๐ EU Parliament Monitor โ CI/CD Workflows
๐ก๏ธ Automated Security Excellence Through Continuous Integration
๐ฏ Transparent Pipeline Operations Demonstrating ISMS Policy Compliance
๐ Document Owner: CEO | ๐ Version: 4.1 | ๐
Last Updated: 2026-04-20 (UTC) | ๐ฆ Release: v0.8.40
๐ Review Cycle: Quarterly | โฐ Next Review: 2026-07-20
๐ Workflow Status Badges
CI/CD Pipeline Status:
Security & Quality Metrics:
๐ ISMS Policy Alignment
EU Parliament Monitor's CI/CD workflows implement security controls mandated by Hack23 AB's ISMS framework:
| ISMS Policy | Workflow Implementation |
|---|---|
| ๐ ๏ธ Secure Development Policy | SAST (CodeQL), SCA (Dependency Review), E2E (Playwright), performance testing |
| ๐ Change Management | Automated testing gates, security scanning, PR review requirements |
| ๐ Vulnerability Management | Dependabot, CodeQL, OSSF Scorecard, npm audit, security advisories |
| ๐ Open Source Policy | SLSA attestations, SBOM generation, REUSE license compliance |
| ๐ Information Security Policy | Security-hardened runners, SHA-pinned actions, least privilege permissions |
| ๐ Access Control Policy | OIDC authentication, minimal workflow permissions, branch protection |
| ๐ Cryptography Policy | Sigstore signing, SLSA L3 provenance, build attestations |
| ๐จ Incident Response Plan | Automated rollback procedures, incident classification workflows |
| ๐พ Backup & Recovery Policy | Multi-CDN deployment (S3 + GitHub Pages DR), version control |
| ๐ค Third Party Management | SHA-pinned actions, dependency review, supply chain security |
Compliance Framework Mapping
| Framework | Version | Relevant Controls | Implementation |
|---|---|---|---|
| ISO 27001 | 2022 | A.8.25, A.8.26, A.8.27, A.8.28, A.12.1.4, A.12.6.1, A.14.2.1 | Secure development lifecycle, testing, change management |
| NIST CSF | 2.0 | PR.DS, DE.CM, ID.SC, RS.MI | Data security, monitoring, supply chain, mitigation |
| CIS Controls | v8.1 | 2.2, 4.1, 7.1, 16.1, 17.1 | Software inventory, access control, code signing, application security |
| EU CRA | 2024 | Art. 10, Art. 11 | SBOM generation, vulnerability disclosure, security updates |
๐ Architecture Documentation Map
| Document | Focus | Description | Documentation Link |
|---|---|---|---|
| Architecture | ๐๏ธ Architecture | C4 model showing current system structure | View Source |
| Future Architecture | ๐๏ธ Architecture | C4 model showing future system structure | View Source |
| Mindmaps | ๐ง Concept | Current system component relationships | View Source |
| Future Mindmaps | ๐ง Concept | Future capability evolution | View Source |
| SWOT Analysis | ๐ผ Business | Current strategic assessment | View Source |
| Future SWOT Analysis | ๐ผ Business | Future strategic opportunities | View Source |
| Data Model | ๐ Data | Current data structures and relationships | View Source |
| Future Data Model | ๐ Data | Enhanced European Parliament data architecture | View Source |
| Flowcharts | ๐ Process | Current data processing workflows | View Source |
| Future Flowcharts | ๐ Process | Enhanced AI-driven workflows | View Source |
| State Diagrams | ๐ Behavior | Current system state transitions | View Source |
| Future State Diagrams | ๐ Behavior | Enhanced adaptive state transitions | View Source |
| Security Architecture | ๐ก๏ธ Security | Current security implementation | View Source |
| Future Security Architecture | ๐ก๏ธ Security | Security enhancement roadmap | View Source |
| Threat Model | ๐ฏ Security | Political Threat Landscape analysis | View Source |
| Classification | ๐ท๏ธ Governance | CIA classification & BCP | View Source |
| CRA Assessment | ๐ก๏ธ Compliance | Cyber Resilience Act | View Source |
| Workflows | โ๏ธ DevOps | CI/CD documentation | View Source |
| Future Workflows | ๐ DevOps | Planned CI/CD enhancements | View Source |
| Business Continuity Plan | ๐ Resilience | Recovery planning | View Source |
| Financial Security Plan | ๐ฐ Financial | Cost & security analysis | View Source |
| End-of-Life Strategy | ๐ฆ Lifecycle | Technology EOL planning | View Source |
| Unit Test Plan | ๐งช Testing | Unit testing strategy | View Source |
| E2E Test Plan | ๐ Testing | End-to-end testing | View Source |
| Performance Testing | โก Performance | Performance benchmarks | View Source |
| Security Policy | ๐ Security | Vulnerability reporting & security policy | View Source |
๐ Executive Summary
EU Parliament Monitor employs a comprehensive suite of GitHub Actions workflows (~15 standard + 9 agentic โ 8 unified news-<type>.md + news-translate.md) for automated intelligence operations, quality assurance, security scanning, and release management. All workflows follow the Hack23 ISMS Secure Development Policy standards.
Workflow Portfolio
| # | Workflow | Purpose | Schedule / Trigger | ISMS Alignment |
|---|---|---|---|---|
| 1 | Agentic News Workflows (ร10) | AI-generated multi-language news articles (9 content + news-translate) |
Varied schedules (see ยง1) | Integrity controls (Medium) |
| 2 | Test & Report | Unit + integration tests, 3061+ tests, coverage, performance | On PR/push to main | Quality assurance (ISO 27001 A.12.1.4) |
| 3 | CodeQL | SAST security scanning (JS/TS + GitHub Actions) | On PR/push + weekly Saturday | Vulnerability management (ISO 27001 A.12.6) |
| 4 | E2E Tests | End-to-end Playwright tests (Chromium) + axe-core | On PR/push + daily midnight UTC | Functional validation + WCAG 2.1 AA |
| 5 | Release | Build, attest (SLSA L3), document, publish to npm (provenance) | Manual/tag push | SLSA L3, Documentation-as-code, npm provenance |
| 6 | Dependency Review | Supply chain security scanning | On PR | Supply chain security (NIST CSF ID.SC) |
| 7 | OpenSSF Scorecard | Security posture assessment | Weekly Tuesday 07:20 UTC | Continuous improvement |
| 8 | Deploy S3 | Production deployment to AWS S3 + CloudFront (OIDC, egress: block) | Push to main | Infrastructure as Code |
| 9 | REUSE Compliance | License and copyright verification (REUSE 3.3) | On PR/push + weekly Monday | Open Source Policy |
| 10 | SLSA Provenance | Build provenance attestation (integrated in release.yml) | On release + manual | Supply chain security (SLSA L3) |
| 11 | Compile Agentic Workflows | Compile .md โ .lock.yml via gh-aw CLI (pinned GH_AW_VERSION: v0.69.3) |
Manual dispatch | Automation governance |
| 12 | Agentics Maintenance | Housekeeping for agentic workflows (stale lock cleanup, health probes) | Scheduled | Automation governance |
| 13 | Labeler | Automatic PR labeling | On pull_request_target | Workflow governance |
| 14 | Setup Labels | Repository label management | Manual dispatch | Repository governance |
| 15 | Copilot Setup Steps | GitHub Copilot agent environment setup | Push/PR to itself + manual | Agent infrastructure |
| 16 | news-translate-reconciler | Reconcile missing translation artifacts across 14 languages | Scheduled | Translation consistency |
๐ Security Posture: All 14 standard workflows use SHA-pinned actions (100%), Harden Runner (step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0), and minimal permissions following least privilege principle. Agentic workflows add a 5-layer security model: AWF Squid firewall allowlist, sandboxed Docker with restricted shell, safe-output constraints (create-pull-request with max-patch-size), JSONL audit trail, and lock-file compilation.
