CI and GitHub Actions setup

Wire Signal Diff into your pipeline after deploy or on pull requests. This guide covers repository secrets, a minimal workflow, fail policies, automated PR risk reports, and optional agent routing—no repository docs required.

On this page

Prerequisites

Paid plan — CI triggers require API access. View plans and start a free trial if needed.
API key — Sign in and create a key on Developers → API keys. Copy it when shown; it cannot be retrieved later.
GitHub repository secrets — Add SIGNALDIFF_API_BASE_URL and SIGNALDIFF_CI_API_KEY under Settings → Secrets and variables → Actions.
Reachable sitemap — Your workflow needs a public sitemap URL after deploy, or use customer agent routing for internal targets.

Repository secrets

SIGNALDIFF_API_BASE_URL must be your site origin—not a path ending in /api.

Use the scheme and host only, for example https://signaldiff.dev. signal-diff-action calls POST {api_base_url}/api/trigger/ci. If you set https://example.com/api, the action posts to https://example.com/api/api/trigger/ci → 404.

Correct: https://signaldiff.dev. Wrong: https://signaldiff.dev/api.

Secret	Value
`SIGNALDIFF_API_BASE_URL`	Signal Diff site origin (e.g. `https://signaldiff.dev`)
`SIGNALDIFF_CI_API_KEY`	Your API key from Developers → API keys (shown once at creation)

Optional repository variable SIGNALDIFF_DEFAULT_SITEMAP_URL (e.g. https://example.com/sitemap.xml) when you trigger on pull_request without passing sitemap_url in the workflow.

Minimal workflow

Add a workflow file (for example .github/workflows/signal-diff.yml) using funkysi1701/signal-diff-action@v1.9. Run it after your site is reachable.

name: Signal Diff Crawl
on:
  pull_request:
  workflow_dispatch:

jobs:
  crawl:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: funkysi1701/signal-diff-action@v1.9
        with:
          api_base_url: ${{ secrets.SIGNALDIFF_API_BASE_URL }}
          api_key: ${{ secrets.SIGNALDIFF_CI_API_KEY }}
          sitemap_url: https://example.com/sitemap.xml
          fail_mode: error
          comment_on_pr: ${{ github.event_name == 'pull_request' }}
          collect_code_changes: true
          risk_score_enabled: true
          github_token: ${{ github.token }}

Pin a specific release tag (e.g. signal-diff-action@v1.9) in production. See the signal-diff-action README for all inputs, outputs, and advanced options (including inline_annotations).

Fail mode (`fail_mode`)

The action passes fail_mode to the API. After the crawl completes, the workflow fails when the policy is violated. Crawl execution failures (timeouts, unreachable sitemap) always fail the job regardless of mode.

Value	When the workflow fails	Typical use
`none`	Never, based on finding counts	Report-only runs, collecting baselines, or experimenting on staging
`error`	When `errorCount > 0`	Default release gate—block merges when SEO errors appear
`errorOrWarning`	When `errorCount > 0` or `warningCount > 0`	Stricter gates for high-risk pages or pre-production branches

For pull requests, prefer gating on new findings since the CI baseline—not raw totals alone. See Baselines and diffs.

Automated PR risk analysis

When comment_on_pr: true on pull-request runs, the action posts a decision-focused Signal Diff Report—not a crawl status notification. The report answers “should I merge this?” by combining SEO run-diff results with repository change signals. The same report is appended to the GitHub Actions step summary. Comment failures are best-effort and do not fail the workflow.

Report sections (from signal-diff-action@v1.7 onward):

Verdict — pass/fail for your fail_mode plus a severity label (Critical, Warning, Info, Improved, or Compared)
Summary table — rule-based risk score (0–10, Low/Medium/High), SEO errors/warnings, new vs resolved findings, files changed, pages crawled
Files requiring review — high-attention changed paths (auth, payment, migrations, production config, etc.) with human-readable reasons
SEO findings (vs baseline) — headline, impact summary, grouped new findings, baseline before/after counts (separate from repository changes)
Repository changes — GitHub compare link and file categorization (code, tests, config, …)
Links — Signal Diff scan URL and workflow run

Example output (abbreviated):

## Signal Diff Report

**Verdict:** Pass (fail_mode: error) · Compared

| Metric | Value |
| --- | --- |
| Risk score | Medium (4.2/10) |
| SEO errors | 0 |
| SEO warnings | 2 |
| New findings | 0 |
| Resolved | 1 |
| Files changed | 10 |
| Pages crawled | 24 |

### Files requiring review
- src/Auth/JwtProvider.cs — security-sensitive area

### SEO findings (vs baseline)
No new run-diff findings vs baseline. Baseline: 12 findings → current: 12.

### Repository changes
10 files changed (code: 8, tests: 1, config: 1)

Optional inputs (see the signal-diff-action README for defaults and full reference):

Input	Purpose
`risk_score_enabled`	Include rule-based PR risk score in the summary table (default `true`; no AI)
`inline_annotations`	Post inline review comments on high-risk changed files (default `false`; requires `collect_code_changes: true`)
`annotation_max_files`	Cap inline annotations when `inline_annotations` is enabled (default `3`)
`max_new_findings_in_comment`	Cap new run-diff findings listed in the SEO section (default `5`)

SEO URL findings are not mapped to repository lines—use the summary comment and scan link for on-site regressions. Inline annotations cover repository paths only (auth, payment, migrations, production config, etc.).

Permissions:

pull-requests: write — required when comment_on_pr or inline_annotations is enabled
contents: read — required for GitHub Compare and the code-change summary attached to the job

permissions:
  contents: read
  pull-requests: write

Agent routing in CI

Targets only reachable from your network (staging behind VPN, internal hosts) should use a customer agent instead of the default cloud crawl. Pass these action inputs (enroll agents on Customer agents first):

execution_mode: agent
agent_pool_id: production (must match the pool on your enrolled agent)

- uses: funkysi1701/signal-diff-action@v1.9
  with:
    api_base_url: ${{ secrets.SIGNALDIFF_API_BASE_URL }}
    api_key: ${{ secrets.SIGNALDIFF_CI_API_KEY }}
    sitemap_url: https://internal.example/sitemap.xml
    fail_mode: error
    execution_mode: agent
    agent_pool_id: production

Where to see results

Signal Diff dashboard — Full report at /scan/{jobId}; trigger shows as CI with repository, commit, branch, and pull request context when supplied.
GitHub Actions — Workflow logs and optional PR risk report comment.
Run diff — Compare against the prior CI run on the same repository and sitemap when available. See Baselines and diffs.

Troubleshooting

Symptom	Likely fix
404 on `/api/trigger/ci`	`SIGNALDIFF_API_BASE_URL` includes `/api`—use origin only
401 on trigger	Wrong or expired `SIGNALDIFF_CI_API_KEY`; rotate on Developers → API keys — see lifecycle guide
429 concurrent crawl limit	Wait for or cancel pending/running jobs on your organization (including customer-agent crawls). See concurrent crawl limits.
No PR risk report	Add `pull-requests: write`; confirm `comment_on_pr: true` on PR events
No code-change summary	Add `contents: read`; first run on a repo/sitemap has no baseline yet

More edge cases (WAF, health checks, webhooks, self-hosted Trigger:CiApiKey) are in the repository guide docs/github-action-seo-crawler-setup.md. See also the consolidated Troubleshooting guide.