Gatecheck

API Tokens

Long-lived tokens used by the Gatecheck runtime Action to halt CI runs

Active Token

PIPELINE:READ

Tokens are stored as hashes — plaintext is set via Vercel environment variables.

••••••••••••••••••••••••

PIPELINE_API_TOKEN not set in Vercel env vars — add it to enable CI gating.

Wire up the Runtime Action

Three steps to halt CI runs that Gatecheck has flagged

1

Copy the token above

Click the Copy button to copy your PIPELINE_API_TOKEN.

2

Add it as a GitHub secret

In your repo: Settings → Secrets → Actions → New repository secret. Name it GATECHECK_TOKEN, paste the token.

3

Add the gate step to your workflow

Paste the snippet below as the FIRST step of any job you want gated.

workflow snippet

# Add as the FIRST step of any job you want gated.
# The step fails the job if Gatecheck has blocking findings for this commit.
- name: Gatecheck Security gate
  uses: actions/github-script@v7
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    script: |
      const res = await fetch(
        `https://gatecheck-theta.vercel.app/api/pipeline/decision?repo=${{ github.repository }}&sha=${{ github.sha }}`,
        { headers: { Authorization: `Bearer ${{ secrets.GATECHECK_TOKEN }}` } }
      );
      const { halt } = await res.json();
      if (halt) core.setFailed('Gatecheck: blocking security findings — see dashboard');

The gate soft-fails on Gatecheck API outages — your CI is never broken by our downtime. If Gatecheck detects a blocking issue, the job exits non-zero before any other steps run. Open dashboard