CI/CD & Automation
Use the same explicit workflow in automation that you use locally: initialize, capture, run dataset workflows, publish.
Authentication
HF_TOKEN is the preferred CI path:
export HF_TOKEN=hf_...
You do not need to run opentraces auth login when HF_TOKEN is already set in the environment.
Recommended Pattern
For headless runs, seed from a JSONL file produced earlier in the pipeline:
opentraces init --agent claude-code
opentraces dataset new my-import --rows-file rows.jsonl --schema schema.json
opentraces dataset review approve my-import --all
opentraces dataset publish my-import --to my-org/dataset
Workflow-driven runs (opentraces dataset new my-dataset --workflow my-workflow --schema schema.json, then opentraces dataset run my-dataset) have two
executors. --executor current-agent is the human/agent-in-the-loop path: it
writes RUN.md instructions and executes no script, so it needs a live agent
session and is not a CI pattern by itself. --executor script is the
deterministic CI path: it subprocess-runs the workflow package's
scripts/build_rows.py with the run packet on OT_RUN_PACKET/
OT_DATASET_OUTPUT, under an isolated-subprocess primitive (allowlisted env,
redirected $HOME) with no live agent required — this is the executor CI
should use for a workflow-backed dataset:
opentraces dataset run my-dataset --executor script --json
Before executing, the run re-verifies the installed workflow package's digest
against the digest the dataset pinned; a mismatch warns by default or, under
--strict, fails the run before anything executes:
opentraces dataset run my-dataset --executor script --strict --json
The historical claude-code-headless executor value was a permanent stub
that never produced rows; it has been removed (the workflow engine collapse,
seal-family M1) and dataset run --executor now only accepts
current-agent/script. The value stays readable on old serialized records
so they still deserialize, and a recurring dataset schedule trigger stored
against the removed value is coerced onto script when its next run command
is regenerated.
Health Checks
Run these before a gated publish:
opentraces doctor
opentraces doctor --security
opentraces status --short
opentraces status is the fleet bucket safety dashboard: it reports how many captured traces are cleared for sync versus still unscanned, and the "safe to sync" verdict is structurally impossible while any trace is unscanned. --short prints a stable, scriptable one-line summary (clean / not-cleared / empty) suitable for a CI gate; use --json for the full opentraces.bucket.status.v1 envelope.
If you rely on optional integrations, configure them explicitly in automation:
opentraces setup trufflehog --enable
opentraces setup privacy-filter --enable
Those commands assume the required binary or endpoint is already available. LLM row review is no longer configured through setup llm-review (that command is hidden but still callable); the canonical row-review surface is opentraces dataset review / opentraces dataset publish, which apply LLM verdicts as part of the dataset workflow when the workflow requires it.
GitHub Actions Example
- name: Install opentraces
run: pipx install opentraces
- name: Initialize project
env:
HF_TOKEN: ${{ secrets.HF_TOKEN }}
run: opentraces init --agent claude-code
- name: Create dataset from prepared rows
env:
HF_TOKEN: ${{ secrets.HF_TOKEN }}
run: |
opentraces dataset new ci-dataset --rows-file rows.jsonl --schema schema.json
- name: Approve and publish
env:
HF_TOKEN: ${{ secrets.HF_TOKEN }}
run: |
opentraces dataset review approve ci-dataset --all
opentraces dataset remote create ci-dataset my-org/dataset --private
opentraces dataset publish ci-dataset
Notes
- Use
--private(the default fordataset remote create) for proprietary codebases - Use
dataset publish --to owner/datasetfor one-shot destination overrides - Use
dataset publish --check-onlyto validate gates without uploading - Optional LLM review runs inside the workflow; rows arrive at
publishalready verdicted when the workflow requires it