Automate Cerbos policy uploads with the cerbos-store-action GitHub Action
Keeping your authorization policies in sync with your codebase just got easier. We’re introducing the cerbos-store-action, a new GitHub Action that automates the upload of Cerbos policies directly to your Cerbos Hub Store as part of your CI/CD workflow. It is meant for teams that want finer control over uploads than the native GitHub connector built into Hub provides.
Until now, teams used manual scripts or Docker commands to publish policies via cerbosctl. The new action wraps that entire process into a single, declarative step - bringing first-class Cerbos policy delivery automation to every repository.
Why this matters
As teams scale, authorization logic evolves alongside code. Teams need a reliable, repeatable way to publish changes to Cerbos Hub Stores whenever policy files change.
By using the cerbos-store-action, you can:
- Eliminate manual setup and CLI commands
- Automatically detect and publish changed policies
- Keep your Hub Store perfectly aligned with your repo revisions
- Integrate Cerbos into existing CI/CD workflows without custom scripting
It’s part of our growing set of GitHub Actions - alongside the cerbos-setup-action - designed to make policy management frictionless from development to production.
Before: manual Docker commands
Previously, uploading policy changes to Cerbos Hub required steps like this:
- name: Setup Cerbos (:dev)
  run: docker pull ghcr.io/cerbos/cerbosctl:${{env.CERBOS_VERSION}}
- name: Upload policies
  run: |
    docker run --rm \
      -e CERBOS_HUB_STORE_ID=${{ env.CERBOS_HUB_STORE_ID }} \
      -e CERBOS_HUB_CLIENT_ID=${{ secrets.CERBOS_HUB_CLIENT_ID }} \
      -e CERBOS_HUB_CLIENT_SECRET=${{ secrets.CERBOS_HUB_CLIENT_SECRET }} \
      -v "$PWD":/app \
      ghcr.io/cerbos/cerbosctl:${{env.CERBOS_VERSION}} \
      hub store replace-files /app/cerbos/policies
This worked, but it required managing Docker images and environment setup manually.
Now: one declarative action
The new cerbos-store-action replaces all of that with a single YAML block:
- name: Upload Cerbos policies
  uses: cerbos/cerbos-store-action@v1
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    store_id: ${{ secrets.CERBOS_HUB_STORE_ID }}
    client_id: ${{ secrets.CERBOS_HUB_CLIENT_ID }}
    client_secret: ${{ secrets.CERBOS_HUB_CLIENT_SECRET }}
    to_revision: HEAD
    from_revision: main
    subdir: policies # optional
The action will automatically:
- Install or verify the correct version of cerbosctl (if not already set up)
- Compare policy changes between the specified Git revisions
- Push the updated files to your configured Cerbos Hub Store
Works seamlessly with cerbos-setup-action
If your workflow already uses the cerbos-setup-action, this new action integrates cleanly. Together they provide end-to-end automation:
- cerbos-setup-action ensures the correct Cerbos binaries are installed.
- cerbos-store-action handles uploading your policy set to Hub.
Example combined workflow:
name: Deploy policies to Cerbos Hub
on:
  push:
    paths:
      - "cerbos/policies/**"
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Cerbos
        uses: cerbos/cerbos-setup-action@v1
        with:
          version: latest
      - name: Upload policies to Hub
        uses: cerbos/cerbos-store-action@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          store_id: ${{ secrets.CERBOS_HUB_STORE_ID }}
          client_id: ${{ secrets.CERBOS_HUB_CLIENT_ID }}
          client_secret: ${{ secrets.CERBOS_HUB_CLIENT_SECRET }}
          to_revision: HEAD
          from_revision: main
          subdir: cerbos/policies
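A hardened variant of the combined workflow, added here as an example and not taken from the Cerbos documentation. The environment name and every `<...>` value are placeholders, and it assumes that from_revision and to_revision accept any Git revision and that the action reads both revisions from the local clone.

```yaml
# Added example: hardened variant of the combined workflow (not Cerbos' own config).
name: Deploy policies to Cerbos Hub
on:
  push:
    branches: [main]          # only changes merged to main reach the Hub Store
    paths:
      - "cerbos/policies/**"
permissions:
  contents: read              # least privilege for GITHUB_TOKEN
concurrency:
  group: cerbos-hub-upload    # two uploads never run at the same time
  cancel-in-progress: false
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: cerbos-hub   # hypothetical environment that scopes the Hub secrets
    steps:
      - uses: actions/checkout@<full-commit-sha>          # placeholder: pin to a reviewed commit
        with:
          fetch-depth: 0      # assumption: both revisions must exist in the local clone
      - name: Setup Cerbos
        uses: cerbos/cerbos-setup-action@<full-commit-sha>   # placeholder
        with:
          version: <pinned-version>   # placeholder: a fixed release instead of "latest"
      - name: Upload policies to Hub
        uses: cerbos/cerbos-store-action@<full-commit-sha>   # placeholder
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          store_id: ${{ secrets.CERBOS_HUB_STORE_ID }}
          client_id: ${{ secrets.CERBOS_HUB_CLIENT_ID }}
          client_secret: ${{ secrets.CERBOS_HUB_CLIENT_SECRET }}
          # assumption: the inputs accept commit SHAs as well as branch names
          from_revision: ${{ github.event.before }}   # commit main pointed at before this push
          to_revision: ${{ github.sha }}              # commit that triggered the run
          subdir: cerbos/policies
```

Restricting the trigger to main keeps pushes to feature branches from publishing unreviewed policies, and the environment lets you require approval before the Hub credentials are exposed to the job.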
Where to find it
The action is available now in the GitHub Marketplace: cerbos/cerbos-store-action
Full documentation and configuration examples are in the repository README.
If you’re interested in implementing externalized authorization - try out Cerbos for free, or book a call with a Cerbos engineer to see how our solution can help streamline access control in your organization.