
kolm in CI.

Three reference workflows: verify-on-PR, release-with-binder, and scheduled re-verify. Together they wire kolm into an existing GitHub repo: the first blocks merges on K-score regression and posts receipts as PR comments, the second ships the signed artifact, its receipt and a binder PDF with every release, and the third re-runs the verifier against everything you have already shipped.

Runner: ubuntu-22.04
Verifier: offline
Min minutes: 2

Workflow 1 . verify on PR

Block merges on K-score regression.

Drop this in `.github/workflows/kolm-verify.yml`. When someone opens a PR that touches a recipe, the workflow compiles, signs, verifies, and comments the receipt on the PR. If any artifact misses its K-score floor, `kolm verify` exits non-zero and the job fails; make the `verify` job a required status check in branch protection, otherwise a red check is only advisory and the merge button stays enabled.

name: kolm verify
on:
  pull_request:
    paths: ['recipes/**']

# Least privilege: the job only reads the checkout and writes one PR comment.
permissions:
  contents: read
  pull-requests: write

jobs:
  verify:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: '20' }
      - run: npm install -g kolm
      - name: compile + verify
        env:
          KOLM_API_KEY: ${{ secrets.KOLM_API_KEY }}
        run: |
          shopt -s nullglob   # a PR that deletes the last recipe must not loop over a literal glob
          mkdir -p artifacts
          for r in recipes/*.recipe.json; do
            base=$(basename "$r" .recipe.json)
            kolm compile --from "$r" --out "artifacts/${base}.kolm"
            kolm verify "artifacts/${base}.kolm"   # non-zero exit fails the job, and with it the check
          done
      - uses: actions/github-script@v7
        if: always()   # post whatever receipts exist, even when a verify failed
        with:
          script: |
            const fs = require('fs');
            const receipts = fs.readdirSync('artifacts').filter(f => f.endsWith('.receipt.json'));
            const body = receipts.map(r => {
              const j = JSON.parse(fs.readFileSync(`artifacts/${r}`, 'utf8'));
              return `**${r}** . K=${j.k_score} . CID \`${j.cid}\``;
            }).join('\n');
            // an empty body is rejected by the API, so only comment when there is something to report
            if (body) await github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body });

Workflow 2 . release with binder

Ship a one-page audit PDF with every release.

On a GitHub release event, attach the .kolm, the receipt, and a single-page binder PDF that lists CID + recipe + base model + K-score. The PDF is the artifact your auditor signs.

name: kolm release
on:
  release:
    types: [published]

# Uploading release assets needs write access to repository contents; nothing else is required.
permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g kolm
      - name: compile + sign + bind
        env:
          KOLM_API_KEY: ${{ secrets.KOLM_API_KEY }}
        run: |
          shopt -s nullglob
          mkdir -p out
          for r in recipes/*.recipe.json; do
            base=$(basename "$r" .recipe.json)
            kolm compile --from "$r" --out "out/${base}.kolm"
            kolm verify "out/${base}.kolm" --binder "out/${base}.binder.pdf"
          done
      - uses: softprops/action-gh-release@v2
        with:
          files: |
            out/*.kolm
            out/*.receipt.json
            out/*.binder.pdf

Workflow 3 . scheduled re-verify

Re-verify every shipped artifact on a schedule.

Quarterly cron (04:00 UTC on the 1st of January, April, July and October, with a manual trigger via `workflow_dispatch`) that re-runs `kolm verify` against every artifact under `releases/`. If a verifier-side change ever rejects an artifact you previously shipped, you find out before your auditor does.

name: kolm reverify
on:
  schedule: [{ cron: '0 4 1 */3 *' }]   # 04:00 UTC on the 1st of Jan, Apr, Jul, Oct
  workflow_dispatch: {}

permissions:
  contents: read

jobs:
  reverify:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g kolm
      - run: |
          shopt -s globstar nullglob   # bash only recurses on `**` with globstar set
          failed=()
          for art in releases/**/*.kolm; do
            kolm verify "$art" || failed+=("$art")   # keep going: report every rejection, not just the first
          done
          if (( ${#failed[@]} )); then
            printf 'FAIL: %s\n' "${failed[@]}" >&2
            exit 1
          fi
Checkpoint: if the verifier rejects an old artifact, that is the moment to investigate, before the artifact ever reaches an auditor or a customer.