GitHub Action that gates PRs touching an evidence-bundle manifest. Retrieves the previous version via `git show <base.sha>:<manifest-path>`, diffs it against HEAD via `evidence-bundle-diff`, posts the structured diff as a PR comment, and fails the build on breaking changes (item hash rewritten, item removed, signature removed/changed, purpose changed, expiry shortened).

Fourth in the per-protocol diff Action quintet (agent-card / mcp-tool-card / prompt-provenance / evidence-bundle / otel-genai).

Part of the Kinetic Gain Suite.
```yaml
name: Evidence Bundle gate
on:
  pull_request:
    paths: ["bundles/**/manifest.json"]
jobs:
  evidence-bundle-diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # needed so the Action can `git show base.sha:path`
      - uses: mizcausevic-dev/evidence-bundle-diff-action@v0.1-shipped
        with:
          manifest-path: bundles/case-123/manifest.json
          fail-on-breaking: true
```

Important: your `checkout` step must use `fetch-depth: 0` so the Action can resolve the base SHA. Otherwise the previous-version retrieval returns null and the diff is reported as "new manifest".
| input | required | default | description |
|---|---|---|---|
| `manifest-path` | ✓ | — | Path (relative to repo root) to the evidence-bundle manifest JSON file. |
| `base-sha` | | `pull_request.base.sha` | Override the base SHA. |
| `comment-on-pr` | | `auto` | `auto` posts only on `pull_request` events. |
| `fail-on-breaking` | | `true` | Fail when the diff is BREAKING. |
| `fail-on-any-change` | | `false` | Fail on ANY diff (frozen-bundle workflow). |
| `github-token` | | `${{ github.token }}` | Token used to post the PR comment. |
| output | description |
|---|---|
| `breaking` | `true` iff the diff is BREAKING. |
| `change-count` | Number of changes detected. |
| `new-manifest` | `true` iff the file didn't exist at base SHA (newly added manifest). |
Same change reasons as `evidence-bundle-diff`. Breaking reasons include `item-hash-changed`, `item-removed`, `signature-removed`, `signature-signer-changed`, `signature-algorithm-changed`, `bundle-id-changed`, `bundle-version-changed`, `bundle-purpose-changed`, `bundle-expires-shortened`.
- New manifest (file didn't exist at base SHA) → no diff, exits 0, sets `new-manifest=true`.
- Malformed previous version → warns and treats as new manifest.
- `manifest-path` doesn't exist on disk → exits 1 with a clear error.
- Non-PR context (push, manual dispatch) → skips PR comment; still emits diff to logs.
- `evidence-bundle-diff` — the library this wraps.
- `evidence-bundle-fleet-summary-action` — fleet-level companion.
- `evidence-bundle-builder` · `evidence-bundle-readme-generator` · `evidence-bundle-spec` — full evidence-bundle family.
- Sibling diff actions: `agent-card-diff-action` · `mcp-tool-card-diff-action` · `prompt-provenance-diff-action` · `otel-genai-diff-action` (forthcoming).