๐๏ธ Pipeline Architecture
graph LR
A[Code Push] --> B[Build & Test]
B --> C[SCA Scan]
C --> D[CodeQL Scan]
D --> E[Quality Gate]
E --> F[Security Gate]
F --> G[SBOM Generation]
G --> H[Attestations]
H --> I[Release]
I --> J[Deploy]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef success fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A trigger
class B process
class C,D security
class E,F decision
class G,H security
class I,J success
Workflow Relationships
flowchart TB
subgraph "Continuous Integration"
direction TB
PR[Pull Request] --> CodeQLScan[CodeQL Analysis]
PR --> DependencyReview[Dependency Review]
PR --> Labeler[PR Labeler]
PR --> REUSECheck[REUSE Compliance]
CodeQLScan --> SecurityEvents[Security Events]
end
subgraph "Agentic Content Pipeline"
direction TB
Schedule1[Scheduled Triggers] --> AgenticNews[10 Agentic News Workflows]
AgenticNews --> Analysis[Political Intelligence Analysis]
Analysis --> Articles[14-Language Article Generation]
Articles --> ContentPR[Content Pull Request]
end
subgraph "Continuous Deployment"
direction TB
Release[Release Trigger] --> BuildTest[Prepare & Test]
BuildTest --> BuildPackage[Build & Package]
BuildPackage --> GenerateSBOM[Generate SBOM]
GenerateSBOM --> Attestations[Create Attestations]
Attestations --> CreateRelease[Create GitHub Release]
end
subgraph "Security Scanning"
direction TB
Weekly[Weekly Schedule] --> WeeklyScan[CodeQL Weekly Scan]
BranchProtection[Branch Protection] --> Scorecard[Scorecard Analysis]
end
PR -.-> |"approved & merged"| main[Main Branch]
ContentPR -.-> |"reviewed & merged"| main
main --> Scorecard
main --> DeployS3[Deploy to S3 + CloudFront]
main -.-> |"tag created"| Release
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef success fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
class PR,CodeQLScan,DependencyReview,Labeler,REUSECheck trigger
class Release,BuildTest,BuildPackage,GenerateSBOM,Attestations,CreateRelease process
class main,DeployS3 success
class Schedule1,AgenticNews,Analysis,Articles,ContentPR decision
class SecurityEvents,Weekly,WeeklyScan,BranchProtection,Scorecard security
๐ Workflow Detailed Documentation
1. Agentic News Workflows (ร10)
๐ฏ Purpose: AI-powered generation of multi-language news articles about European Parliament activities using GitHub Copilot with the claude-opus-4.7 model
๐ Architecture: 9 markdown source files (8 unified news-<type>.md + 1 news-translate.md helper) compiled to 9 .lock.yml files via gh aw compile (GitHub Agentic Workflows CLI)
๐ Languages: 14 (en, sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh)
Agentic Workflow Schedule Matrix (April-2026 unified workflows)
| ๐ค Workflow | ๐ File | ๐ Schedule | โฑ๏ธ Timeout |
|---|---|---|---|
| ๐ฎ EU Parliament Week Ahead | news-week-ahead.lock.yml |
Friday 07:00 UTC | 45 min |
| ๐ EU Parliament Week in Review | news-week-in-review.lock.yml |
Saturday 09:00 UTC | 45 min |
| ๐ณ๏ธ EU Parliament Plenary Votes & Resolutions | news-motions.lock.yml |
Weekdays (MonโFri) 06:00 UTC | 45 min |
| โ๏ธ EU Parliament Legislative Procedures | news-propositions.lock.yml |
Weekdays (MonโFri) 05:00 UTC | 45 min |
| ๐๏ธ EU Parliament Committee Activity | news-committee-reports.lock.yml |
Weekdays (MonโFri) 04:00 UTC | 45 min |
| ๐ EU Parliament Month Ahead | news-month-ahead.lock.yml |
1st of month 08:00 UTC | 45 min |
| ๐ EU Parliament Month in Review | news-month-in-review.lock.yml |
28th of month 10:00 UTC | 45 min |
| ๐จ EU Parliament Breaking News | news-breaking.lock.yml |
Every 6 hours (0 */6 * * *) |
45 min |
| ๐ Translate Articles | news-translate.lock.yml |
Weekdays 09:00/12:00/15:00 UTC; Sat 15:00; 1st & 28th 15:00 | 45 min |
Each
news-<type>.mdworkflow runs Stages A โ B โ C โ D โ E in one 45-minute session and produces exactly one PR containing both analysis artifacts and rendered article HTML. The earlier split-pairnews-<type>-analysis.md+news-<type>-article.mdlayout and the manualnews-article-generator.mdhelper were deleted in the April-2026 aggregator-pipeline migration. Thenews-translate.mdhelper (manual dispatch only) is the sole exemption from the single-PR rule.
