Add governance to my CI/CD
You live in your terminal and your CI/CD pipeline. You want API governance without opening a dashboard.
What you need
- An Apiway tenant (register free — £1,000 credit included)
- A CI/CD pipeline (GitHub Actions, GitLab CI, Azure Pipelines, Jenkins — anything that can make HTTP calls)
- Your OpenAPI specs in your repository
The pipeline
1. Add a governance check to your pipeline
On every pull request that changes an OpenAPI spec, call the platform API:
```yaml
# GitHub Actions example
- name: Check API governance
  run: |
    # -f makes curl exit non-zero on an HTTP error (bad token, rejected spec),
    # so the step fails instead of printing an error body and continuing
    curl -f -X POST https://core.api.apiway.net/v1/programmes/validate \
      -H "Authorization: Bearer ${{ secrets.APIWAY_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specification": "'$(base64 -w0 openapi.yaml)'"}'
```
The platform returns:
- Compliance score against your design standards
- Breaking change detection against the previous version
- Security analysis (missing auth, open endpoints)
- Recommendations for improvement
2. Fail the build on violations
Set your quality gate. The gate must fail closed: if the API call fails or returns no score, the original `[ "" -lt 80 ]` comparison errors out and the `if` body never runs, which lets the build through. The version below treats a missing or non-numeric score as a failure:
```yaml
- name: Enforce governance
  run: |
    set -euo pipefail
    # -f: an HTTP error fails the assignment (and the step) rather than
    # yielding an empty SCORE. Replace {id} with your programme id.
    SCORE=$(curl -sf https://core.api.apiway.net/v1/programmes/{id}/compliance \
      -H "Authorization: Bearer ${{ secrets.APIWAY_TOKEN }}" \
      | jq '.score')
    case "$SCORE" in
      ''|*[!0-9]*) echo "No numeric compliance score in response: $SCORE"; exit 1 ;;
    esac
    if [ "$SCORE" -lt 80 ]; then
      echo "API compliance score $SCORE is below threshold (80)"
      exit 1
    fi
```
Breaking changes? Build fails. Missing security? Build fails. Non-compliant naming? Build fails. All before a human reviewer even looks at it.
3. Auto-deploy on merge
When the PR merges, deploy through the full pipeline:
```yaml
- name: Deploy API
  if: github.ref == 'refs/heads/main'
  run: |
    # -f: a rejected deployment fails the job instead of logging and moving on
    curl -f -X POST https://core.api.apiway.net/v1/programmes \
      -H "Authorization: Bearer ${{ secrets.APIWAY_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"name": "Orders API","specification": "'$(base64 -w0 openapi.yaml)'"}'
```
Governance, security, deployment, activation — all automated. The 8-step pipeline runs without a single click.
4. Use MCP for local development
Before you even push, your AI coding assistant can check governance:
“Check if my Orders API spec passes governance”
“Deploy my updated Payments API to staging”
“Show me which consumers are subscribed to the Orders API”
The assistant calls the same platform API. Same governance. Same rules. Different interface.
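The curl-and-jq steps above put the whole gate decision in a shell comparison. The script below is an added example, not Apiway's own client or CLI: it wraps the validate call from step 1 and turns the response into a fail-closed decision for step 2, so an HTTP error, a non-JSON body or a missing score all fail the build rather than slipping past a `[ -lt ]` test. Only the endpoint URL, the `specification` field and the `.score` / `.findings[]` keys come from the page; the `category` and `message` keys on each finding, the blocking category names, the `SAMPLE_RESPONSE` and the script's behaviour without a token are assumptions made for the example.

```python
"""Fail-closed governance gate for CI (added example; not Apiway's own code)."""
import base64
import json
import os
import sys
import urllib.error
import urllib.request

VALIDATE_URL = "https://core.api.apiway.net/v1/programmes/validate"  # from the page
DEFAULT_THRESHOLD = 80  # the page's quality gate
# Finding categories that fail the build regardless of score. The category
# names are an assumption; the page only documents .score and .findings[].
BLOCKING_CATEGORIES = frozenset({"breaking", "security"})


def build_payload(spec: bytes) -> bytes:
    """Request body for the validate endpoint: the spec, base64-encoded,
    exactly as the page's curl examples build it with base64 -w0."""
    encoded = base64.b64encode(spec).decode("ascii")
    return json.dumps({"specification": encoded}).encode("utf-8")


def evaluate(result: dict, threshold: int = DEFAULT_THRESHOLD) -> tuple[bool, list[str]]:
    """Return (passed, reasons). Anything unexpected is a failure, never a pass."""
    reasons: list[str] = []
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        reasons.append(f"response has no numeric score (got {score!r})")
    elif score < threshold:
        reasons.append(f"score {score} is below threshold {threshold}")
    findings = result.get("findings") or []
    if not isinstance(findings, list):
        reasons.append("findings is not a list")
        findings = []
    for finding in findings:
        if not isinstance(finding, dict):
            reasons.append(f"malformed finding: {finding!r}")
            continue
        # 'category' / 'message' per finding is an assumed layout
        category = str(finding.get("category", "")).lower()
        if category in BLOCKING_CATEGORIES:
            reasons.append(f"{category}: {finding.get('message', 'no message')}")
    return (not reasons, reasons)


def validate_spec(spec_path: str, token: str, url: str = VALIDATE_URL, timeout: int = 30) -> dict:
    """POST the spec and return the parsed JSON. HTTP and decode errors propagate."""
    with open(spec_path, "rb") as fh:
        body = build_payload(fh.read())
    request = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


# Constructed sample response for running offline; not real platform output.
SAMPLE_RESPONSE = {
    "score": 72,
    "findings": [
        {"category": "security", "message": "DELETE /orders/{id} has no security requirement"},
        {"category": "naming", "message": "path segment 'orderItems' is not kebab-case"},
    ],
}


def main(argv: list[str]) -> int:
    spec_path = argv[1] if len(argv) > 1 else "openapi.yaml"
    token = os.environ.get("APIWAY_TOKEN")
    try:
        # Without a token (local dry run) fall back to the constructed sample.
        result = validate_spec(spec_path, token) if token else SAMPLE_RESPONSE
    except (urllib.error.URLError, OSError, json.JSONDecodeError) as exc:
        print(f"::error::governance check could not run: {exc}")
        return 1  # fail closed: an unreachable or erroring API is not a pass
    passed, reasons = evaluate(result)
    for reason in reasons:
        print(f"::error::{reason}")  # GitHub Actions annotation syntax
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this replaces the two curl steps with one `run: python governance_gate.py openapi.yaml` step (the filename is hypothetical) with `APIWAY_TOKEN` passed through `env:`; the `::error::` lines surface as PR annotations, and the non-zero exit is what fails the build.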
Example: full pipeline
```yaml
name: API Governance
on:
  pull_request:
    paths: ['**/openapi.yaml', '**/openapi.json']
  push:
    branches: [main]
    paths: ['**/openapi.yaml', '**/openapi.json']

jobs:
  governance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Validate & score
        id: validate
        run: |
          set -euo pipefail
          # -f: an HTTP error fails this step instead of leaving RESULT empty.
          # The spec path is hard-coded; adjust it if your spec is not at the repo root.
          RESULT=$(curl -sf -X POST https://core.api.apiway.net/v1/programmes/validate \
            -H "Authorization: Bearer ${{ secrets.APIWAY_TOKEN }}" \
            -H "Content-Type: application/json" \
            -d '{"specification": "'$(base64 -w0 openapi.yaml)'"}')
          echo "score=$(echo "$RESULT" | jq '.score')" >> "$GITHUB_OUTPUT"
          echo "$RESULT" | jq '.findings[]'

      - name: Enforce quality gate
        if: github.event_name == 'pull_request'
        # Pass the score through env rather than expanding ${{ }} inside the
        # script: the value comes from an API response, and expression
        # expansion would splice it into the shell source unquoted.
        env:
          SCORE: ${{ steps.validate.outputs.score }}
        run: |
          case "$SCORE" in
            ''|*[!0-9]*) echo "::error::No numeric governance score in response: $SCORE"; exit 1 ;;
          esac
          if [ "$SCORE" -lt 80 ]; then
            echo "::error::API governance score $SCORE/100 is below threshold"
            exit 1
          fi

      - name: Deploy
        if: github.ref == 'refs/heads/main'
        run: |
          curl -sf -X POST https://core.api.apiway.net/v1/programmes \
            -H "Authorization: Bearer ${{ secrets.APIWAY_TOKEN }}" \
            -H "Content-Type: application/json" \
            -d '{ "name": "Orders API", "specification": "'$(base64 -w0 openapi.yaml)'" }'
```
Two things to keep in mind with this layout. The quality gate runs only on pull_request events, so the deploy on main relies on branch protection to guarantee the spec arrived through a gated PR rather than a direct push. And workflows triggered by a pull request from a fork do not receive repository secrets, so on a public repository the token is empty for fork PRs and the validate step fails (closed) rather than passing.
What you got
- Automated quality gate — every spec change checked before merge
- Breaking change detection — caught in the PR, not in production
- Zero UI dependency — everything via API calls in your pipeline
- Same governance — CI/CD, CLI, MCP, and UI all enforce the same rules
- Audit trail — every check, every deploy, every approval recorded
Next steps
- Ship to production — understand the full 8-step pipeline
- Govern existing APIs — bring your current APIs under governance
- Secure for AI agents — agents can trigger the same pipeline