GitHub Action

Deslint GitHub Action — the merge gate for AI-generated code.

Every pull request gets a Design Health Score, inline violation review, one-click suggestions for provably safe fixes, and a Sigstore-verified attestation that the trailer hasn't lied. Same deterministic engine your agent already calls locally — re-run at the merge gate so nothing slips through between commit and review.

Drop into `.github/workflows/deslint.yml`

The Action posts a PR comment and — when configured — fails the check. No servers, no API keys beyond the built-in GITHUB_TOKEN, no code egress.

```yaml
name: Deslint Design Review
on:
  pull_request:
    branches: [main]
jobs:
  deslint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # blame + token-drift need full history
      - uses: jaydrao215/deslint/action@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          min-score: 80 # fail when score drops below floor
          suggest-fixes: 'true' # one-click PR suggestions
          agent-scorecard: 'true' # blame-based attribution
          token-drift: 'true' # designSystem diff
          strict-trailer: 'false' # set true to fail on trailer mismatch
          require-signed: 'false' # set true to gate on Sigstore signature
```

What lands in the PR

Design Health Score on every PR

A pass/warn/fail banner at the top of the PR comment — reviewers see the score, design debt estimate, and a sorted top-violations table before they open the diff. Configurable `min-score` input fails the check when the score drops below a floor.

One-click PR suggestions for safe fixes

Autofixes that are provably visually lossless — e.g. swapping `bg-[#1A5276]` for `bg-primary` when the token resolves to the same hex, or wrapping a `transition-all` with `motion-safe:` — render as GitHub `suggestion` blocks. A reviewer commits the change with one click. Heuristic fixes render as read-only code blocks with a `deslint fix` nudge, so no pixel change ever ships without a human seeing it.

Sigstore attestation verification

When the PR author ran `deslint attest` and committed the sidecar, the Action re-verifies the `.deslint/attestation.json` bundle against Sigstore — matching signer identity, issuer, and the trailer's reproducible claim against a fresh scan of the HEAD ref. Pin an acceptable signer with `signer-identity` / `signer-issuer`.

Per-agent scorecard

`git blame` attributes each inline violation to the agent that authored the offending line — Claude, Cursor, Codex, Copilot, Windsurf, or a human contributor — and renders a sorted table in the PR comment. Only commits belonging to the PR count; violations the PR merely touched are excluded so humans aren't punished for inherited debt.

Design-token drift diff

Compares `designSystem` tokens between the PR base and head. A silent `colors.primary` rename — "#1A5276" → "#2C3E50" — ripples through every consumer with no visible diff; the Action surfaces it as a side-by-side markdown table so a reviewer can't miss it.

Inline review comments

Every violation becomes a review comment anchored at the exact line and column. Up to `max-inline-comments` per PR (default 25) so a large refactor doesn't drown the review.

Every input

Defaults are chosen so a plain `uses: jaydrao215/deslint/action@main` posts a useful PR comment without any tuning. Override any input when you want stricter gating.

| Input | Default | Meaning |
|---|---|---|
| `github-token` | | `GITHUB_TOKEN` (or a PAT). Required to post PR comments. |
| `min-score` | `0` | Fail the check when the Design Health Score drops below this value. |
| `fail-on` | `error` | Which severity triggers an exit-1. One of: `error` / `warning` / `any` / `never`. |
| `inline-review` | `true` | Post per-violation review comments anchored to line+column. |
| `suggest-fixes` | `true` | Render provably safe autofixes as GitHub suggestion blocks. |
| `max-inline-comments` | `25` | Cap on review comments per PR so large refactors stay readable. |
| `strict-trailer` | `false` | When true, a lying or missing `Deslint-Compliance` trailer fails the job. |
| `require-signed` | `false` | When true, an unsigned or tampered attestation fails the job. |
| `signer-identity` | | Regex matching the Sigstore cert SAN that signed the attestation. |
| `signer-issuer` | | Expected OIDC issuer (exact match) for the Sigstore bundle. |
| `agent-scorecard` | `true` | Attribute violations to authoring agents via `git blame`. |
| `token-drift` | `true` | Diff `designSystem` tokens between base and head refs. |
| `config-path` | `.deslintrc.json` | Alternative config path if the rcfile lives outside the repo root. |
| `working-directory` | `.` | Subdirectory to scan — useful for monorepos. |
| `file-patterns` | | Comma-separated glob filter for which files to scan. |

Why verify at the merge gate