Agentic Workflow Architecture
All 9 agentic workflows share a common architecture (8 unified news-<type>.md produce English articles in single 45-min sessions; the manual news-translate helper then generates the remaining 13 languages):
graph TD
A[๐ Schedule / Manual Trigger] --> B[๐ Activation Job]
B --> C{Conditions Met?}
C -->|โ
Yes| D[๐ค Agent Job<br/>GitHub Copilot + claude-opus-4.7]
C -->|โ No| E[โญ๏ธ Skip]
D --> F[๐ฅ Checkout Repository]
F --> G[โ๏ธ Setup Node.js 25]
G --> H[๐ฆ Install Dependencies]
H --> I[๐ Install EP MCP Server v1.2.15+]
I --> J1[๐ฌ Analysis Stage<br/>Political Intelligence Pipeline<br/>--analysis flag]
J1 --> J1a[๐ Classification: significance, impact-matrix, actors, forces]
J1 --> J1b[๐ก๏ธ Threat Assessment: Political Threat Landscape,<br/>actor-threats, disruption]
J1 --> J1c[๐ Risk Scoring: risk-matrix, SWOT, velocity, capital-at-risk]
J1a --> J1d["๐ analysis/daily/YYYY-MM-DD/article-type/"]
J1b --> J1d
J1c --> J1d
J1d --> J[๐ฐ Generate News Articles<br/>npx tsx src/generators/news-enhanced.ts --analysis]
J --> K[๐ฌ๐ง English HTML Output]
K --> L[๐ Create Pull Request<br/>Includes analysis/ artifacts]
L --> M[โ
PR Ready for Review]
L -.-> N[๐ news-translate Workflow<br/>Generates 13 Additional Languages]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef skip fill:#95a5a6,stroke:#7f8c8d,stroke-width:1.5px,color:white
classDef analysis fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef output fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A,B trigger
class D,F,G,H,I process
class C decision
class E skip
class J1,J1a,J1b,J1c,J1d analysis
class J,K,L,M,N output
Common Agentic Workflow Properties
| Property | Value |
|---|---|
| Source format | Markdown (.md) compiled by gh aw compile |
| Lock format | YAML (.lock.yml) โ auto-generated, do not edit directly |
| AI Model | claude-opus-4.7 via GitHub Copilot CLI |
| Top-level permissions | {} (empty โ no default permissions) |
| Activation job permissions | contents: read |
| Agent job permissions | contents: write, pull-requests: write, issues: write, models: read |
| Concurrency group | gh-aw-${{ github.workflow }} |
| Node.js version | 25 |
| EP MCP Server | european-parliament-mcp-server@1.2.15 (globally installed via scripts/mcp-setup.sh, MCP gateway EP_MCP_GATEWAY_URL=http://host.docker.internal:80/mcp/european-parliament) |
| Data sources | European Parliament MCP Server v1.2.15+ (primary, 60+ tools โ sliding + fixed-window feeds + analytical), IMF REST SDMX 3.0 (native fetch in src/mcp/imf-mcp-client.ts, primary economic source โ WEO+FM+IFS+BOP+ER+PCPS+GFSR+EREO+FSI+GFS+DOT), World Bank Open Data MCP (non-economic only โ WDI social/health/education/environment/governance). Economic-context enforcement is editorial at the Stage-C completeness review against .github/prompts/03-analysis-completeness-gate.md and the per-artifact line floors in analysis/methodologies/reference-quality-thresholds.json โ the runtime articlePolicyHas* gates were purged in April-2026 |
| Analysis stage | --analysis flag enables 18-method political intelligence pipeline before article generation |
| Analysis output | analysis/daily/{date}/ for cross-article artifacts (for example shared synthesis outputs), plus analysis/daily/{date}/{article-type}/ for article-type-scoped classification, threat-assessment, risk-scoring, and data (EP feeds, World Bank, IMF, OSINT) artifacts committed to PR. Article-type scoping prevents merge conflicts between concurrent workflows. |
5-Stage Pipeline (matches the prompt library 00โ09)
Every article-generating news-*.md (all except news-translate.md) executes
the same five bounded stages. This is the canonical flow; it aligns 1-to-1
with the ten-file prompt library in .github/prompts/:
| Stage | Name | Prompt file(s) | Output location |
|---|---|---|---|
| A | Data collection | 01-data-collection.md + 07-mcp-reference.md |
analysis/daily/<YYYY-MM-DD>/<type>-run<NN>/intelligence/* |
| B | Analysis (2-pass mandatory) | 02-analysis-protocol.md โ analysis/methodologies/ai-driven-analysis-guide.md (10 steps, Rules 1โ22) |
classification / threat / risk / synthesis artifacts under the same run dir |
| C | Completeness gate | 03-analysis-completeness-gate.md โ npm run validate-analysis vs analysis/methodologies/reference-quality-thresholds.json |
blocks PR if any floor is missed |
| D | Article (2-pass mandatory) | 04-article-generation.md + 05-analysis-to-article-contract.md with Read-Before-Write against every artifact from Stage B |
news/<date>-<type>-<lang>.html |
| E | Single PR | 06-pr-and-safe-outputs.md โ one safeoutputs___create_pull_request call at end of run |
GitHub PR (max 1 per run; news-translate.md is the sole exemption โ multi-call flush for 14-language fan-out) |
Stage D's Read-Before-Write rule requires the agent to consult every artifact
produced in Stage B before drafting prose; the artifact โ article-section
map lives in 04-article-generation.md ยง 7.1.
The 39-template artifact catalogue (14 agentic-workflow templates โ which
include 6 reusable framework templates โ plus 25 per-artifact templates, and
the analysis-index.md + README.md catalogue files) is enumerated in
analysis/templates/README.md and mapped to
methodologies in analysis/methodologies/artifact-catalog.md.
Imports structure (shared component + runtime-import + lock-file)
Each news-*.md (except news-translate.md) uses gh-aw's imports: field
twice:
imports:
- shared/mcp/news-mcp-servers.md # frontmatter-only: MCP servers merged into frontmatter
- ../agents/news-generation.agent.md # body-only: Required Reading + Stage Contract appended to prompt
shared/mcp/news-mcp-servers.mdis the single source of truth for themcp-servers:block (EP, World Bank, IMF, MCP Gateway mounts). Editing it propagates to every importing workflow on next compile..github/agents/news-generation.agent.mdcontributes body-only content (confirmed against gh-aw v0.69.3, 2026-04-21: imported agent frontmatter is not merged into workflow frontmatter). It appends the canonical Required Reading order and the 5-stage Stage Contract to every importing prompt.- Both files are tracked; any change triggers a recompile of every importing
.lock.ymlbycompile-agentic-workflows.yml.
safeoutputs semantics (gh-aw v0.69.3)
Every news-*.md declares:
safe-outputs:
create-pull-request:
max: 1 # default for every news-*.md
Documented exceptions:
news-translate.mdusesexcluded-files:and a multi-call flush pattern withmax-patch-size; it is exempt from the single-PR rule and is the only workflow that callssafeoutputs___create_pull_requestmore than once.
Critical semantic: safeoutputs___create_pull_request takes a
synchronous git format-patch snapshot AT CALL TIME of the agent's working
tree. Calling it before all files are written produces a partial PR. It must
therefore be invoked exactly once at the very end of the run, after every
article, analysis artifact, and manifest has been written to disk. The
banned alternatives โ checkpoint PRs, keep-alive heartbeats, progressive safe
outputs, and safeoutputs___push_repo_memory โ are CI-lint-enforced by
scripts/lint-prompts.js / npm run lint:prompts.
See .github/prompts/README.md ยง Drift-guard Lint
for the full rule set.
Compilation Process
Source markdown files are compiled to lock files using the GitHub Agentic Workflows CLI:
# Compile all agentic workflow definitions
gh aw compile
The compile-agentic-workflows.yml workflow automates this process (see ยง11).
