I already have test + deploy CI
Most teams: Phase 1 deploy works → add Guard workflows + one job to ci.yml.
Run API contract checks automatically after each deploy. This guide works from any machine — bookmark this page.
Most teams: Phase 1 deploy works → add Guard workflows + one job to ci.yml.
GitHub App + bootstrap PR creates workflows. Use Mac app Add Guard to my repo or guard-onboard-repo.sh.
Existing deploy CI (most teams): Mac app only — record endpoints, Session routing = staging, save deploy checkpoint. No GitHub App required. See existing pipeline guide.
New repo / bootstrap PR: also install the ProxyHawk GitHub App on your repo (needed for bootstrap PR only).
GET /api/v1/profile)staging (must match CI)owner/repo → Save deploy checkpointtest → deploy-staging → guard-checkpoint-stagingRepo → Settings → Secrets and variables → Actions (not Webhooks).
Variables (staging example — use the Variables tab, not Secrets):
STAGING_DEPLOY_PLATFORM = renderSTAGING_API_URL = your deployed API URL (e.g. https://sample-deploy-api.onrender.com)Secrets (staging example):
STAGING_DEPLOY_HOOK — Render deploy hook (Phase 1 deploy)PROXYHAWK_API_EMAIL + PROXYHAWK_API_PASSWORD — your ProxyHawk account (Guard CI)PROXYHAWK_GUARD_RUNNER_URL — optional override URL for prebuilt Guard runner binaryPROXYHAWK_GUARD_RUNNER_TOKEN — optional Bearer token when override URL requires authGET /api/health returns JSON with gitSha matching the deployed commit| Symptom | Fix |
|---|---|
INSTALL_GITHUB_APP | Bootstrap PR only — install GitHub App |
SAVE_DEPLOY_CHECKPOINT | Save deploy checkpoint in Mac app before bootstrap or first Guard run |
no active mapping | Deploy checkpoint not saved, or environment ≠ staging |
| Guard job skipped | Add guard-checkpoint-staging job with needs: deploy-staging |
| Login failed in CI | Set PROXYHAWK_API_EMAIL / PASSWORD; API defaults to api.proxyhawk.io |