GitHub Integration Change control for regulated environments
BETA
Seal Logo GitHub Logo

Seal GitHub App for Change Control

Connect GitHub with Seal for automated change control and compliance in regulated environments

Ensure Compliance

FDA, 21 CFR & GxP ready

Automate Workflows

Sync PRs and Issues

Implement Now

Configuration & setup

Built for Regulated Software Development

This integration bridges the gap between modern development workflows and strict regulatory requirements, designed specifically for organizations in regulated industries.

Software as Medical Device (SaMD)

Meet FDA requirements with comprehensive documentation of all code changes. Automatically create and maintain traceability between requirements, change orders, and code implementations to satisfy 21 CFR Part 820 and IEC 62304 compliance.

GxP Regulated Environments

Ensure compliance with Good Practice regulations including 21 CFR Part 11, EU Annex 11, and ISO 13485 by maintaining complete, timestamped audit trails of every change with proper review and approval workflows.

See Integration Features

Integration Features

Choose which GitHub integrations you want to set up with Seal to simplify your development and compliance workflow:

Pull Request Integration

Automatically creates or updates Seal change control instances from GitHub PRs that match configured branch patterns. Monitors Seal status to automate GitHub actions.

  • GitHub → Seal Sync: PR open/edit/sync events update the linked Seal entity's title and fields.
  • Seal → GitHub Automation (Monitoring Required):
    • When Seal entity is `FINISHED` with `Approved` tag: Approves the GitHub PR.
    • When Seal entity is `FINISHED` with `Rejected` tag: Closes the GitHub PR and adds a comment.
  • PR Close → Seal Update: When a PR is closed in GitHub, updates the linked Seal entity's status tag to `Closed` (if entity is in `DRAFT`).
  • Automated status checks and comments on PRs (configurable).
  • Complete traceability from code changes to approvals via linked entities.
  • *(Optional Workflow):* Example GitHub Action provided for code snapshotting (see Step 4).

Issue Tracking (Optional)

Syncs GitHub Issues matching specific labels with Seal entities for defect tracking or linking requirements.

  • Automatic creation/update of Seal entities from labeled GitHub issues.
  • Sync key issue details (title, description, labels, link) to the Seal entity.
  • Update a dedicated 'GitHub Status' field in Seal based on issue state changes (Closed, Reopened, Labeled, Unlabeled).
  • Add a comment to the GitHub Issue linking to the newly created Seal entity (on first sync).
  • Configurable with label-based filtering (`issueLabelRegex`).
View Implement Now

Implement Now

Follow these step-by-step instructions to integrate GitHub with Seal and streamline your regulatory compliance workflow.

Getting Started: This comprehensive setup guide includes core functionality and optional features. Each optional component is clearly marked, so you can focus on just the parts you need.
Before You Begin: You'll need admin access to both your GitHub organization and Seal account.

Prepare Your Seal Environment

First, configure your Seal account with the necessary templates and permissions:

  1. Create a Change Control Template in Seal (Required for PR Sync):
    • Required Fields: Add fields corresponding to the data synced from GitHub. Recommended names:
      • Description of Change (Text/Rich Text)
      • PR Number (Text or Number)
      • PR Link (Text/URL)
      • Repository Name (Text)
      • Repository ID (Text)
      • PR Title (Text)
    • Required Status Tags (for Monitoring): If using the automated PR approval/rejection monitoring, configure your template's workflow status states to include Status Tags named exactly:
      • Approved
      • Rejected
  2. Create an Issue Tracking Template in Seal (Optional - Required for Issue Sync):
    • Required Fields: Add fields corresponding to the data synced from GitHub Issues. Field names **must match exactly**:
      • GitHub Issue Number (Text or Number)
      • GitHub Issue Title (Text)
      • Issue Description (Text/Rich Text)
      • GitHub Issue Link (Text/URL)
      • GitHub Issue Labels (Text)
      • Repository Name (Text)
      • GitHub Status (**Single Select** Type): Must have options with these exact values:
        • Unresolved
        • Resolved in Main
        • Untagged
  3. Entity Lookup Strategy (Important):
    • The app primarily finds existing entities by searching the main **Entity Title** for specific markers:
      • PRs: `(#PR_NUMBER)` (e.g., `My Feature (#123)`)
      • Issues: `(REPO_NAME#ISSUE_NUMBER)` (e.g., `Fix Login Bug (my-repo#45)`)
  4. Publish both templates - Templates must be published to be accessible via API.
  5. Generate a Seal API token:
  6. Collect Seal IDs & URLs:
    • Copy the **Template ID** for each template from its URL.
    • Note your Seal **Organization ID** and **Organization Name** (from URL/Settings).
    • Note your Seal **Platform Base URL** (e.g., us.platform.seal.run) and **API Base URL** (e.g., https://us.backend.seal.run/api/).
Field names must match exactly what's specified in the configuration.

Install the GitHub App

  1. Go to the GitHub Marketplace:
  2. Choose Installation Scope:
    • Select "All repositories" or choose specific repositories
    • For a production setup, we recommend starting with a single test repository
  3. Authorize the Installation with your GitHub credentials
  4. Verify Installation in your GitHub organization settings under "GitHub Apps"
The GitHub App requires specific permissions to function correctly. Review the permissions during installation.

