Install Workflow

Detailed setup for BYO keys, scan, Playwright, and SBOM modes, and Sentinelayer-managed model routing.


Production setup checklist:

Required

  • workflow file
  • sentinelayer_token input

Optional

  • status_poll_token
  • fallback provider configuration

Recommended mode profiles

  • action defaults: `scan_mode: deep`, `playwright_mode: off`, `sbom_mode: off`
  • PR profile: `scan_mode: deep` + `playwright_mode: baseline` + `sbom_mode: baseline`
  • audit profile: `scan_mode: audit` + `playwright_mode: audit` + `sbom_mode: audit`

PR comment commands (manual deep actions)

  • `/omar baseline`
  • `/omar deep-scan`
  • `/omar full-depth`
  • `/omar fix-plan`
  • `/omar report`

Enterprise verification

Run attestation checks before release promotion:

```bash
# Verify the build provenance attestation of the release artifact
gh attestation verify ./dist/sentinelayer-web.zip -R <owner>/<repo>

# Verify the SPDX SBOM attestation attached to the container image
# (keyless verification with cosign v2 also requires --certificate-identity
#  and --certificate-oidc-issuer, or their -regexp variants)
cosign verify-attestation --type spdx oci://registry/<owner>/<image>:<tag>
```
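A complete workflow file that wires together the required `sentinelayer_token` input, the PR mode profile from the checklist above, and the pre-promotion attestation checks from this section, as an added example that is not the project's own workflow. The action reference, secret names, artifact name, image reference and the cosign certificate identity are placeholders or assumptions; the identity flags assume Sigstore keyless signing (a key-based signature is verified with `--key` instead), and the verification job assumes the release zip has been uploaded as a workflow artifact by an earlier build.

```yaml
# Added example workflow, not the project's own file. Placeholders (not on this page):
#   <owner>/<action-repo>@<version>  reference to the Omar Gate action
#   secrets.SENTINELAYER_TOKEN        repository secret holding the Sentinelayer token
#   secrets.STATUS_POLL_TOKEN         optional token used for status polling
#   release-dist                      artifact name produced by a separate build job
#   <registry>/<owner>/<image>:<tag>  container image carrying the SPDX attestation
name: Omar Gate

on:
  pull_request:
  workflow_dispatch:
    inputs:
      promote:
        description: "Run release verification after the gate"
        type: boolean
        default: false

permissions:
  contents: read
  pull-requests: write   # the action reports on the PR (check run and /omar comments)
  checks: write

jobs:
  omar-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Omar Gate (PR profile)
        uses: <owner>/<action-repo>@<version>   # placeholder, see lead-in
        with:
          sentinelayer_token: ${{ secrets.SENTINELAYER_TOKEN }}   # required
          status_poll_token: ${{ secrets.STATUS_POLL_TOKEN }}     # optional
          # PR profile; omit these three to get the action defaults
          # (scan_mode deep, playwright_mode off, sbom_mode off)
          scan_mode: deep
          playwright_mode: baseline
          sbom_mode: baseline

  verify-release:
    # Enterprise verification: promotion only proceeds if both checks pass,
    # and only after the gate job has succeeded
    needs: omar-gate
    if: github.event_name == 'workflow_dispatch' && inputs.promote
    runs-on: ubuntu-latest
    steps:
      - name: Fetch the release artifact built earlier (assumed artifact name)
        uses: actions/download-artifact@v4
        with:
          name: release-dist
          path: dist
      - uses: sigstore/cosign-installer@v3
      - name: Verify build provenance of the release zip
        env:
          GH_TOKEN: ${{ github.token }}   # gh needs a token to query attestations
        run: gh attestation verify ./dist/sentinelayer-web.zip -R "${{ github.repository }}"
      - name: Verify the SPDX SBOM attestation on the container image
        run: |
          # Keyless (Sigstore) verification: pin the signing workflow identity
          # and the OIDC issuer so an attestation from any other identity fails
          cosign verify-attestation --type spdx \
            --certificate-identity-regexp '^https://github.com/<owner>/<repo>/' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            '<registry>/<owner>/<image>:<tag>'
```

Because `verify-release` declares `needs: omar-gate`, a failed gate run blocks the verification job as well, and because each `run:` step fails the job on a non-zero exit, a rejected attestation stops the promotion path without any extra scripting.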

Validation

  • branch protection requires the Omar Gate check to pass
  • the run's outputs and artifacts are present

Structured Answers

Do I need both provider key and Sentinelayer token?

No. The action bridge requires sentinelayer_token. Provider/model routing is managed by Sentinelayer runtime policy.

Are baseline and deep comments automatic on every PR?

No. The only automatic execution is the Omar Gate check run. The additional baseline and deep comments are manual, on-demand triggers issued with the `/omar` PR comment commands.

How do I verify release provenance before promotion?

Use `gh attestation verify` for the built artifact and `cosign verify-attestation` for Sigstore-backed artifacts or containers.