Azure DevOps Governance Gate

GOVERN Build extension

Install the GOVERN Build extension from the Azure DevOps Marketplace:

Marketplace → Search "GOVERN Build" → Archetypal AI → Install

Pipeline YAML (GOVERN Build task)

azure-pipelines.yml
trigger:
  branches:
    include:
      - main
      - develop
pr:
  branches:
    include:
      - main
variables:
  aiModel: 'claude-sonnet-4-20250514'
stages:
  - stage: Test
    jobs:
      - job: UnitTests
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: NodeTool@0
            inputs:
              versionSpec: '20.x'
          - script: npm ci && npm test
            displayName: Unit tests
  - stage: Govern
    dependsOn: Test
    jobs:
      - job: GovernBuild
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: GovernBuild@1
            displayName: GOVERN Build Gate
            inputs:
              apiKey: $(GOVERN_API_KEY)
              orgId: $(GOVERN_ORG_ID)
              model: $(aiModel)
              testPrompts: tests/govern/prompts.json
              failOn: flag
              outputFormat: junit
            env:
              ANTHROPIC_API_KEY: $(ANTHROPIC_API_KEY)
          - task: PublishTestResults@2
            condition: always()
            inputs:
              testResultsFormat: JUnit
              testResultsFiles: govern-junit.xml
              testRunTitle: GOVERN Build Results
          - task: PublishBuildArtifacts@1
            condition: always()
            inputs:
              pathToPublish: govern-results.json
              artifactName: govern-results
  - stage: Deploy
    dependsOn: Govern
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: Production
        environment: production
        strategy:
          runOnce:
            deploy:
              steps:
                - script: ./deploy.sh

CLI-based approach (no extension)

- stage: Govern
  jobs:
    - job: GovernBuild
      pool:
        vmImage: ubuntu-latest
      steps:
        - script: npm install -g @archetypal-ai/govern-cli
          displayName: Install GOVERN CLI
        - script: |
            govern assess \
              --batch-file tests/govern/prompts.json \
              --model $(aiModel) \
              --fail-on-flag \
              --output junit > govern-junit.xml
          displayName: GOVERN Build Assessment
          env:
            GOVERN_API_KEY: $(GOVERN_API_KEY)
            GOVERN_ORG_ID: $(GOVERN_ORG_ID)
        - task: PublishTestResults@2
          condition: always()
          inputs:
            testResultsFormat: JUnit
            testResultsFiles: govern-junit.xml

Variable groups

Store GOVERN credentials in a variable group:

  1. Pipelines → Library → Variable groups → New variable group
  2. Name: govern-credentials
  3. Add variables:
    • GOVERN_API_KEY (secret)
    • GOVERN_ORG_ID

Reference in pipeline:

variables:
  - group: govern-credentials
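
When the group is referenced in the same file that defines aiModel, the variables block has to use list syntax throughout, because Azure Pipelines does not accept mapping entries (aiModel: '...') and "- group:" entries together. The following is an added example, not part of the original page; keeping ANTHROPIC_API_KEY in the same group is an assumption, since the page does not say where that variable is defined.

```yaml
# Added example: variable group combined with the inline aiModel variable.
variables:
  # List syntax is required as soon as a group is referenced.
  - group: govern-credentials   # GOVERN_API_KEY (secret), GOVERN_ORG_ID
  - name: aiModel
    value: 'claude-sonnet-4-20250514'

stages:
  - stage: Govern
    jobs:
      - job: GovernBuild
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: GovernBuild@1
            displayName: GOVERN Build Gate
            inputs:
              # Task inputs resolve $(...) macros, including secrets,
              # and secret values are masked in the job log.
              apiKey: $(GOVERN_API_KEY)
              orgId: $(GOVERN_ORG_ID)
              model: $(aiModel)
              testPrompts: tests/govern/prompts.json
              failOn: flag
              outputFormat: junit
            env:
              # Secret variables are not exported to the process environment
              # automatically, so the mapping has to be explicit.
              # Assumption: ANTHROPIC_API_KEY is stored as a secret in
              # govern-credentials alongside the two GOVERN variables.
              ANTHROPIC_API_KEY: $(ANTHROPIC_API_KEY)
```

The first run of a pipeline that references a new variable group waits for the group to be authorized for that pipeline, so expect a one-time permission prompt on the run page.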

Branch policies

Add GOVERN Build as a required status check:

  1. Repos → Branches → [branch] → Branch policies
  2. Add status policy
  3. Status name: GOVERN Build Gate
  4. Policy requirement: Required

Now pull requests cannot complete without a passing GOVERN Build check.