Configure GitHub Secrets & Repository File

Set up the necessary secrets and configuration file in your GitHub organization/repository:

  1. Configure GitHub Secrets: Add the following secrets at the Organization or Repository level (Repository secrets override Org secrets):
    • SEAL_API_TOKEN: Your Seal API token generated earlier.
  2. Create Configuration File: Create .github/seal-change-control-config.yml in your repository.
  3. Add your configuration using the template below (replace placeholders): 
# .github/seal-change-control-config.yml

# --- Core Settings (Required) ---
sealTemplateId: "YOUR_SEAL_CHANGE_CONTROL_TEMPLATE_ID"
sealApiBaseUrl: "https://YOUR_SEAL_API_BASE_URL/" # Must end with /
platformBaseUrl: "YOUR_SEAL_PLATFORM_BASE_URL" # e.g., us.platform.seal.run

# --- Branch Filtering (Required for PR Sync) ---
sourceBranchRegex: "^YOUR_FEATURE_BRANCH_PATTERN$" # e.g., "^feature/" or "^(feature/|hotfix/|chore/)" for multiple
targetBranchRegex: "^YOUR_RELEASE_BRANCH_PATTERN$" # e.g., "^main$" or "^(main|develop|release/.*)$" for multiple

# --- Issue Tracking (Optional - Required for Issue Sync) ---
issueSyncTemplateId: "YOUR_SEAL_ISSUE_TEMPLATE_ID" # Required if syncing issues
issueLabelRegex: "(bug|defect|seal)" # Regex for labels to trigger issue sync

# --- User Feedback Configuration (Optional) ---
# --- Testing ---
isTesting: true # Set true for detailed logs during setup, false for production
The Seal API Token and Org ID are configured via GitHub Secrets, not directly in this file.

Optional: Setup Automated Workflows via GitHub Actions

Note: This section describes optional, example GitHub Action workflows, not built-in features of the Seal GitHub App itself. You need to implement these Actions in your repository if you require these specific automations.
Branch Patterns: GitHub Actions use glob patterns (like 'feature/*', 'main') and multiple patterns are added as separate array entries. This is different from Seal's regex patterns which use the | operator. Common example: trigger on both 'r[0-9]+.x' AND 'feature/*' branches.

Enhance your integration by adding GitHub Actions for tasks like snapshotting code or uploading build artifacts directly to Seal.

Example 1: Codebase Snapshot using Docker Action

This action creates a ZIP archive of your PR's codebase and uploads it to a specified field in the corresponding Seal entity.

  1. Add Field in Seal: Add a "Reference" type field (e.g., Code Snapshot) to your Seal Change Control template. Enable "Allow Multiple" if desired.
  2. Create Workflow File: Add this workflow to .github/workflows/codebase_snapshot.yml.
  3. Configure Secrets: Ensure the SEAL_API_TOKEN secret is configured in GitHub.
  4. (Optional) Create File Type in Seal: You might need to create a file type (e.g., GitHub-Artifacts) in Seal Admin settings if the action specifies one (seal_file_type_title).
# .github/workflows/codebase_snapshot.yml
name: Codebase Snapshot via Image

on:
  pull_request:
    # Trigger on PRs targeting specific branches, e.g., release branches
    branches:
      - 'r[0-9]+.x' # Release branches like r1.x, r2.x
      - 'feature/*' # All feature branches
      - 'main' # Main branch
      - 'develop' # Develop branch

# Required permissions for the action
permissions:
  contents: read
  pull-requests: read
  packages: read # Needed to read docker image from GHCR

jobs:
  codebase_snapshot_via_image:
    runs-on: ubuntu-latest
    steps:
      # Step 1: Checkout code (needed for the action to archive)
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Recommended for accurate snapshot

      # Step 2: Run the Docker container action
      - name: Create and Upload Seal Snapshot
        # Use the specific Docker image from GHCR
        uses: docker://ghcr.io/opvia/codebase-snapshot-action:latest # Use a specific version tag in production
        with:
          # Seal API Configuration
          seal_api_token: ${{ secrets.SEAL_API_TOKEN }}
          seal_api_base_url: 'https://YOUR_SEAL_API_BASE_URL/' # e.g., https://us.backend.seal.run/api/
          
          # Seal Template and Field Configuration
          seal_template_id: 'YOUR_SEAL_CHANGE_CONTROL_TEMPLATE_ID' # From Step 1
          seal_snapshot_field_name: 'Code Snapshot' # Field created in Seal
          seal_file_type_title: 'GitHub-Artifacts' # Optional: Categorizes file in Seal

          # Snapshot Configuration
          exclude_patterns: '.git/* node_modules/* dist/* build/*' # Space-separated
          archive_type: 'zip' # Or 'tar.gz'
Entity Lookup: This action typically finds the Seal entity using a **Computed Title** format like ${Repository Name}-${PR Number}. Ensure this is configured on your Seal Change Control template if using this action.

