ReleaseOps · Connectors

CI/CD connectors.

What each ReleaseOps connector reads, what it doesn't, and how to authorize. Every connector is read-only by default; write access (orchestrating approvals, creating Change Requests) is opt-in per system.

The model

Every connector authenticates with the minimum scopes required to read release telemetry. Write operations are opt-in per connector and per action class. Tokens never leave Axiom; they're encrypted at rest and never logged.

GitHub

  • Auth method: GitHub App installation (org-level)

What Axiom reads

  • · Branch protection rules
  • · Required reviewers
  • · Workflow runs + deployment events
  • · Pull requests + reviews
  • · Release tags + notes
  • · Repository configuration

What Axiom does NOT read

  • · Source code contents (Axiom never clones repos)
  • · Issue contents
  • · GitHub Secrets values
  • · Private user data

Org admin must approve the App installation if your org has restrictions. Webhook delivery is real-time.

GitLab

  • Auth method: Project or Group access token (scoped: api, read_repository)

What Axiom reads

  • · CI/CD pipelines + jobs
  • · Merge request reviews
  • · Protected branches
  • · Deployment history
  • · Project settings

What Axiom does NOT read

  • · File contents in repos
  • · Issue contents
  • · CI/CD variables values
  • · Personal user tokens

Self-hosted GitLab is supported via custom base URL. Token rotation supported via Settings → Connections.

Azure DevOps

  • Auth method: Service Connection (Personal Access Token, scopes: Code-Read, Build-Read, Release-Read)

What Axiom reads

  • · Build pipelines + runs
  • · Release pipelines + deployments
  • · Branch policies
  • · Pull request approvals
  • · Service connections (metadata)

What Axiom does NOT read

  • · Source code
  • · Pipeline variables (secret-marked)
  • · Work item details

Personal Access Tokens expire — Axiom warns 14 days before expiration and prompts for rotation.

Jenkins

  • Auth method: API token + Crumb (per Jenkins user with appropriate read permissions)

What Axiom reads

  • · Job/pipeline metadata
  • · Build history + statuses
  • · Pipeline definitions (Jenkinsfile metadata)
  • · Build artifacts metadata (not contents)

What Axiom does NOT read

  • · Build artifact contents
  • · Credentials store
  • · Jenkins user passwords

Network reachability required — Axiom polls Jenkins APIs. Self-hosted with reverse proxy supported via outbound webhook.

ArgoCD

  • Auth method: ArgoCD project token (scope: applications, get)

What Axiom reads

  • · Application sync state
  • · Deployment history
  • · Health status
  • · Project + cluster configuration

What Axiom does NOT read

  • · Manifest contents beyond app metadata
  • · Cluster credentials

Each Application sync registers as a release event. Sync failures surface in the activity feed.

ServiceNow

  • Auth method: OAuth 2.0 application + service account (scopes: change_request:read, change_request:write)

What Axiom reads

  • · Change Request status + approvals
  • · CR fields relevant to release

What Axiom does NOT read

  • · Other ServiceNow modules (Incident, Problem, CMDB) — opt-in separately

Axiom can auto-create CRs with risk justification + rollback strategy attached, and auto-close on verification.

Token rotation + revocation

  • Rotate any token from Dashboard → Settings → Connections → [connector] → Rotate
  • Revoke instantly by deleting the token in the source system (GitHub, GitLab, etc.) — Axiom detects the auth failure on next sync and surfaces it
  • Axiom proactively warns 14 days before any token expiration
  • Self-hosted instances: revoke at the network layer by blocking egress to Axiom's service IPs

Trust questions

What does each connector access?

Only release telemetry — pipelines, deployments, approvals, branch protection. Never source code or secret values.

Where are tokens stored?

Encrypted at rest with per-tenant keys. Never logged. Never transmitted to other tenants.

Is this safe for regulated environments?

Yes — read-only by default. Write scope is opt-in per connector. SOC 2 control mapping built in.

Can I revoke instantly?

Yes — delete the token in the source system or click Revoke in Axiom. Both work immediately.

What about self-hosted instances?

Supported for GitLab, Jenkins, Azure DevOps. ServiceNow self-hosted: contact us.

What if the connector fails to sync?

Sync failures surface in the connector panel of the ReleaseOps Command Center with the exact error and a fix link.

Need a human?

Most flows are documented — but we'll help if anything is unclear.

Talk to Vision XIX Labs