Organization Setup

Use this when one org-level setup should cover many repositories. The pattern is: set credentials once at the organization level, then run Warden from shared .github workflow conventions.

Go to Organization Settings > Secrets and variables > Actions, then add:

  • WARDEN_MODEL (string): Fallback model selector for repos that do not set a model in warden.toml.
  • WARDEN_OPENAI_API_KEY (secret): OpenAI key for OpenAI Pi models.
  • WARDEN_ANTHROPIC_API_KEY (secret): Anthropic key for Anthropic Pi models or Claude runtime.
  • WARDEN_SENTRY_DSN (optional): Optional telemetry DSN.

For branded comments and org-wide repository access:

    npx @sentry/warden setup-app --org your-org

The generated app uses these permissions:

  • contents: write
  • pull_requests: write
  • issues: write
  • checks: write
  • metadata: read

Add these org secrets after app creation:

  • WARDEN_APP_ID (string): GitHub App ID.
  • WARDEN_PRIVATE_KEY (secret): Full PEM private key contents.

Keep a canonical workflow in your org .github repository and have repos consume that convention.

.github/workflows/warden.yml

    name: Warden
    on:
      pull_request:
        types: [opened, synchronize, reopened]
    jobs:
      warden:
        runs-on: ubuntu-latest
        # The job's own GITHUB_TOKEN stays read-only; Warden uses the app token minted below.
        permissions:
          contents: read
        env:
          WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}
          WARDEN_OPENAI_API_KEY: ${{ secrets.WARDEN_OPENAI_API_KEY }}
          WARDEN_ANTHROPIC_API_KEY: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }}
          WARDEN_SENTRY_DSN: ${{ secrets.WARDEN_SENTRY_DSN }}
        steps:
          # Check out the pull request's head commit.
          - uses: actions/checkout@v4
            with:
              ref: ${{ github.event.pull_request.head.sha }}
          # Mint an installation token for the Warden GitHub App.
          - uses: actions/create-github-app-token@v2
            id: app-token
            with:
              app-id: ${{ secrets.WARDEN_APP_ID }}
              private-key: ${{ secrets.WARDEN_PRIVATE_KEY }}
              owner: ${{ github.repository_owner }}
          - uses: getsentry/warden@v0
            with:
              github-token: ${{ steps.app-token.outputs.token }}

Use organization rulesets to roll Warden out gradually:

  • Enforcement status: Evaluate while you are testing.
  • Target repositories: the repos you want covered.
  • Target branches: default branch.
  • Required workflows: select the Warden workflow.

If warden.toml is missing, Warden logs a warning and skips analysis. Once a repo adds warden.toml, it is analyzed normally.

Org-wide workflows still fail for real errors:

  • Missing authentication or GitHub token.
  • Invalid warden.toml.
  • Action runtime failures.
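
The skip and failure cases above can be told apart before the Warden step runs. The shell function below is an added example, not part of Warden or of this page's workflow; the name warden_preflight, its result strings, and the rule that at least one provider key must be set are assumptions.

```shell
#!/bin/sh
# Added example, not part of Warden. Function name and result strings are
# hypothetical. Prints one of: ok | skip:<reason> | fail:<reason>
warden_preflight() {
    repo_dir=${1:-.}

    # Per the page: no warden.toml means analysis is skipped, not failed.
    if [ ! -f "$repo_dir/warden.toml" ]; then
        echo "skip:no warden.toml"; return 0
    fi

    # App credentials consumed by actions/create-github-app-token.
    if [ -z "${WARDEN_APP_ID:-}" ]; then
        echo "fail:WARDEN_APP_ID is empty"; return 1
    fi
    if [ -z "${WARDEN_PRIVATE_KEY:-}" ]; then
        echo "fail:WARDEN_PRIVATE_KEY is empty"; return 1
    fi

    # "Full PEM private key contents": inspect only the shape, never echo
    # the key. CRs and blank lines are dropped before counting lines.
    pem=$(printf '%s\n' "$WARDEN_PRIVATE_KEY" | tr -d '\r' |
          sed '/^[[:space:]]*$/d')
    count=$(printf '%s\n' "$pem" | wc -l | tr -d ' ')
    if [ "$count" -lt 3 ]; then
        echo "fail:WARDEN_PRIVATE_KEY is not a multi-line PEM"; return 1
    fi
    first=$(printf '%s\n' "$pem" | sed -n '1p')
    last=$(printf '%s\n' "$pem" | sed -n '$p')
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "fail:WARDEN_PRIVATE_KEY has no PEM BEGIN line"; return 1 ;;
    esac
    case $last in
        "-----END "*"PRIVATE KEY-----") ;;
        *) echo "fail:WARDEN_PRIVATE_KEY has no PEM END line"; return 1 ;;
    esac

    # Assumption: at least one provider key must be present; this does not
    # match the key to the model chosen in warden.toml or WARDEN_MODEL.
    if [ -z "${WARDEN_OPENAI_API_KEY:-}" ] &&
       [ -z "${WARDEN_ANTHROPIC_API_KEY:-}" ]; then
        echo "fail:no provider API key set"; return 1
    fi
    echo "ok"
}
```

The workflow above passes WARDEN_APP_ID and WARDEN_PRIVATE_KEY only as action inputs, so a step calling this function needs them mapped into its own env from the same secrets.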