|
150 | 150 | - Use hand-rolled yaml for deterministic outcode, like CI gates. |
151 | 151 | **Context:** The branch maintenance plan defines 6 new workflows. Elizabeth asked whether gh-aw could replace hand-rolled YAML implementations. |
152 | 152 |
|
153 | | -**Decision — Phased adoption (hybrid approach):** |
154 | | - |
155 | | -**Convert to gh-aw (Phase 1 — Advisory Workflows):** |
156 | | -- `squad-triage-advisor.yml` → gh-aw LabelOps pattern |
157 | | -- `external-pr-advisor.yml` → gh-aw PR event pattern |
158 | | -- `squad-clarify-advisor.yml` → gh-aw LabelOps pattern |
159 | | - |
160 | | -**Keep as Traditional YAML (Deterministic Gates):** |
161 | | -- `block-workflow-changes.yml` — CI gate, needs deterministic pass/fail |
162 | | -- `squad-history-protection.yml` — CI gate, needs deterministic pass/fail |
163 | | -- `squad-dashboard.yml` — Scheduled report, mostly data aggregation |
164 | | - |
165 | | -**Rationale:** |
166 | | -1. Advisory workflows benefit most from AI reasoning (intelligent comment generation vs brittle templates) |
167 | | -2. CI gates must be deterministic — AI non-determinism is unacceptable for security controls |
168 | | -3. safe-outputs architecture aligns with Two-Tier labeling policy |
169 | | -4. gh-aw eliminates ~200 lines of github-script per advisory workflow |
170 | | - |
171 | | -**Prerequisites:** |
172 | | -- [ ] `gh aw` CLI extension installed in CI |
173 | | -- [ ] Team evaluates gh-aw lock.yml compilation in local dev |
174 | | -- [ ] Determine if safe-outputs can enforce Tier-2 label blocking adequately |
175 | | -- [ ] Evaluate AI response quality for triage recommendations |
| 153 | +**Decision:** |
| 154 | +- Use gh-aw LabelOps pattern, event pattern for advising. |
| 155 | +- Use hand-rolled yaml for deterministic outcode, like CI gates. |
176 | 156 |
|
177 | 157 | **Impact:** Reduces maintenance burden for advisory workflows; eliminates keyword-matching brittleness in triage; no change to security posture. |
178 | 158 |
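Review bot: the collapsed decision block (new lines 153-155) loses the information that made the original decision auditable: the per-workflow assignment, the four-point rationale and the prerequisites checklist from removed lines 153-175. After this change a reader cannot tell which of the six workflows are CI gates that must stay deterministic (`block-workflow-changes.yml`, `squad-history-protection.yml`) versus which move to gh-aw, nor that adoption was gated on "Determine if safe-outputs can enforce Tier-2 label blocking adequately", so the unchanged Impact line "no change to security posture" is now an assertion with nothing visible backing it. Suggest keeping at least the "Keep as Traditional YAML (Deterministic Gates)" list and the prerequisites checklist, or linking to wherever they moved. Two smaller points on the same hunk: added line 155 duplicates existing line 150 verbatim, typo included, so one of them should go; and "deterministic outcode" should read "deterministic outcomes", with "yaml" as "YAML" to match the rest of the document.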
|
|
202 | 182 | - V14: Compiled output tampering (must be in CODEOWNERS) |
203 | 183 | - V15: Framework supply chain (low probability, monitor GitHub advisories) |
204 | 184 |
|
205 | | -**Tier-1/Tier-2 Label Security:** `blocked: ["squad:*", "go:*", "priority:*"]` provides equivalent or stronger protection than current policy. Gaps: re-application prevention (add to agent instructions), glob pattern completeness (use both `allowed` and `blocked`). |
| 185 | +**Label Security:** `blocked: ["squad:*", "go:*", "priority:*"]` provides equivalent or stronger protection than current policy. Gaps: re-application prevention (add to agent instructions), glob pattern completeness (use both `allowed` and `blocked`). |
206 | 186 |
|
207 | 187 | **New Guardrails Required (MANDATORY for adoption):** |
208 | 188 | 1. Comment provenance banner — All gh-aw-generated comments must include visible "🤖 Generated by gh-aw workflow: {name}" header |
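Review bot: renaming the heading from "Tier-1/Tier-2 Label Security" to "Label Security" removes the only reference to the tier policy in this section, so "provides equivalent or stronger protection than current policy" and the "Gaps" sentence no longer say which policy the globs are being compared against; suggest naming it inline, e.g. "than the current Tier-1/Tier-2 label policy". Separately, the strength claim is still asserted rather than shown: `blocked: ["squad:*", "go:*", "priority:*"]` is a deny-list, and the same sentence concedes that glob completeness is a gap closed only by using both `allowed` and `blocked`, so "equivalent or stronger" should either cite the policy's label list it was checked against or be softened until that check is recorded.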