Skip to content
Agent Package Manager

APM in CI/CD

APM integrates into your CI/CD pipeline to ensure agent context is always up to date and compiled correctly.

GitHub Actions

Section titled “GitHub Actions”

Use the official apm-action to install APM and run commands in your workflows:

.github/workflows/apm.yml
name: APM
on:
  push:
    branches: [main]
  pull_request:


jobs:
  compile:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4


      - name: Install APM & compile
        uses: microsoft/apm-action@v1
        with:
          commands: |
            apm install
            apm compile --verbose

Private Dependencies

Section titled “Private Dependencies”

For private repositories, pass a GitHub token:

      - name: Install APM & compile
        uses: microsoft/apm-action@v1
        with:
          commands: |
            apm install
            apm compile
        env:
          GITHUB_APM_PAT: ${{ secrets.APM_PAT }}

Verify Compiled Output

Section titled “Verify Compiled Output”

Add a check to ensure AGENTS.md stays in sync with apm.yml:

      - name: Check for drift
        run: |
          apm compile
          git diff --exit-code AGENTS.md CLAUDE.md || \
            (echo "Compiled output is out of date. Run 'apm compile' locally." && exit 1)

Azure Pipelines

Section titled “Azure Pipelines”
steps:
  - script: |
      curl -sSL https://raw.githubusercontent.com/microsoft/apm/main/install.sh | sh
      apm install
      apm compile
    displayName: 'APM Install & Compile'
    env:
      ADO_APM_PAT: $(ADO_PAT)

General CI

Section titled “General CI”

For any CI system with Python available:

Terminal window
pip install apm-cli
apm install
apm compile --verbose

Governance with apm audit

Section titled “Governance with apm audit”

Run apm audit --ci in pull requests to verify the lock file matches the installed state. This catches configuration drift before it reaches your default branch.

.github/workflows/apm-audit.yml
name: APM Audit
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: microsoft/apm-action@v1
        with:
          commands: |
            apm install
            apm audit --ci
        env:
          GITHUB_APM_PAT: ${{ secrets.APM_PAT }}

Configure this workflow as a required status check in your branch protection rules (or GitHub Rulesets) to block PRs that introduce config drift. See the Governance & Compliance page for policy details.

Pack & Distribute

Section titled “Pack & Distribute”

Use apm pack in CI to build a distributable bundle once, then consume it in downstream jobs without needing APM installed.

Pack in CI (build once)

Section titled “Pack in CI (build once)”
- uses: microsoft/apm-action@v1
  with:
    commands: |
      apm install
      apm pack --archive --target all
- uses: actions/upload-artifact@v4
  with:
    name: agent-config
    path: build/*.tar.gz

Consume in another job (no APM needed)

Section titled “Consume in another job (no APM needed)”
- uses: actions/download-artifact@v4
  with:
    name: agent-config
- run: tar xzf build/*.tar.gz -C ./

Or use the apm-action restore mode to unpack a bundle directly:

- uses: microsoft/apm-action@v1
  with:
    bundle: ./agent-config.tar.gz

See the Pack & Distribute guide for the full workflow.

Best Practices

Section titled “Best Practices”
  • Pin APM version in CI to avoid unexpected changes: pip install apm-cli==0.7.7
  • Commit apm.lock so CI resolves the same dependency versions as local development
  • Run apm compile in CI and fail the build if the output differs from what’s committed — this catches drift early
  • Use GITHUB_APM_PAT for private dependencies; never use the default GITHUB_TOKEN for cross-repo access