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Input Validation | MCP data validated via schema before use | ISO 27001 A.14.2.1 |
| HTML Sanitization | Strip scripts, encode entities in generated content | OWASP Top 10 (XSS) |
| Empty Top-Level Permissions | permissions: {} โ no default permissions |
Least privilege |
| Scoped Job Permissions | Write permissions only on agent job | Least privilege |
| Concurrency Control | Single concurrent run per workflow | Resource governance |
| PR-Based Output | All generated content via PR, not direct push | Change review |
ISMS Evidence
- Policy: Secure Development Policy ยง4.1 - CI/CD Security
- Workflows:
.github/workflows/news-*.lock.yml - Source definitions:
.github/workflows/news-*.md - Process Flow: FLOWCHART.md ยงNews Generation Security Flow
Unique Data & Analytics Per Workflow (PRIO 1)
Every workflow downloads unique data and produces article-type-specific analytics. The following matrix shows the mandatory MCP data downloads and analytical tools unique to each workflow:
flowchart LR
subgraph "๐ด Breaking News"
B1["adopted_texts_feed\nevents_feed\nprocedures_feed\nmeps_feed"] --> B2["detect_voting_anomalies\nanalyze_coalition_dynamics\nearly_warning_system\ngenerate_political_landscape"]
end
subgraph "๐ Motions"
M1["adopted_texts_feed\nquestions_feed\nmeps_feed\nprocedures_feed"] --> M2["detect_voting_anomalies\nanalyze_coalition_dynamics\nget_voting_records\ncompare_political_groups"]
end
subgraph "๐ Propositions"
P1["procedures_feed\ndocuments_feed\nadopted_texts_feed\nplenary_docs_feed"] --> P2["search_documents\nmonitor_legislative_pipeline\ntrack_legislation\nanalyze_legislative_effectiveness"]
end
subgraph "๐๏ธ Committee Reports"
C1["committee_docs_feed\nplenary_docs_feed\nadopted_texts_feed\nprocedures_feed"] --> C2["get_committee_info\nmonitor_legislative_pipeline\nanalyze_legislative_effectiveness"]
end
style B1 fill:#dc3545,stroke:#b02a37,color:#fff
style B2 fill:#dc3545,stroke:#b02a37,color:#fff
style M1 fill:#fd7e14,stroke:#ca6510,color:#fff
style M2 fill:#fd7e14,stroke:#ca6510,color:#fff
style P1 fill:#ffc107,stroke:#cc9a06,color:#000
style P2 fill:#ffc107,stroke:#cc9a06,color:#000
style C1 fill:#198754,stroke:#146c43,color:#fff
style C2 fill:#198754,stroke:#146c43,color:#fff
| Workflow | Mandatory Feed Data | Mandatory Analytical Tools | Unique Focus |
|---|---|---|---|
| Breaking | adopted_texts, events, procedures, meps (todayโone-week) + documents, plenary_docs, committee_docs, questions | detect_voting_anomalies, analyze_coalition_dynamics, early_warning_system, generate_political_landscape | โก Only TODAY's items; 6-hour cycle |
| Motions | adopted_texts, parliamentary_questions, meps, procedures | detect_voting_anomalies, analyze_coalition_dynamics, get_voting_records, compare_political_groups | ๐ณ๏ธ Per-resolution vote breakdowns |
| Propositions | procedures, documents, adopted_texts, plenary_documents | search_documents, monitor_legislative_pipeline, track_legislation, analyze_legislative_effectiveness | ๐ Procedure stage tracking |
| Committee | committee_documents, plenary_documents, adopted_texts, procedures | get_committee_info, monitor_legislative_pipeline, analyze_legislative_effectiveness | ๐๏ธ Per-committee deep analysis |
| Week Ahead | events, procedures, plenary_documents, plenary_session_documents | get_plenary_sessions (future), get_committee_info, monitor_legislative_pipeline, generate_political_landscape | ๐ Prospective agenda analysis |
| Weekly Review | adopted_texts, procedures, plenary_documents, parliamentary_questions | get_voting_records, detect_voting_anomalies, generate_political_landscape | ๐ Retrospective outcome review |
| Month Ahead | events, procedures, plenary/committee docs, adopted_texts, session docs, meps | get_plenary_sessions, get_committee_info, monitor_pipeline, generate_landscape, compare_groups, analyze_delegation | ๐ Strategic calendar outlook |
| Monthly Review | adopted_texts, procedures, plenary_documents, parliamentary_questions | get_voting_records, detect_anomalies, generate_landscape, compare_groups, analyze_effectiveness | ๐ Comprehensive monthly trends |
| Translate | โ (consumes English articles) | โ | ๐ EN โ 13 languages |
PRIO 1 MANDATE: Each workflow ALWAYS downloads its mandatory feed data and runs its mandatory analytical tools BEFORE deciding whether to produce an article. Data collection is NEVER skipped, even for noop runs.
1b. Agentic News Workflows (gh-aw)
๐ Files: .github/workflows/news-*.md (9 content workflows + 1 translation workflow)
๐ฏ Purpose: AI-powered news article generation using GitHub Agentic Workflows (gh-aw) with European Parliament MCP Server data
โฐ Schedule: Various (see table below)
Architecture: Content/Translation Split
The agentic news system uses a separation of concerns architecture:
- Content Workflows (9 workflows) โ Generate English-only articles with deep political intelligence
- Translation Workflow (1 workflow) โ Translates English articles to 13 other languages
This split ensures content workflows spend their full time budget on political intelligence quality, while translations maintain fidelity to the English source content.
graph TD
A[๐ Content Workflows<br/>English only] -->|Generate| B[๐ฐ English Articles]
B -->|Merge PR| C[main branch]
C -->|Schedule trigger| D[๐ Translation Workflow]
D -->|Generate| E[๐ 13 Language Translations]
E -->|Merge PR| C
C -->|Deploy| F[๐ GitHub Pages<br/>Language Switchers + Sitemaps]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef deploy fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef translation fill:#e67e22,stroke:#d35400,stroke-width:1.5px,color:white
class A trigger
class B,C process
class D,E translation
class F deploy
Content Workflow Schedule
| Workflow Pair (analysis + article) | Article Type | Analysis Schedule | Focus |
|---|---|---|---|
| ๐ค Workflow | ๐ท๏ธ Type | ๐ Schedule | ๐ฏ Purpose |
| --- | --- | --- | --- |
news-committee-reports.md |
committee-reports | MonโFri 04:00 UTC | Committee activity analysis |
news-propositions.md |
propositions | MonโFri 05:00 UTC | Legislative pipeline tracking |
news-motions.md |
motions | MonโFri 06:00 UTC | Voting patterns & resolutions |
news-week-ahead.md |
week-ahead | Fri 07:00 UTC | Upcoming parliamentary agenda |
news-month-ahead.md |
month-ahead | 1st of month 08:00 UTC | Monthly strategic outlook |
news-week-in-review.md |
week-in-review | Sat 09:00 UTC | Week in review |
news-month-in-review.md |
month-in-review | 28th of month 10:00 UTC | Monthly retrospective |
news-breaking.md |
breaking | Every 6 hours | Real-time EP feed events |
Each
news-<type>.mdruns the full Stage AโE protocol in one ~45-minute session and produces exactly one PR with both analysis artifacts and the rendered article HTML. The earlier split-pairnews-<type>-analysis.md+news-<type>-article.mdlayout and the manualnews-article-generator.mdhelper were deleted in the April-2026 aggregator-pipeline migration (the prior legacy single-jobnews-<type>.mdwere briefly replaced by split pairs in 2025 because those exceeded the safeoutputs MCP TTL โ the unified workflows now stay within the TTL by deferring the PR call to minute โค 28).
