Docs // Scroll Gate · GitHub
Gate unsigned agent merges in GitHub Actions.
Add ssx360 check to pull requests — hosted verify maps to SLSA L1–2 commit provenance. Keys stay local; only envelope metadata hits SSX360.
Scroll Gate · GitHub Actions
Ed25519: commit envelopes, offline-verifiable proof
local-only: CLI & HOOKS, repo never uploaded
Scroll Gate: PR enforcement, signed vs unsigned
SSX360: control plane (identity · billing · audit)
Last verified against matrixscroll 0.5.1. Community tier includes 100 hosted verifications per day. Team+ unlocks org audit export.
Copy-paste
GitHub Actions workflow
Runs on every pull request targeting a protected branch. Fails when signatures are missing, invalid, or post-generation edits break envelope integrity.
name: Scroll Gate
on:
  pull_request:
    branches: [main]
jobs:
  provenance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install Matrix Scroll
        run: pip install "matrixscroll==0.5.1"
      - name: Scroll Gate verify
        env:
          SSX360_API_KEY: ${{ secrets.SSX360_API_KEY }}
        run: ssx360 check --hosted --base origin/main --head HEAD

One secret
Repository secret
Store your SSX360 API key as SSX360_API_KEY — never commit keys to the repo.
# Repository → Settings → Secrets → Actions
SSX360_API_KEY=sk_live_... # Community or Team key from ssx360.com/settings
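A pre-merge lint for the workflow file itself, as an added example (not part of Matrix Scroll or SSX360): it flags a key pasted into the YAML, a key not sourced from the secrets context, a pull_request_target trigger, an unpinned matrixscroll install, and a shallow checkout. The function name lint_workflow, the finding names, the key suffix pattern and the trimmed copy of the workflow are assumptions made for this example.

```python
import re

# Assumption: keys start with "sk_live_" as shown on this page; the suffix
# character set and minimum length are guesses made for this example.
KEY_LITERAL = re.compile(r"sk_live_[A-Za-z0-9_-]{8,}")
SECRET_REF = re.compile(r"SSX360_API_KEY:\s*\$\{\{\s*secrets\.SSX360_API_KEY\s*\}\}")
PINNED = re.compile(r"matrixscroll==\d+(\.\d+)+")

def lint_workflow(text):
    """Return finding names for a Scroll Gate workflow; empty list means clean."""
    findings = []
    if KEY_LITERAL.search(text):  # key pasted into the file
        findings.append("hardcoded-key")
    if "SSX360_API_KEY" in text and not SECRET_REF.search(text):
        findings.append("key-not-from-secrets")
    # pull_request_target makes repository secrets available to fork-triggered runs
    if re.search(r"^\s*pull_request_target\s*:", text, re.M):
        findings.append("pull_request_target")
    if "matrixscroll" in text and not PINNED.search(text):
        findings.append("unpinned-matrixscroll")
    # Assumed: comparing --base origin/main with HEAD needs history (fetch-depth: 0)
    if "--base" in text and not re.search(r"fetch-depth:\s*0\b", text):
        findings.append("shallow-checkout")
    return findings

# Trimmed copy of this page's workflow, embedded so the example runs offline.
GOOD = """\
name: Scroll Gate
on:
  pull_request:
    branches: [main]
jobs:
  provenance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: pip install "matrixscroll==0.5.1"
      - env:
          SSX360_API_KEY: ${{ secrets.SSX360_API_KEY }}
        run: ssx360 check --hosted --base origin/main --head HEAD
"""
# Constructed bad variant: each property checked above is broken on purpose.
BAD = (GOOD.replace("pull_request:", "pull_request_target:")
           .replace("==0.5.1", "")
           .replace("${{ secrets.SSX360_API_KEY }}", "sk_live_CONSTRUCTED_0000")
           .replace("fetch-depth: 0", "fetch-depth: 1"))
```

Run lint_workflow over the text of each file under .github/workflows and fail the commit or review when the returned list is non-empty.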
Full spec: SCROLL_GATE_V2.md · SLSA mapping