The governance-first execution primitive for Salesforce DevOps.
GlassOps Runtime is a specialized GitHub Action wrapper that provides a governed, secure, and observable execution environment for Salesforce CLI operations. It enforces policy before execution, bootstraps the environment, manages identity securely, and emits a cryptographic deployment contract.
Use GlassOps Runtime in your GitHub Actions workflow to securely interact with Salesforce:
steps:
- name: Initialize GlassOps Runtime
uses: glassops-platform/glassops-runtime@v1
with:
# Identity
client_id: ${{ secrets.SF_CLIENT_ID }}
jwt_key: ${{ secrets.SF_JWT_KEY }}
username: ${{ vars.SF_USERNAME }}
instance_url: https://login.salesforce.com
# Governance
enforce_policy: "true" # Enforce freeze windows & rulesGlassOps Runtime looks for a devops-config.json file in your repository root to define governance policies and runtime settings.
{
"governance": {
"enabled": true,
"analyzer": {
"enabled": true,
"opinionated": true,
"severity_threshold": 1,
"rulesets": ["Security", "Performance"]
},
"freeze_windows": [
{
"day": "Friday",
"start": "17:00",
"end": "23:59"
},
{
"day": "Saturday",
"start": "00:00",
"end": "23:59"
},
{
"day": "Sunday",
"start": "00:00",
"end": "23:59"
}
]
},
"runtime": {
"cli_version": "latest",
"node_version": "20"
}
}| Requirement | Specification |
|---|---|
| Node.js | v20+ (managed via node_version) |
| Salesforce CLI | sf (v2.x) |
| Auth Method | JWT-OAuth 2.0 (Strict Identity) |
| Protocol Schema | Zod-validated Deployment Contract v1.0 |
GlassOps Runtime executes in 6 Strictly Defined Phases:
Phase 0: Cache Retrieval: Restores the environment from the Protocol-Linked Cache to minimize bootstrap latency.
Phase 1: Policy Phase: Evaluates governance windows using a UTC-deterministic engine to ensure global policy consistency.
Phase 2: Bootstrap Phase: Installs the CLI version explicitly defined in your governance policy to prevent version drift.
Phase 3: Static Analysis (BR-003): (Optional) Executes sf code-analyzer against the codebase. Enforces quality gates by failing execution if critical violations are found, strictly rejecting deprecated sf scanner usage.
Phase 4: Identity Phase: Securely authenticates the session and resolves the Identity Contract.
Phase 5: Contract Validation: Normalizes session metadata into the machine-readable Deployment Contract v1.0.
Phase 6: Output Signal: Emits the glassops_ready primitive to authorize downstream execution.
GlassOps Runtime maintains strict alignment between business requirements and technical implementation.
- Requirements Traceability Matrix (RTM): Maps business processes (e.g., BR-003) to test scenarios.
- Test Coverage Matrix (TCM): Maps test scenarios to actual test files and coverage status.
We welcome contributions! Please see CONTRIBUTING.md for guidelines on how to build, test, and submit PRs.
Apache-2.0