Translation Workflow
| Workflow | Schedule | Purpose |
|---|---|---|
news-translate.md |
MonโFri 07/09/12/15/17/19 UTC, SatโSun 09/12/15 UTC | Translate English articles to sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh |
Supported Languages (14 total)
| English (en) | Swedish (sv) | Danish (da) | Norwegian (no) | Finnish (fi) |
|---|---|---|---|---|
| German (de) | French (fr) | Spanish (es) | Dutch (nl) | Arabic (ar) |
| Hebrew (he) | Japanese (ja) | Korean (ko) | Chinese (zh) |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| MCP Data Source | European Parliament MCP Server (live data) | ISO 27001 A.14.2.1 |
| Content Integrity | Quality validation, synthetic ID detection | Data integrity |
| Safe Outputs | gh-aw safe-outputs for PR creation | Least privilege |
| Concurrency | Shared concurrency group prevents conflicts | Resource management |
| Network Allowlist | Explicit domain allowlisting via gh-aw | Network security |
Enhanced Analysis Features (v2)
The following 8 unified article-generation workflows include mandatory analytical enhancements: news-week-ahead.md, news-month-ahead.md, news-breaking.md, news-committee-reports.md, news-propositions.md, news-motions.md, news-week-in-review.md, news-month-in-review.md. The news-translate.md workflow has complementary analysis-fidelity requirements for preserving these elements in translation.
๐ญ Multi-Stakeholder Perspective Requirements
Every major parliamentary action must be analyzed from at least 3 of 6 stakeholder perspectives:
| Perspective | Analysis Focus |
|---|---|
| EP Political Groups | Coalition dynamics, group influence, voting alliances |
| Civil Society & NGOs | Citizens' rights, democratic participation, transparency |
| Industry & Business | Regulatory burden, market effects, compliance dynamics |
| National Governments | Subsidiarity, implementation requirements, national interests |
| EU Citizens | Direct life impact, rights, services, democratic representation |
| EU Institutions | Commission, Council, ECB, Court of Justice โ inter-institutional dynamics |
Stakeholder perspective analysis is rendered by the TypeScript generator (buildStakeholderPerspectivesSection) as a card grid in each article's deep-analysis portion. Agents provide structured perspective content โ impact direction (positive/negative/neutral/mixed), severity (high/medium/low), reasoning, and evidence backed by specific EP MCP data citations โ and the generator handles the HTML markup (analysis-stakeholder-perspectives / stakeholder-perspectives-grid). Agents must NOT write raw HTML for this section. Impact and severity values must remain as canonical English enum tokens (e.g. positive, high) even in non-English articles โ the generator handles localized display labels and CSS classing from these tokens. (Note: the separate winners/losers outcomes list uses analysis-stakeholders / stakeholder-list โ that is a different section rendered by buildStakeholderSection.)
๐ Iterative AI Content Refinement Cycle
All analytical content sections follow a mandatory 4-pass refinement process:
| Pass | Activity | Output |
|---|---|---|
| Pass 1 โ Initial Assessment | Gather MCP baseline data; identify actors, actions, outcomes | Draft narrative |
| Pass 2 โ Stakeholder Challenge | Re-examine from each stakeholder angle; flag blind spots | Revised draft with gaps identified |
| Pass 3 โ Evidence Cross-Validation | Verify claims against EP documents/votes; add ๐ข/๐ก/๐ด confidence indicators | Evidenced assertions only |
| Pass 4 โ Synthesis & Scenarios | Produce balanced conclusions; provide 2โ3 forward-looking scenarios with probability labels | Final publishable analysis |
Localization requirement: All text labels โ confidence (๐ข High / ๐ก Medium / ๐ด Low), probability (likely / possible / unlikely), and significance (High / Medium / Low) โ must be rendered in the article's output language while preserving the underlying 3-level scale and keeping emoji markers (๐ข/๐ก/๐ด, โโโ) unchanged. Non-English articles must use the equivalent terms in the target language, not English labels.
โ Enhanced Analysis Quality Gates
In addition to the existing content quality gates (500-word minimum, no synthetic IDs, current dates), all articles must pass two new quality gate categories:
Analysis Depth Gates:
- Minimum 3 stakeholder perspectives analyzed per key development
- SWOT dimensions cover both political AND economic/regulatory aspects
- Dashboard trend indicators included (โโโ), not just current values
- Cross-domain policy links shown (e.g., environment โ trade โ social)
- Evidence chains cite specific document IDs, vote counts, or MCP data points
- Outlook provides at least 2 named scenarios with probability labels
Political Intelligence Gates:
- Coalition dynamics named explicitly (not just "EPP and S&D voted together")
- Each group's position explained with reasoning (incentives, ideology, constituency)
- Winner/loser analysis identified with supporting evidence
- Historical EP context referenced where comparable precedents exist
๐ EP Document Analysis Framework
Every key EP document featured in the deep-analysis section must include structured analysis (other document references may remain as citations without full framework analysis):
- Political Context โ Why introduced? Who pushed it? What problem does it solve?
- Stakeholder Impact โ Who benefits/faces costs? Quantified where possible.
- Procedure Stage โ Where in the legislative pipeline? Next steps and timeline.
- Coalition Dynamics โ Which groups support/oppose? Key fault lines.
- Significance Rating โ High / Medium / Low with one-sentence justification. (Note: significance ratings use text labels, not color indicators, to avoid confusion with the ๐ข/๐ก/๐ด confidence scale used in the refinement cycle.)
