CI/CD Integration — AI Agent in Your Pipeline

Auto-review every pull request, triage issues automatically, and enforce code standards with a native GitHub Actions integration.

Advanced · 25 min read
1. Why CI/CD?

Your AI agent shouldn't just help during development — it should be part of your pipeline. Auto-review PRs, triage issues, enforce standards. Every commit benefits from the same analysis quality, consistently, without developer overhead.

Three workflows that become automatic with Harness CI/CD:

  • PR Review — catch bugs, security issues, and style violations before merge
  • Issue Triage — classify severity, suggest labels, and propose fixes automatically
  • Standards Enforcement — run custom audits on every push

Native CI/CD — unique to Harness

No other coding agent has native CI/CD integration. Claude Code requires manual pipeline setup. Cursor is IDE-only. Aider and OpenHands have no CI runner. Harness ships with GitHub Actions support, webhook parsing, and GitHub Check Runs reporting out of the box.

```python
from typing import Any  # used in the return annotation below

# From harness.ci.runner
async def run_ci(
    *,
    mode: str | None = None,
    prompt: str | None = None,
    provider: str = "anthropic",
    model: str | None = None,
    sandbox: str = "process",
    check_name: str = "harness-agent",
) -> dict[str, Any]:
    """Run the CI agent. Auto-detects mode from GitHub webhook event if not specified."""
```
2. GitHub Actions Setup

Drop this workflow file into your repository. It triggers on pull requests and new issues, runs Harness in a sandboxed process, and reports results back via Check Runs and PR comments:

.github/workflows/harness.yml:

```yaml
name: Harness AI Agent

on:
  pull_request:
    types: [opened, synchronize]
  issues:
    types: [opened]

permissions:
  contents: read
  pull-requests: write
  checks: write
  issues: write

jobs:
  harness:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install Harness
        run: |
          pip install uv
          uv tool install harness-agent

      - name: Run Harness Agent
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          harness ci run
```

That's the entire setup

Commit this file. Harness auto-detects the event type, runs the appropriate review or issue workflow, and posts results back to GitHub. No further configuration required to get started.

Required secrets

Add ANTHROPIC_API_KEY in your repository Settings → Secrets and variables → Actions. GITHUB_TOKEN is provided automatically by GitHub Actions — no manual setup needed.

3. CI Configuration

Customize prompts, mode behavior, and runtime settings in .harness/ci.yml at the root of your repository:

.harness/ci.yml:

```yaml
# .harness/ci.yml
provider: anthropic
model: claude-sonnet-4-20250514
sandbox: process
check_name: harness-agent
max_turns: 30
permission_mode: plan

review_prompt: |
  Review this pull request for:
  1. Code quality and best practices
  2. Security vulnerabilities
  3. Test coverage gaps
  4. Performance concerns
  Provide actionable feedback as PR comments.

issue_prompt: |
  Analyze this issue and:
  1. Classify severity (critical/high/medium/low)
  2. Suggest relevant labels
  3. Identify affected components
  4. Propose a solution approach
```

Per-mode prompts

review_prompt is used when a pull request event is detected; issue_prompt is used when a new issue is opened. Both fields are optional — if omitted, Harness falls back to sensible built-in defaults. The max_turns and permission_mode fields apply globally to all CI runs from this config.

4. Auto-Detect Mode

When you run harness ci run with no arguments, Harness reads the GitHub webhook payload from the environment and picks the right mode automatically:

```python
# Harness auto-detects the CI context from GitHub webhook events
# PR opened/updated  → review mode
# Issue opened       → issue mode
# Manual             → uses provided prompt
```

```bash
# Automatic mode detection
harness ci run

# Override mode explicitly
harness ci run --mode review

# Custom prompt (overrides ci.yml prompt)
harness ci run --prompt "Run security audit on all changed files"
```

The full event routing flow:

5. PR Review Automation

When a pull request is opened or updated, Harness:

  1. Reads the diff via git diff to understand exactly what changed
  2. Reads each changed file for full context (not just the diff lines)
  3. Posts inline review comments on the PR at the relevant line numbers
  4. Creates a GitHub Check Run with a pass or fail status and summary

A typical PR review output looks like this:

AI Code Review

This PR adds user authentication with JWT tokens. Overall looks good with a few concerns.

🔴 Critical: SQL injection in auth.py:45
   Current code uses string interpolation in a query. Use parameterized queries instead.

🟠 Warning: Missing token expiry in jwt_handler.py:23
   JWT tokens should have an expiration time to limit the impact of token leakage.

🟢 Suggestion: Add type hints to login() in routes.py:12
   Adding type annotations improves IDE support and catches type errors early.

auth.py (example fix):

```python
# Current (vulnerable): the username is interpolated straight into the SQL text
query = f"SELECT * FROM users WHERE username = '{username}'"

# Suggested fix (parameterized): the driver binds username as a value, so it can
# never alter the query structure (cursor is a DB-API 2.0 cursor, e.g. psycopg2)
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))
```

Test it on a real PR

Open a PR in a repo where you have added the workflow. Within 60 seconds you will see a "harness-agent" check appear and inline comments on any issues found.
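The Check Run step above, as an added example that is not Harness's own reporting code: the three findings from the sample review become Check Runs API annotations, and any critical finding turns the conclusion to `failure`. The `Finding` type and the severity-to-level mapping are assumptions; the field names, the `notice`/`warning`/`failure` levels and the 50-annotations-per-request limit are GitHub's.

```python
from dataclasses import dataclass

# GitHub's Check Runs API accepts at most 50 annotations per request; the rest
# would need follow-up PATCH calls, so the payload is capped here.
MAX_ANNOTATIONS = 50
SEVERITY_TO_LEVEL = {"critical": "failure", "warning": "warning", "suggestion": "notice"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "warning" or "suggestion", as in the sample review
    path: str      # repo-relative path, e.g. "auth.py"
    line: int
    title: str
    message: str


def build_check_run(findings, check_name="harness-agent", head_sha="HEAD_SHA_PLACEHOLDER"):
    """Build the Check Run body. Any critical finding fails the check; warnings
    and suggestions alone pass, so they never block a merge by themselves."""
    unknown = sorted({f.severity for f in findings} - set(SEVERITY_TO_LEVEL))
    if unknown:
        raise ValueError(f"unknown severities: {unknown}")
    order = list(SEVERITY_TO_LEVEL)
    # Most severe first, so if the cap truncates, the least important drop off.
    ranked = sorted(findings, key=lambda f: order.index(f.severity))
    annotations = [
        {"path": f.path, "start_line": f.line, "end_line": f.line, "title": f.title,
         "annotation_level": SEVERITY_TO_LEVEL[f.severity], "message": f.message}
        for f in ranked[:MAX_ANNOTATIONS]
    ]
    counts = {s: sum(f.severity == s for f in findings) for s in order}
    return {
        "name": check_name, "head_sha": head_sha, "status": "completed",
        "conclusion": "failure" if counts["critical"] else "success",
        "output": {"title": "AI Code Review", "annotations": annotations,
                   "summary": ", ".join(f"{n} {s}" for s, n in counts.items())},
    }


# Constructed findings matching the sample review output above.
SAMPLE_FINDINGS = [
    Finding("suggestion", "routes.py", 12, "Add type hints to login()", "Improves IDE support."),
    Finding("critical", "auth.py", 45, "SQL injection", "Use parameterized queries."),
    Finding("warning", "jwt_handler.py", 23, "Missing token expiry", "Set an expiration time."),
]
```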

6. Issue Triage

When a new issue is opened, Harness analyzes the report, classifies severity, suggests labels, identifies affected components, and proposes a solution approach — all as an issue comment:

AI Issue Analysis

Severity: High. Labels: bug, auth, security

Components: src/auth/, src/middleware/

The reported login failure appears to be caused by a race condition in the session validation middleware when multiple requests arrive simultaneously.

Suggested Fix

  1. Add mutex lock on session validation
  2. Implement idempotent session creation
  3. Add retry logic in the client

Labels are applied automatically

If your repository has matching labels configured, Harness applies them directly via the GitHub API. No manual triage needed for straightforward issues.

7. Security Best Practices

Never expose API keys in workflow files

Always use GitHub Secrets. Any key committed to a workflow file is visible in your git history and to anyone with repository access.

Follow this security checklist when setting up Harness in CI:

  1. Store API keys as GitHub Secrets (ANTHROPIC_API_KEY) — never hardcode them
  2. Use process or docker sandbox mode — never none in CI
  3. Set max_turns in .harness/ci.yml to cap how long each CI run can execute
  4. Limit permissions scope — only grant what is needed (pull-requests: write)
  5. Use read-only permission mode where possible for review-only tasks

.github/workflows/harness.yml (secure env block):

```yaml
# Secure configuration
env:
  ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
  # Never use: ANTHROPIC_API_KEY: "sk-ant-..."
```

| Mode    | Isolation                      | Recommended for            |
|---------|--------------------------------|----------------------------|
| none    | No isolation                   | Local development only     |
| process | Subprocess with restricted env | GitHub Actions, GitLab CI  |
| docker  | Full container isolation       | High-security environments |

In process mode, the agent runs in a child process with a minimal environment — only the variables you explicitly pass are available. File system access is scoped to the checked-out repository.
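The allowlisting that process mode implies can be seen in a small added example (not the Harness sandbox implementation): the child process receives only named variables, so a stray credential on the runner, here a constructed `AWS_SECRET_ACCESS_KEY` with a placeholder value, never reaches the agent. The allowlist contents and the `HARNESS_WORKDIR` name are assumptions.

```python
import json
import os
import subprocess
import sys

# Variables the agent legitimately needs in CI: the model key, the token used
# to post Check Runs and comments, the event context, and process basics.
# Everything else on the runner is dropped, not inherited.
DEFAULT_ALLOWLIST = frozenset({
    "ANTHROPIC_API_KEY", "GITHUB_TOKEN", "GITHUB_EVENT_NAME", "GITHUB_EVENT_PATH",
    "PATH", "HOME", "LANG", "TMPDIR",
})


def build_child_env(parent_env, allowlist=DEFAULT_ALLOWLIST, workdir=None):
    """Environment for the agent child process: allowlisted names only."""
    child = {name: value for name, value in parent_env.items() if name in allowlist}
    if workdir is not None:
        # Assumed variable name telling the agent where the checkout lives.
        child["HARNESS_WORKDIR"] = workdir
    return child


def env_seen_by_child(parent_env, allowlist=DEFAULT_ALLOWLIST):
    """Spawn a child with the scrubbed env and return the names it actually saw,
    so the isolation can be verified rather than assumed."""
    proc = subprocess.run(
        [sys.executable, "-c", "import json, os; print(json.dumps(sorted(os.environ)))"],
        env=build_child_env(parent_env, allowlist),
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed runner environment: the key the agent needs plus a stray cloud
    # credential (placeholder value) that must never reach the agent.
    runner_env = {
        **os.environ,
        "ANTHROPIC_API_KEY": "constructed-placeholder",
        "AWS_SECRET_ACCESS_KEY": "constructed-placeholder-must-not-leak",
    }
    seen = env_seen_by_child(runner_env)
    print("leaked" if "AWS_SECRET_ACCESS_KEY" in seen else "ok", seen)
```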

8. GitLab CI & Bitbucket Pipelines

Harness CI works with any pipeline that can run a shell command. The GitHub Actions workflow is the one shown in the GitHub Actions Setup step above; below are ready-to-use configurations for the other two common platforms, GitLab CI and Bitbucket Pipelines:

.gitlab-ci.yml:

```yaml
harness-review:
  image: python:3.12
  stage: review
  script:
    - pip install uv && uv tool install harness-agent
    - harness ci run --mode review
  variables:
    ANTHROPIC_API_KEY: $ANTHROPIC_API_KEY
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

GitLab setup

Add ANTHROPIC_API_KEY in Settings → CI/CD → Variables. Set it to masked and protected to prevent exposure in logs.

bitbucket-pipelines.yml:

```yaml
pipelines:
  pull-requests:
    '**':
      - step:
          name: Harness AI Review
          image: python:3.12
          script:
            - pip install uv && uv tool install harness-agent
            - harness ci run --mode review
```

Bitbucket setup

Add ANTHROPIC_API_KEY in Repository settings → Repository variables. Mark it as secured so it is masked in pipeline logs.

Same harness binary, any platform

The harness ci run command works identically across GitHub Actions, GitLab CI, and Bitbucket Pipelines. Platform-specific behavior (Check Runs vs MR notes) is auto-detected from environment variables.

9. Next Steps

You now have Harness running in CI, automatically reviewing PRs and triaging issues across GitHub, GitLab, and Bitbucket. The next tutorial covers enterprise and production deployment: multi-tenant setups, audit logging, SSO, and self-hosted model configurations.

Tutorial 10: Enterprise Production

Multi-tenant deployment, audit logging, SSO integration, self-hosted model routing, and compliance configuration for enterprise environments.