a required check.
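As an added check, the following Python lints a workflow for the split analyze/report pattern and the required-check guidance above. It is example code written for this page, not part of Warden. It verifies that the report step receives the same config-path, base-config-path and base-skill-root values as the analyze step, reads findings-file from the analyze step's output, that any actions/create-github-app-token step sits between analyze and report and feeds the report step's github-token, that the write permissions are declared, and that the pull_request trigger carries no paths or paths-ignore filter. The workflow is represented as the dict that PyYAML's yaml.safe_load would return (loading from disk is left to the caller so the script has no dependencies), and the two sample workflows are constructed here, mirroring the docs' examples.

```python
"""Lint a Warden pull-request workflow for the split analyze/report pattern.

Example code written for this page, not part of Warden. The workflow dict is
the shape PyYAML's yaml.safe_load produces for a workflow file.
"""
import copy

# Report mode re-reads config, so these inputs must reach the report step too.
CONFIG_INPUTS = ("config-path", "base-config-path", "base-skill-root")
WARDEN_ACTION = "getsentry/warden@"
TOKEN_ACTION = "actions/create-github-app-token@"
REQUIRED_PERMS = {"contents": "write", "pull-requests": "write", "checks": "write"}


def warden_steps(steps, mode):
    """Return (index, step) pairs of getsentry/warden steps running in `mode`."""
    return [(i, s) for i, s in enumerate(steps)
            if str(s.get("uses", "")).startswith(WARDEN_ACTION)
            and (s.get("with") or {}).get("mode") == mode]


def lint(workflow):
    """Return a list of human-readable problems; an empty list means it passes."""
    problems = []
    perms = workflow.get("permissions") or {}
    for scope, level in REQUIRED_PERMS.items():
        if perms.get(scope) != level:
            problems.append(f"permissions.{scope} should be {level}")
    # YAML 1.1 loaders (PyYAML) read the `on:` key as the boolean True.
    triggers = workflow.get("on", workflow.get(True)) or {}
    pr = triggers.get("pull_request") if isinstance(triggers, dict) else None
    if isinstance(pr, dict):
        for key in ("paths", "paths-ignore"):
            if key in pr:
                problems.append(f"pull_request.{key} filter would leave a required check stuck")
    for job_name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        analyzes, reports = warden_steps(steps, "analyze"), warden_steps(steps, "report")
        if not analyzes or not reports:
            continue  # single-mode (mode: run) workflows are out of scope here
        a_idx, analyze = analyzes[0]
        a_with = analyze.get("with") or {}
        tokens = [i for i, s in enumerate(steps) if str(s.get("uses", "")).startswith(TOKEN_ACTION)]
        for r_idx, report in reports:
            r_with = report.get("with") or {}
            expected = f"${{{{ steps.{analyze.get('id')}.outputs.findings-file }}}}"
            if analyze.get("id") is None or r_with.get("findings-file") != expected:
                problems.append(f"{job_name}: report step should read findings-file from the analyze step")
            for key in CONFIG_INPUTS:  # report mode re-reads config from these inputs
                if key in a_with and r_with.get(key) != a_with[key]:
                    problems.append(f"{job_name}: report step is missing {key}={a_with[key]!r}")
            for t_idx in tokens:
                token_ref = f"${{{{ steps.{steps[t_idx].get('id')}.outputs.token }}}}"
                if not (a_idx < t_idx < r_idx):  # minted too early: may expire during analysis
                    problems.append(f"{job_name}: app token step must run after analyze and before report")
                elif r_with.get("github-token") != token_ref:
                    problems.append(f"{job_name}: report step does not use the app token")
    return problems


# Constructed sample mirroring the docs' split workflow, with an org base config added.
GOOD = {
    "name": "Warden",
    "permissions": {"contents": "write", "pull-requests": "write", "checks": "write"},
    "on": {"pull_request": {"types": ["opened", "synchronize", "reopened", "labeled"]}},
    "jobs": {"warden": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"name": "Analyze", "id": "warden-analyze", "uses": "getsentry/warden@v0",
         "with": {"mode": "analyze", "base-config-path": ".warden-org/warden.toml"}},
        {"name": "Create Warden app token", "id": "warden-token",
         "uses": "actions/create-github-app-token@v3",
         "with": {"app-id": "${{ secrets.WARDEN_APP_ID }}",
                  "private-key": "${{ secrets.WARDEN_PRIVATE_KEY }}"}},
        {"name": "Report", "uses": "getsentry/warden@v0",
         "with": {"mode": "report", "base-config-path": ".warden-org/warden.toml",
                  "findings-file": "${{ steps.warden-analyze.outputs.findings-file }}",
                  "github-token": "${{ steps.warden-token.outputs.token }}"}},
    ]}},
}

# Constructed sample with the mistakes the docs warn about.
BAD = copy.deepcopy(GOOD)
BAD["permissions"].pop("checks")                       # no checks: write
BAD["on"]["pull_request"]["paths"] = ["src/**"]        # path filter on a required workflow
_steps = BAD["jobs"]["warden"]["steps"]
_steps[3]["with"].pop("base-config-path")              # report step loses the base config
_steps.insert(1, _steps.pop(2))                        # token minted before analysis starts

if __name__ == "__main__":
    for label, wf in (("good", GOOD), ("bad", BAD)):
        print(label, lint(wf) or "ok")
```

Run it against a real file with `lint(yaml.safe_load(open(".github/workflows/warden.yml")))`; the `on` key note in lint() is why it also accepts a True key.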
Action Inputs
mode - Action mode. Default: run for compatibility. New pull request workflows should use analyze and report to split analysis from GitHub write reporting.
findings-file - Structured findings file to read in mode: report. Usually the findings-file output from the analyze step.
github-token - GitHub token for posting comments. Default: GITHUB_TOKEN.
anthropic-api-key - Anthropic API key input. Prefer the WARDEN_ANTHROPIC_API_KEY env for new workflows.
base-config-path - Path to a base warden.toml loaded before repo config.
base-skill-root - Repo root containing local shared skills used by the base config.
config-path - Path to the repo-local config. Default: warden.toml.
fail-on - Minimum severity to fail the check.
report-on - Minimum severity to post comments.
max-findings - Maximum findings to report. Default: 50.
request-changes - Whether to request changes on PR reviews. Default: false.
fail-check - Whether to fail the check run. Default: false.
parallel - Maximum concurrent matched trigger executions and file analyses unless runner.concurrency is set. Default: 5.