Example 2: Upload Release Artifacts using Repository Action

This action uploads specified build artifacts (like binaries, documentation PDFs) from your workflow run to a Seal entity.

  1. Add Field in Seal: Add a "Reference" type field (e.g., Release Artifact(s)) to your Seal Change Control template. Enable "Allow Multiple".
  2. Create Workflow File: Add this workflow to .github/workflows/upload_artifacts.yml (or integrate steps into your existing build/release workflow).
  3. Configure Secrets: Ensure the SEAL_API_TOKEN secret is configured in GitHub.
  4. (Optional) Create File Type in Seal: Define a relevant file type (e.g., GitHub-Artifacts) in Seal Admin settings if using seal_file_type_title.
# .github/workflows/upload_artifacts.yml
name: Upload Release Artifacts to Seal

on:
  pull_request: # Or on: release, workflow_dispatch, etc.
    branches:
      - 'r[0-9]+.x' # Release branches like r1.x, r2.x
      - 'feature/*' # All feature branches
      - 'main' # Main branch
      - 'develop' # Develop branch

# Required permissions
permissions:
  contents: read
  pull-requests: read

jobs:
  build_and_upload_artifacts:
    runs-on: ubuntu-latest
    steps:
      # Step 1: Checkout code
      - name: Checkout Code
        uses: actions/checkout@v4

      # Step 2: Build your project / Generate artifacts (Example)
      # - name: Build Project
      #   run: npm run build # Replace with your build command
      # - name: Create Dummy Artifact
      #   run: echo "Release artifact content" > release_artifact.txt

      # Step 3: Use the Seal GitHub Action to upload
      - name: Upload Artifacts to Seal
        # Use the action directly from its repository
        uses: opvia/seal-github-actions/.github/actions/upload-artifacts@main # Use specific ref/tag
        with:
          # Seal API Configuration
          seal_api_token: ${{ secrets.SEAL_API_TOKEN }}
          seal_api_base_url: 'https://YOUR_SEAL_API_BASE_URL/'

          # Seal Template and Field Configuration
          seal_template_id: 'YOUR_SEAL_CHANGE_CONTROL_TEMPLATE_ID'
          seal_field_name: 'Release Artifact(s)' # Field created in Seal
          seal_file_type_title: 'GitHub-Artifacts' # Optional: Categorizes files

          # --- Specify Artifacts to Upload ---
          # Use glob patterns relative to the workspace root
          artifact_patterns: dist/**/*.js,docs/*.pdf,release_artifact.txt # Add more patterns as needed

Test the Integration

Verify everything works by testing the complete PR workflow:

  1. Create a test branch that matches your sourceBranchRegex pattern
  2. Make a simple change and commit it to your test branch
  3. Create a pull request targeting a branch that matches your targetBranchRegex
  4. Wait for GitHub Actions to complete if you're testing artifact tracking
  5. Check the PR comments - You should see a comment with a link to the Seal change control instance
  6. Verify in Seal that a new change order was created with the correct information

Verification checklist:

☐ GitHub App installed & authorized
☐ Relevant PR creates/updates Seal entity
☐ Relevant PR receives status check (if enabled)
☐ Relevant PR receives comment linking to Seal (if enabled)
☐ Closing relevant PR updates Seal status tag & adds comment
☐ Issue with relevant label creates/updates Seal entity
☐ Closing/Labeling/Unlabeling relevant Issue updates Seal 'GitHub Status' field
☐ Monitoring: Approving Seal entity approves GitHub PR (if enabled)
☐ Monitoring: Rejecting Seal entity closes GitHub PR & adds comment (if enabled)
☐ (Optional) Code snapshot / Artifact upload Actions run and link files to Seal entity
Testing in isTesting: true mode provides detailed logs to help troubleshoot any issues.

Troubleshooting

Common Installation Issues
  • PR doesn't create a Seal change control instance
    • Verify branch patterns match your sourceBranchRegex and targetBranchRegex
    • Check that your Seal API token has proper permissions
    • Ensure the template ID is correct and the template is published
    • Check GitHub App logs for detailed error messages
  • Template not found errors
    • Confirm your template IDs are correct in the configuration
    • Make sure templates are published in Seal, not just saved as drafts
  • Field updates fail
    • Verify field names match exactly what's in your configuration
    • Check field permissions in Seal to ensure they allow API updates
  • Authentication failures
    • Regenerate your API token and update the configuration
    • Verify the API token hasn't expired
    • Confirm the sealApiBaseUrl is correct for your region
Viewing Logs

When isTesting: true is set, detailed logs will be available:

  • Check PR comments for detailed debugging information
  • GitHub Action logs will contain integration diagnostic messages
  • For detailed API interaction logs, contact Seal support

Production Deployment

Once you've verified everything works correctly, finalize your production setup:

  1. Update configuration to disable test mode: 
    isTesting: false  # Change to false for production use
  2. Consider security best practices:
    • Limit repository access to authorized personnel
    • Implement regular API token rotation
  3. Extend to additional repositories as needed
  4. Document your configuration for your organization
  5. Train your team on how to use the integration
Looking for future enhancements? Contact your Seal representative for information about upcoming features on our roadmap.