Prove what agents did in your GitHub Actions runners.
Your team runs agents and automation in GitHub Actions self-hosted runners. Probity wraps each job in a per-task microVM and signs a tamper-evident record of every action, collected from outside the job's reach and kept long after Actions' 90-day logs expire, in the SIEM your security team already runs.
Agents in your runners can do anything a job can.
Self-hosted runners execute workflow jobs, including coding-agent steps, on machines you manage, with the job's secrets and network access. And GitHub keeps those logs for only 90 days.
A job can reach every secret and system the workflow can.
Agent steps run with full job permissions on your runners.
Actions logs are gone in 90 days, and are the agent's own account.
Wrap your self-hosted runner jobs in Probity.
Grounded in the vendor's own documentation, not a bolt-on. GitHub's self-hosted runner docs ↗
Keep jobs on your self-hosted runners
Self-hosted runners already execute workflow jobs on hardware you control, from on-prem to your own cloud. Whatever agent or automation a job runs, it runs on your machine. Probity changes none of your workflows.
Run each job in a Probity microVM
Register the runner so jobs execute inside a Probity per-task microVM with a host sensor the job cannot reach. Every process, file read/write, network call and MCP call is captured from the host, not from the job's own console log.
Keep one signed record after the logs expire
GitHub Actions logs are gone in 90 days. Probity turns each run into a signed, append-only record and streams it to the SIEM and object store you already run under the retention policy your evidence controls require.
Your pipelines keep moving. Your security team can prove it.
- Keep agent and automation jobs on your self-hosted runners.
- No workflow rewrite, Probity wraps the runner.
- Full job permissions and network access, unchanged.
- A tamper-evident record of every run, collected from the host.
- Retained long after Actions' 90-day logs expire.
- Lands in your SIEM for incident review and applicable Article 12 or NYDFS evidence controls.
Every self-hosted runner job, fully recorded.
Seven classes of behavioral evidence per GitHub Actions run, protected by one tamper-evident integrity chain.
Process activity
Every spawn, argument, and exit code.
File reads
Every path opened, secrets included.
File writes
Every file created or modified.
Network calls
Every outbound destination and method.
MCP tool calls
Every tool the agent invoked.
Syscall surface
The kernel calls it was allowed.
Session identity
Which scoped token, expiring per task.
One signed record per Actions run, streamed to the SIEM and object store you already run.
Your Actions logs vanish in 90 days. Your audit trail can't.
Article 12 applies to high-risk AI systems, and NYDFS Part 500 applies to covered entities. For every team, GitHub Actions' 90-day logs create an evidence gap long before the next incident or examination.
Private beta. Twelve deployments.
Probity is in private beta: the first cohort is limited to twelve deployments, each reviewed and onboarded by a NOFire AI founder.
Questions first? Write to contact@nofire.ai.