The EAA pipeline
ariada-org/ariada is a reusable
GitHub Actions workflow
that audits a public site against the
European Accessibility Act 2025, generates an
EN 301 549
art. 7 accessibility statement, and emits
machine-readable
VPAT-JSON
evidence — all from a single
uses: line. Five stops, one workflow,
EUPL-1.2.
Five stops
1. Scan — shipped
The workflow installs Node 22 + pnpm,
@axe-core/cli, and
@ariada-org/wcag-rules-extended, then runs the
combined ruleset against every path in
pages:. Coverage is
WCAG 2.2 AA
plus EAA Annex I sectoral scope (e-commerce
checkout, banking digital channels,
accessibility-statement pages) and Nordic-language
locales (sv / nb / da / fi).
2. PR comment — v0.2 target
On pull_request events, the job posts a
summary comment with the violation totals grouped by
impact level (minor / moderate
/ serious / critical) and a
delta against the base branch. The current release
uploads the raw report as an artefact; the inline
violations-summary comment with per-rule grouping ships
in the next minor.
3. Statement generator — shipped
When emit-statement: true, the workflow
renders an HTML accessibility-statement file shaped to
Directive (EU) 2016/2102 art. 7
and the EN 301 549 v3.2.1 disclosure
template. The output is a static document the caller
drops at /accessibility/ on their own
site — no hosted dependency, no tracking.
4. Evidence emitter — shipped
With emit-evidence: true, the workflow
also writes vpat.json in
VPAT 2.5 INT
shape and accessibility.json shaped for
the .well-known/ discovery path. Both
files map every reported violation to a WCAG 2.2
Success Criterion and an EN 301 549 clause,
so downstream procurement tools can diff and verify
mechanically.
5. Penalty estimator — shipped
The evidence bundle includes a per-jurisdiction € exposure estimate — severity-weighted violation counts crossed with each member-state EAA-implementing law's fine ranges and turnover-cap formula (initial coverage: 11 EU member states). The estimate is advisory, machine-readable, and intended as input to remediation prioritisation, not as legal advice.
Try it
Add one file to your repo at
.github/workflows/eaa-audit.yml:
name: EAA audit
on:
push:
branches: [main]
pull_request:
jobs:
audit:
uses: ariada-org/ariada/.github/workflows/eaa-audit.yml@v1
with:
site-url: 'https://example.com'
pages: '/,/about/,/checkout/,/accessibility/'
fail-on: 'serious,critical'
emit-statement: true
emit-evidence: true
pack-version: 'next' The first run takes about three minutes; cached runs finish in roughly ninety seconds for a five-page audit. The workflow uses GitHub-hosted Ubuntu runners by default and does not require an Ariada account, an API key, or any commercial dependency.
Full input reference and example workflows
(single-page, multi-page, monorepo) ship in the
ariada-org/ariada repository
— published with the first tagged release.
Inputs at a glance
site-url— base URL to scan,https://only.pages— comma-separated path list (default/).fail-on— impact levels that fail the job (defaultserious,critical).emit-statement— emit the accessibility-statement HTML (defaulttrue).emit-evidence— emitvpat.json+accessibility.json(defaulttrue).pack-version— npm dist-tag or semver of@ariada-org/wcag-rules-extended(defaultnext).runner— GitHub-hosted runner label (defaultubuntu-latest).
Limitations
The pipeline is honest about what it does not do:
- Public URLs only. The scanner reaches whatever a GitHub-hosted runner can reach. Localhost, intranet, VPN-only, and IP-allowlisted sites are out of scope. For pre-deployment scanning of private builds, invoke the rule pack directly inside your own CI.
- Static-DOM model. The scanner runs
headless Chromium via
@axe-core/cli; it executes JavaScript during page load but does not interact with the page (no clicks, no form fills, no logged-in views). For scripted-scenario auditing of checkout flows or post-auth pages, use the rule pack with a Playwright or Puppeteer harness. - Detection, not remediation. The workflow reports and documents; it does not patch code or write commits. Turning a finding into a fix is the caller's job.
- GitHub-hosted runner network.
GitHub's runner IP ranges occasionally trip
site-level rate limiters or
WAF rules.
Sites that block GitHub IPs should use
runner: self-hosted. - Advisory penalty estimate. The per-jurisdiction € exposure number is a heuristic for remediation prioritisation. It is not a legal opinion and does not substitute for advice from a licensed lawyer in the relevant member state.
Links
- Source —
github.com/ariada-org/ariada(v0.1 release candidate — live) - Rule pack — @ariada-org/wcag-rules-extended
- License — EUPL-1.2