๐ฌ Workflow-Specific Intelligence Modules
Each scheduled content workflow includes a tailored intelligence module beyond the shared framework:
| Workflow Pair | Module | Focus |
|---|---|---|
news-week-ahead-{analysis,article}.md |
๐ญ Strategic Preview Analysis | What to watch, coalitions under stress, legislative inflection points, geopolitical triggers |
news-month-ahead-{analysis,article}.md |
๐ Long-Term Trend Context | Term trajectory, policy momentum, coalition evolution, EU external context |
news-breaking-{analysis,article}.md |
โก Rapid Stakeholder Impact Assessment | Immediate winners/losers, market/policy signals, next 24โ48 hour tracking |
news-committee-reports-{analysis,article}.md |
๐๏ธ Committee Power Dynamics Analysis | Rapporteur influence, shadow rapporteur positions, amendment landscape, trilogue implications |
news-propositions-{analysis,article}.md |
๐๏ธ Legislative Pipeline Intelligence | Passage probability, amendment expectations, timeline forecast, blocking coalitions |
news-motions-{analysis,article}.md |
๐ณ๏ธ Voting Pattern Intelligence | Coalition map, abstention analysis, cross-party defections, margin analysis |
news-weekly-review-{analysis,article}.md |
๐ Week-in-Context Analysis | Parliamentary landscape shift, promises vs. delivery, surprise developments |
news-monthly-review-{analysis,article}.md |
๐บ๏ธ Monthly Trend Synthesis | Legislative productivity, coalition stability index, policy trajectory, emerging themes |
The translation workflow has its own fidelity module:
| Workflow | Module | Focus |
|---|---|---|
news-translate.md |
๐ Analysis Fidelity Requirements | Stakeholder framing preservation, confidence indicator translation, EP official terminology |
๐ File: .github/workflows/test-and-report.yml
๐ฏ Purpose: Comprehensive testing with unit tests, integration tests, coverage reporting, and performance benchmarks
โฐ Trigger: On push to main, on PR to main
๐ Status:
Test Coverage
| Test Type | Framework | Coverage Target | Current Status |
|---|---|---|---|
| Unit Tests | Vitest 4.1.4 (happy-dom) | 52 test files | โ 3061+ passing |
| Integration Tests | Vitest + MCP contract suites (test/integration/mcp-integration.test.js, test/integration/mcp/imf-mcp.test.js, test/integration/mcp/worldbank-mcp.test.js) |
IMF/WB canonical tool lists asserted via drift-guard tests; EP MCP covered by mcp-integration.test.js (no canonical EP_MCP_TOOLS export yet) |
โ All passing |
| Line Coverage | Vitest (V8) | โฅ80% | โ 82%+ |
| Branch Coverage | Vitest (V8) | โฅ75% | โ 83%+ |
| Function Coverage | Vitest (V8) | โฅ80% | โ 89%+ |
| E2E | Playwright 1.59.1 + @axe-core/playwright 4.11.2 | WCAG 2.1 AA | โ Passing |
Workflow Jobs (6 Jobs)
graph LR
A[Prepare] --> B[Validation]
A --> C[Functional Tests]
A --> D[Performance]
A --> E[Security Check]
B --> F[Report]
C --> F
D --> F
E --> F
classDef prepare fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef test fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef perf fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef report fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
class A prepare
class B,C test
class D perf
class E security
class F report
| Job | Name | Purpose | Key Steps |
|---|---|---|---|
prepare |
Prepare Environment | Cache dependencies, setup Node.js 25 | Checkout, npm ci, cache |
validation |
Validate Code | ESLint, Prettier, HTMLHint, npm audit | Lint, format check, HTML validation |
functional-tests |
Functional Tests | Vitest unit + integration tests | Run tests, coverage report |
performance |
Performance Testing | Lighthouse CI + article generation benchmarks | @lhci/cli@0.15.1, performance metrics |
security-check |
Security Check | npm audit analysis | Vulnerability triage, CodeQL integration |
report |
Generate Report | Aggregate results, PR comments | Coverage summary, status checks |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Code Quality | ESLint + Prettier | Code quality standards |
| Vulnerability Scanning | npm audit | ISO 27001 A.12.6.1 |
| Coverage Thresholds | 80%+ lines, 75%+ branches | Quality gates |
| Performance Benchmarks | Lighthouse CI scoring | Performance validation |
| False Positive Handling | Intelligent npm audit triage | Risk acceptance process |
ISMS Evidence
- Policy: Secure Development Policy ยง3.3 - Testing Requirements
- Workflow: test-and-report.yml
- Coverage Report: Live Coverage
3. CodeQL Security Scanning
๐ File: .github/workflows/codeql.yml
๐ฏ Purpose: Static Application Security Testing (SAST) for JavaScript/TypeScript and GitHub Actions
โฐ Schedule: On push to main, on PR to main, weekly Saturday 21:33 UTC
๐ Status:
Security Analysis
| Parameter | Value |
|---|---|
| Languages | javascript-typescript, actions |
| Build Mode | none (interpreted languages) |
| Query Suite | Security Extended |
| Analysis Type | Source code + dependencies |
Vulnerability Types Detected:
- SQL Injection
- XSS (Cross-Site Scripting)
- Path Traversal
- Command Injection
- Unsafe Deserialization
- GitHub Actions expression injection
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| SAST Scanning | CodeQL security-extended (JS/TS + Actions) | ISO 27001 A.14.2.5 |
| Automated Analysis | On every PR + push | Shift-left security |
| SHA-Pinned Actions | All actions pinned to SHA | Supply chain security |
| Security Alerts | GitHub Security tab integration | Incident response |
ISMS Evidence
- Policy: Secure Development Policy ยง4.3 - Security Scanning
- Workflow: codeql.yml
- Security Architecture: SECURITY_ARCHITECTURE.md ยงCodeQL Analysis
4. E2E Testing Workflow
๐ File: .github/workflows/e2e.yml
๐ฏ Purpose: End-to-end testing with Playwright across browsers
โฐ Schedule: On push to main, on PR to main, daily at midnight UTC
๐ Status:
Test Coverage
- Browser: Chromium (optimised for speed)
- Timeout: 60 minutes
- Test Categories:
- Homepage validation
- Accessibility (axe-core integration)
- Responsive design
- Multi-language support (14 languages)
- Artifacts: Screenshots, videos, HTML reports
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Accessibility Testing | axe-core WCAG AA compliance | Inclusive security |
| Visual Regression | Screenshot comparison | Quality assurance |
| Functional Validation | User workflow testing | Requirements validation |
| Daily Regression | Scheduled midnight UTC | Continuous validation |
ISMS Evidence
- Workflow: e2e.yml
- Test Reports: Live E2E Report
5. Release Workflow
๐ File: .github/workflows/release.yml
๐ฏ Purpose: Comprehensive release automation with attestations and documentation
