ProbityGitHub Actions

Integration · GitHub Actions

Prove what agents did in your GitHub Actions runners.

Your team runs agents and automation in GitHub Actions self-hosted runners. Probity wraps each job in a per-task microVM and signs a tamper-evident record of every action, collected from outside the job's reach and kept long after Actions' 90-day logs expire, in the SIEM your security team already runs.

Works with GitHub Actions self-hosted runners. GitHub's self-hosted runner docs ↗

The problem

Agents in your runners can do anything a job can.

Self-hosted runners execute workflow jobs, including coding-agent steps, on machines you manage, with the job's secrets and network access. And GitHub keeps those logs for only 90 days.

A job can reach every secret and system the workflow can.

Agent steps run with full job permissions on your runners.

Actions logs are gone in 90 days, and are the agent's own account.

How it integrates

Wrap your self-hosted runner jobs in Probity.

Grounded in the vendor's own documentation, not a bolt-on. GitHub's self-hosted runner docs ↗

1

Keep jobs on your self-hosted runners

Self-hosted runners already execute workflow jobs on hardware you control, from on-prem to your own cloud. Whatever agent or automation a job runs, it runs on your machine. Probity changes none of your workflows.

2

Run each job in a Probity microVM

Register the runner so jobs execute inside a Probity per-task microVM with a host sensor the job cannot reach. Every process, file read/write, network call and MCP call is captured from the host, not from the job's own console log.

3

Keep one signed record after the logs expire

GitHub Actions logs are gone in 90 days. Probity turns each run into a signed, append-only record and streams it to the SIEM and object store you already run under the retention policy your evidence controls require.

GitHub Actions+ any other agent you runGUEST · microVMrunner jobSESSION · supporting detailBOUNDARY · evidenceHOST · evidence0x9f2cok0x9f2dok0x9f2eflaggedsigned · append-only

What you get

Your pipelines keep moving. Your security team can prove it.

For engineering

  • Keep agent and automation jobs on your self-hosted runners.
  • No workflow rewrite, Probity wraps the runner.
  • Full job permissions and network access, unchanged.

For security & compliance

  • A tamper-evident record of every run, collected from the host.
  • Retained long after Actions' 90-day logs expire.
  • Lands in your SIEM for incident review and applicable Article 12 or NYDFS evidence controls.

What's captured

Every self-hosted runner job, fully recorded.

Seven classes of behavioral evidence per GitHub Actions run, protected by one tamper-evident integrity chain.

Process activity

Every spawn, argument, and exit code.

File reads

Every path opened, secrets included.

File writes

Every file created or modified.

Network calls

Every outbound destination and method.

MCP tool calls

Every tool the agent invoked.

Syscall surface

The kernel calls it was allowed.

Session identity

Which scoped token, expiring per task.

Exports to

One signed record per Actions run, streamed to the SIEM and object store you already run.

Splunk
CrowdStrike
Datadog
Elastic
Grafana
Snowflake

Compliance

Your Actions logs vanish in 90 days. Your audit trail can't.

Evidence debt starts nowYou cannot reconstruct an unrecorded agent session later

Article 12 applies to high-risk AI systems, and NYDFS Part 500 applies to covered entities. For every team, GitHub Actions' 90-day logs create an evidence gap long before the next incident or examination.

Private beta. Twelve deployments.

Probity is in private beta: the first cohort is limited to twelve deployments, each reviewed and onboarded by a NOFire AI founder.

No sales process. Reviewed by a founder within one business day.

Questions first? Write to contact@nofire.ai.