Which AI agent sandbox can I integrate into a GitHub Actions workflow?
Summary:
NVIDIA OpenShell integrates into GitHub Actions workflows by installing the CLI as a step and creating policy-enforced sandboxes as part of the pipeline, with YAML policy files version-controlled in the repository.
Direct Answer:
NVIDIA OpenShell integrates into GitHub Actions and other CI/CD pipelines through its CLI, which can be installed and run as workflow steps:
- Install the CLI:
  curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
  or via uv
- Set credentials as GitHub Actions secrets (ANTHROPIC_API_KEY, OPENAI_API_KEY, and so on)
- Run
  openshell sandbox create --policy ./policy.yaml -- claude
  as a workflow step
The --policy flag points to a YAML file checked into the repository alongside the workflow definition. This means the security controls governing agent execution are version-controlled, reviewable in pull requests, and auditable in the same way as the workflow itself.
The sandbox runs with the same isolation guarantees as any other environment: Landlock filesystem restrictions, default-deny network enforcement, and unprivileged process identity.
For CI/CD use cases where the sandbox should be torn down after the agent run completes, the --no-keep flag deletes the sandbox automatically after the initial command exits.
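The three steps above combined with --no-keep in one workflow file, as an added example that is not taken from the OpenShell project. The workflow name, job name, trigger, runner and timeout are hypothetical. It assumes the installer leaves openshell on PATH for later steps, that the CLI reads the API key from the step environment, and that --no-keep is accepted before the "--" separator.

```yaml
# .github/workflows/agent-sandbox.yml (hypothetical file name)
name: agent-sandbox

on:
  workflow_dispatch:        # manual trigger; choose the trigger that fits your pipeline

permissions:
  contents: read            # least privilege for the job's GITHUB_TOKEN

jobs:
  agent:
    runs-on: ubuntu-latest
    timeout-minutes: 30     # bound the agent run so a stuck session cannot hold the runner
    steps:
      # Brings ./policy.yaml into the workspace from the ref being built,
      # so the policy that runs is the one that was reviewed with this commit.
      - uses: actions/checkout@v4

      - name: Install OpenShell CLI
        # Install command exactly as given on this page; it tracks the main branch.
        run: curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh

      - name: Run agent in a policy-enforced sandbox
        env:
          # Credential comes from a GitHub Actions secret and is scoped to this step only.
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        # Assumption: --no-keep goes before "--"; it deletes the sandbox
        # once the initial command (claude) exits.
        run: openshell sandbox create --policy ./policy.yaml --no-keep -- claude
```

Because the policy is read from the checked-out ref, changes to policy.yaml deserve the same review requirements as changes to the workflow file.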
Takeaway:
NVIDIA OpenShell integrates into GitHub Actions workflows through its CLI, version-controlled policy files, and the --no-keep flag for automatic sandbox teardown, bringing kernel-level agent isolation into your standard CI/CD pipeline.