โฐ Trigger: Manual dispatch (with version input) or tag push (v*)
๐ Status:
Release Pipeline
graph TD
A[๐ Trigger: Manual/Tag] --> B[๐ Prepare Job]
B --> C[โ
Run Tests with Coverage]
C --> D[๐ญ Run E2E Tests]
D --> E[๐ Generate API Docs]
E --> F[๐ Generate Coverage Reports]
F --> G[๐จ Generate Doc Index]
G --> H[โ
Verify Structure]
H --> I[๐พ Commit Documentation]
I --> J[๐จ Build Job]
J --> K[๐ฆ Create Release Artifacts]
K --> L[๐ Generate SBOM]
L --> M[๐ Build Provenance]
M --> N[๐ SBOM Attestation]
N --> O[๐ Release Job]
O --> P[๐ Draft Release Notes]
P --> Q[๐ Create GitHub Release]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef test fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef docs fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef build fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef release fill:#2ecc71,stroke:#27ae60,stroke-width:2px,color:white
class A trigger
class B,C,D test
class E,F,G,H,I docs
class J,K build
class L,M,N security
class O,P,Q release
Release Jobs
| Job | Name | Key Permissions |
|---|---|---|
prepare |
Prepare Release | contents: write |
build |
Build Release Package | contents: read, id-token: write, attestations: write |
release |
Create Release | contents: write, id-token: write |
Documentation as Code
Every release automatically generates:
| Documentation | Generator | Output |
|---|---|---|
| API Documentation | JSDoc | 52 files, searchable |
| Test Coverage | Vitest HTML | Interactive reports |
| E2E Test Reports | Playwright | Screenshots, videos |
| Documentation Index | Custom script | Beautiful hub page |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| SLSA Level 3 | Build provenance attestation + npm provenance (--provenance flag on publish) |
Supply chain security |
| SBOM Generation | SPDX JSON format via anchore/sbom-action |
NTIA SBOM minimum elements |
| Artifact Signing | GitHub Attestations API (Sigstore, OIDC keyless) | Integrity verification |
| npm Registry | Published to registry.npmjs.org/euparliamentmonitor with Sigstore provenance |
Supply chain transparency |
| Documentation Audit Trail | Committed to main branch | Evidence trail |
| Test Validation | 3061+ unit/integration tests + E2E Playwright | Quality gates |
ISMS Evidence
- Policy: Secure Development Policy ยง3.2 - Architecture Documentation
- Workflow: release.yml
- Release Guide: docs/RELEASE_PROCESS.md
- Attestations: GitHub Attestations
- Documentation: docs/index.html
6. Dependency Review Workflow
๐ File: .github/workflows/dependency-review.yml
๐ฏ Purpose: Supply chain security scanning for pull requests
โฐ Trigger: On pull request
๐ Status: Dependency review enabled
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| License Compliance | Allowed licenses only | Legal compliance |
| Vulnerability Detection | Known CVEs blocked | ISO 27001 A.12.6.1 |
| Supply Chain Security | Dependency graph analysis | NIST CSF ID.SC |
ISMS Evidence
- Policy: Supply Chain Security
- Workflow: dependency-review.yml
7. OpenSSF Scorecard Workflow
๐ File: .github/workflows/scorecards.yml
๐ฏ Purpose: Security posture assessment against OpenSSF best practices
โฐ Schedule: Weekly on Tuesday 07:20 UTC, push to main, branch protection rule
๐ Status:
Assessed Security Practices
- Binary artifacts
- Branch protection
- CI tests
- Code review
- Dangerous workflows
- Dependency update tool
- Fuzzing
- License
- Maintained
- Pinned dependencies
- SAST
- Security policy
- Signed releases
- Token permissions
- Vulnerabilities
ISMS Evidence
- Workflow: scorecards.yml
- Live Score: View Scorecard
8. Deploy S3 Workflow
๐ File: .github/workflows/deploy-s3.yml
๐ฏ Purpose: Production deployment to AWS S3 + CloudFront
โฐ Trigger: Push to main
๐ Status: Production deployment
Deployment Pipeline
graph LR
A[Push to main] --> B[Checkout Code]
B --> C[๐ Harden Runner<br/>egress: BLOCK]
C --> D[Configure AWS OIDC]
D --> E[Sync to S3]
E --> F[Invalidate CloudFront]
F --> G[โ
Production Live]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef aws fill:#FF9900,stroke:#232F3E,stroke-width:1.5px,color:white
classDef complete fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:white
class A trigger
class B,C security
class D,E,F aws
class G complete
Note:
deploy-s3.ymlis the only workflow usingegress-policy: block(all other workflows useaudit). Outbound network calls are restricted to an explicit allowlist defined in theallowed-endpointsparameter of the Harden Runner step within deploy-s3.yml.
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| OIDC Federation | aws-actions/configure-aws-credentials with role ARN |
No long-lived secrets |
| Egress Block Mode | Harden Runner blocks all non-allowlisted endpoints | Network security |
| IAM Least Privilege | Minimal S3 + CloudFront permissions | AWS security best practices |
| HTTPS Only | CloudFront SSL/TLS distribution | Data in transit protection |
| Infrastructure as Code | GitHub Actions workflow | Reproducible deployments |
ISMS Evidence
- Workflow: deploy-s3.yml
- Architecture: SECURITY_ARCHITECTURE.md ยงDeployment
9. REUSE Compliance Workflow
๐ File: .github/workflows/reuse.yml
๐ฏ Purpose: License and copyright compliance verification using the REUSE Specification
โฐ Schedule: On push to main, on PR to main, weekly Monday 06:00 UTC
๐ Status:
License Compliance Scope
| Artifact | License | SPDX Header Required |
|---|---|---|
Source scripts (scripts/) |
Apache-2.0 | โ Yes |
Test files (test/, e2e/) |
Apache-2.0 | โ Yes |
HTML pages (index-*.html) |
Apache-2.0 | โ Yes |
Workflow files (.github/workflows/) |
Apache-2.0 | โ Yes |
| Binary assets | Declared in REUSE.toml |
Via manifest |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| License Verification | SPDX header validation on every file | Open Source Policy |
| Copyright Compliance | Per-file copyright tracking | IP management |
| Supply Chain Clarity | Machine-readable REUSE.toml |
NIST CSF ID.SC-4 |
| SHA-Pinned Action | fsfe/reuse-action pinned to SHA |
Supply chain security |
ISMS Evidence
- Policy: Open Source Policy
- Workflow: reuse.yml
- Configuration: REUSE.toml
10. SLSA Provenance (Integrated in Release Workflow)
๐ File: .github/workflows/release.yml
๐ฏ Purpose: Generate cryptographic build provenance for supply chain integrity verification
โฐ Trigger: On tag push (v*) + manual dispatch with version input
๐ Status:
Provenance Generation Pipeline
SLSA Level 3 provenance is generated as part of the release workflow build job. All attestations and SBOM are created during the build step and attached to the immutable GitHub Release in a single atomic operation.
