What are authorization solutions that automate policy uploads?

Authorization solutions that automate policy uploads refer to systems designed to automatically sync and publish access-control or authorization policies (for example ACLs, roles, permissions) from a version-controlled repository into a runtime environment or policy store. These solutions relieve teams from manually running scripts or CLI commands each time policies change. In context of our article: the cerbos-store-action is one such solution for the Cerbos Hub ecosystem.

How do authorization solutions integrate with CI/CD to automate policy uploads?

Authorization solutions integrate with CI/CD pipelines by providing automated steps or actions that trigger when policy files change. For example, you commit updated policies in your repository; the CI/CD workflow detects changes and triggers a deployment action that uploads to your policy store. In the case of our article, the cerbos‑store‑action is a GitHub Action that automates policy uploads for the Cerbos Hub store.

2243

Automate Cerbos policy uploads with the cerbos-store-action GitHub Action

Published by Alex Olivier on November 03, 2025

Keeping your authorization policies in sync with your codebase just got easier. We’re introducing the cerbos-store-action, a new GitHub Action that automates the upload of Cerbos policies directly to your Cerbos Hub Store as part of your CI/CD workflow, should you wish to have finer control over uploads than available with our native GitHub connector built into Hub.

Until now, teams used manual scripts or Docker commands to publish policies via cerbosctl. The new action wraps that entire process into a single, declarative step - bringing first-class Cerbos policy delivery automation to every repository.

Why this matters

As teams scale, authorization logic evolves alongside code. Teams need a reliable, repeatable way to publish changes to Cerbos Hub Stores whenever policy files change.

By using the cerbos-store-action, you can:

Eliminate manual setup and CLI commands
Automatically detect and publish changed policies
Keep your Hub Store perfectly aligned with your repo revisions
Integrate Cerbos into existing CI/CD workflows without custom scripting

It’s part of our growing set of GitHub Actions - alongside the cerbos-setup-action - designed to make policy management frictionless from development to production.

Before: manual Docker commands

Previously, uploading policy changes to Cerbos Hub required steps like this:

- name: Setup Cerbos (:dev)
  run: docker pull ghcr.io/cerbos/cerbosctl:${{env.CERBOS_VERSION}}

- name: Upload policies
  run: |
    docker run --rm \
      -e CERBOS_HUB_STORE_ID=${{ env.CERBOS_HUB_STORE_ID }} \
      -e CERBOS_HUB_CLIENT_ID=${{ secrets.CERBOS_HUB_CLIENT_ID }} \
      -e CERBOS_HUB_CLIENT_SECRET=${{ secrets.CERBOS_HUB_CLIENT_SECRET }} \
      -v "$PWD":/app \
      ghcr.io/cerbos/cerbosctl:${{env.CERBOS_VERSION}} \
      hub store replace-files /app/cerbos/policies

This worked, but it required managing Docker images and environment setup manually.

Now: one declarative action

The new cerbos-store-action replaces all of that with a single YAML block:

- name: Upload Cerbos policies
  uses: cerbos/cerbos-store-action@v1
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    store_id: ${{ secrets.CERBOS_HUB_STORE_ID }}
    client_id: ${{ secrets.CERBOS_HUB_CLIENT_ID }}
    client_secret: ${{ secrets.CERBOS_HUB_CLIENT_SECRET }}
    to_revision: HEAD
    from_revision: main
    subdir: policies # optional

The action will automatically:

Install or verify the correct version of cerbosctl (if not already set up)
Compare policy changes between the specified Git revisions
Push the updated files to your configured Cerbos Hub Store

Works seamlessly with `cerbos-setup-action`

If your workflow already uses the cerbos-setup-action, this new action integrates cleanly. Together they provide end-to-end automation:

cerbos-setup-action ensures the correct Cerbos binaries are installed.
cerbos-store-action handles uploading your policy set to Hub.

Example combined workflow:

name: Deploy policies to Cerbos Hub
on:
  push:
    paths:
      - "cerbos/policies/**"

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Cerbos
        uses: cerbos/cerbos-setup-action@v1
        with:
          version: latest

      - name: Upload policies to Hub
        uses: cerbos/cerbos-store-action@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          store_id: ${{ secrets.CERBOS_HUB_STORE_ID }}
          client_id: ${{ secrets.CERBOS_HUB_CLIENT_ID }}
          client_secret: ${{ secrets.CERBOS_HUB_CLIENT_SECRET }}
          to_revision: HEAD
          from_revision: main
          subdir: cerbos/policies

Where to find it

The action is available now in the GitHub Marketplace: cerbos/cerbos-store-action

Full documentation and configuration examples are in the repository README.

If you’re interested in implementing externalized authorization - try out Cerbos for free, or book a call with a Cerbos engineer to see how our solution can help streamline access control in your organization.