GitHub Actions

Use `scan` for inventory/reporting and `validate --format sarif` for direct-SDK policy enforcement.

```yaml
name: FlagLint Inventory
on: [pull_request]
jobs:
  inventory:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npx flaglint scan ./src --format html --output flaglint-inventory.html
```

```yaml
name: FlagLint Policy
on: [pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Validate no direct LaunchDarkly evaluation calls
        id: flaglint
        run: |
          npx flaglint validate ./src \
            --no-direct-launchdarkly \
            --bootstrap-exclude "src/provider/setup.ts" \
            --format sarif \
            --output flaglint-validation.sarif
      - name: Upload validation SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: flaglint-validation.sarif
```

Do not set `continue-on-error: true` on the blocking validation step. The job should fail when violations exist. `if: always()` belongs on the upload step so GitHub can still ingest SARIF after the validation step fails.
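To keep a later edit from weakening the gate, the two rules above can be checked mechanically. The following is an added example, not part of FlagLint or its documentation: a small Node script that audits workflow text for both conditions. It assumes a line-based reading of the file rather than a full YAML parser, recognises the steps by the command and action names used in the workflow above, and the function names `splitSteps` and `auditWorkflow` are hypothetical.

```javascript
// Added example: audit a workflow for the two rules stated above.
// Constructed sample input: a workflow fragment that breaks both rules.
const sampleWorkflow = `
    steps:
      - uses: actions/checkout@v4
      - name: Validate
        id: flaglint
        continue-on-error: true
        run: npx flaglint validate ./src --format sarif --output out.sarif
      - name: Upload validation SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: out.sarif
`;

// Split the text into one chunk per top-level "- " item of the steps list.
// Assumption: all steps share one indent; deeper nested lists stay in their step.
function splitSteps(yamlText) {
  const steps = [];
  let indent = -1;
  for (const line of yamlText.split("\n")) {
    const m = /^(\s*)- /.exec(line);
    if (m && (indent === -1 || m[1].length === indent)) {
      indent = m[1].length;
      steps.push([]);
    }
    if (steps.length) steps[steps.length - 1].push(line.trim());
  }
  return steps;
}

// Return one message per violated rule; an empty array means the gate is intact.
function auditWorkflow(yamlText) {
  const problems = [];
  for (const step of splitSteps(yamlText)) {
    const lines = step.map((l) => l.replace(/^- /, ""));
    const has = (re) => lines.some((l) => re.test(l));
    const isValidate = has(/flaglint validate/);
    const isUpload = has(/^uses:\s*github\/codeql-action\/upload-sarif@/);
    if (isValidate && has(/^continue-on-error:\s*true\b/))
      problems.push("validate step sets continue-on-error: true");
    if (isUpload && !has(/^if:\s*(\$\{\{\s*)?always\(\)/))
      problems.push("upload-sarif step lacks if: always()");
  }
  return problems;
}

auditWorkflow(sampleWorkflow).forEach((p) => console.log(p));
```

On the sample it reports both problems; on a workflow shaped like the policy workflow above it reports none.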

flaglint.direct-launchdarkly