Attestation Artifacts
| Artifact | Action | Verification Command |
|---|---|---|
| Build Provenance | actions/attest-build-provenance (SHA-pinned) |
gh attestation verify --owner Hack23 <file> |
| SBOM (SPDX) | anchore/sbom-action + actions/attest (SHA-pinned) |
gh attestation verify --owner Hack23 <file> |
| Distribution Archive | .zip with excluded dev files |
SHA-256 checksum |
| SBOM JSON | SPDX format | License compliance check |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| OIDC Keyless Signing | id-token: write + GitHub Sigstore |
SLSA Level 3 |
| Immutable Release | immutableCreate: true โ single-write release |
Integrity |
| Minimal Permissions | permissions: read-all top-level |
Least privilege |
| Harden Runner | egress audit on all outbound calls | Network security |
ISMS Evidence
- Policy: Secure Development Policy ยง4.4
- Workflow: release.yml
- Attestations: GitHub Attestations
11. Compile Agentic Workflows
๐ File: .github/workflows/compile-agentic-workflows.yml
๐ฏ Purpose: Compile agentic workflow markdown source files (.md) into executable lock files (.lock.yml) using the gh-aw CLI (pinned GH_AW_VERSION: v0.69.3)
โฐ Trigger: Manual dispatch only (workflow_dispatch)
๐ Status: 
Version pin contract:
GH_AW_VERSION: v0.69.3is a repository-level environment pin incompile-agentic-workflows.yml. Bumping this pin requires re-compilation of all 10.lock.ymlfiles, a full PR review, and successfulgh aw compile --validateacross the workflow set. Any.mdโ.lock.ymldrift is detected byagentics-maintenance.yml.
Compilation Pipeline
graph LR
A[Manual Trigger] --> B[Checkout Repository]
B --> C["Install gh-aw CLI<br/>(pinned v0.69.3)"]
C --> D["Run gh aw compile --validate<br/>Validates frontmatter + safe-outputs"]
D --> E["Commit & Push<br/>.lock.yml Files"]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef output fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A trigger
class B,C,D process
class E output
gh-aw Architecture Gotchas (AI-First Quality Principle)
| Gotcha | Impact | Mitigation |
|---|---|---|
| Bash Tool Call Contract | Every bash tool call in an agentic workflow MUST specify BOTH command and description parameters โ omitting description causes silent tool-call rejection |
Validator in gh aw compile --validate + agent system prompt enforcement |
| AWF Sandbox Expansion Restrictions | Dangerous shell expansions (${var@P}, chained variable assignments building command substitutions, ${!var}, eval-like constructs) are refused by the sandbox |
Agents must not attempt prompt-injection patterns; sandbox logs refused attempts |
| max-patch-size Tuning | Default create-pull-request max-patch-size is 1024 KB; news-translate.md overrides to 10240 KB at top level to accommodate 14-language fan-out patches |
Top-level YAML frontmatter in news-translate.md sets the elevated limit |
| Dynamic file resolution | Agents must not hallucinate filenames; use ls -t "news/${TODAY}-${TYPE}"*"-en.html" | head -1 pattern to resolve latest English source for translation |
Pattern documented in workflow system prompts |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Manual Trigger Only | workflow_dispatch โ no automatic runs |
Change control |
| Version Pin | GH_AW_VERSION: v0.69.3 pinned at workflow env |
Supply chain integrity |
| Token Fallback | COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN with GITHUB_TOKEN fallback |
Credential management |
| Write Permissions | contents: write, pull-requests: write, actions: write, issues: write |
Least privilege for compilation |
12. Pull Request Automatic Labeler
๐ File: .github/workflows/labeler.yml
๐ฏ Purpose: Automatically label pull requests based on file paths and content
โฐ Trigger: pull_request_target (opened, synchronize, reopened, edited)
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Minimal Job Permissions | contents: read, pull-requests: write, issues: read |
Least privilege |
| Target Event | pull_request_target โ runs on base branch code |
Workflow security |
13. Setup Repository Labels
๐ File: .github/workflows/setup-labels.yml
๐ฏ Purpose: Create and manage repository labels for issue/PR governance
โฐ Trigger: Manual dispatch only (workflow_dispatch with recreate_all input)
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Manual Trigger Only | workflow_dispatch โ deliberate action required |
Change control |
| Minimal Permissions | contents: read, issues: write |
Least privilege |
14. Copilot Setup Steps
๐ File: .github/workflows/copilot-setup-steps.yml
๐ฏ Purpose: Set up the development environment for GitHub Copilot coding agents
โฐ Trigger: Push/PR to copilot-setup-steps.yml file + manual dispatch
Environment Setup
| Component | Version / Configuration |
|---|---|
| Node.js | 25 |
| EP MCP Server | european-parliament-mcp-server (global) |
| Playwright Browsers | Installed for E2E |
| Virtual Display | Xvfb (:99) |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Broad Read Permissions | Multiple read scopes for agent access | Copilot agent requirement |
| Write Limited | Only pull-requests: write, issues: write |
Least privilege for agents |
| Token Management | COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN |
Credential management |
15. Agentics Maintenance
๐ File: .github/workflows/agentics-maintenance.yml
๐ฏ Purpose: Housekeeping for the agentic workflow fleet โ detect .md โ .lock.yml drift, probe MCP gateway health, prune stale analysis artifacts, verify GH_AW_VERSION: v0.69.3 is in effect.
โฐ Trigger: Scheduled (weekly) + manual dispatch
Security Controls
| Control | Implementation |
|---|---|
| Read-only probes | Health checks write no state to the repo |
| Drift detection | Compares gh aw compile --validate output against committed .lock.yml |
| PR on drift | Opens a PR via safe-outputs when lock drift is detected |
16. News Translate Reconciler
๐ File: .github/workflows/news-translate-reconciler.yml
๐ฏ Purpose: Sweep news/ for English articles that are missing translations in one or more of the 13 target languages (sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh) and enqueue backfill runs for news-translate.md.
โฐ Trigger: Scheduled (multiple times daily) + manual dispatch
Reconciliation Logic
flowchart LR
A[Scan news/*.html] --> B{English article exists<br/>without all 13 translations?}
B -- Yes --> C[Enqueue news-translate<br/>with article slug + date]
B -- No --> D[Log reconciled]
C --> E[news-translate produces<br/>missing languages]
classDef scan fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef action fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A scan
class B decision
class C,E action
Security Controls
| Control | Implementation |
|---|---|
| Scoped dispatch | Only calls news-translate.md with a specific {slug,date} input โ no arbitrary workflow chaining |
| max-patch-size coordination | Translation runs use news-translate.md's top-level 10240 KB max-patch-size for fan-out |
| Idempotency | Skips slugs already at 14/14 language coverage |
๐ง AI-First Quality Principle Enforcement
The AI-First Quality Principle (.github/skills/ai-first-quality.md, non-negotiable) governs all agentic content generation. Workflow-level enforcement:
Mandatory 2-Pass Iterative Improvement
| Pass | Time Budget | Mandatory Outputs |
|---|---|---|
| Pass 1 (~60%) | First 60% of workflow timeout | Initial narrative draft; full MCP data fetch; first stakeholder perspective pass |
| Pass 2 (~40%) | Remaining 40% of workflow timeout | Read-back of entire draft; evidence cross-validation; gap filling; scenario elaboration |
Time Budget Enforcement
| Workflow timeout | Minimum active time (no early exit) |
|---|---|
| 60-minute workflow | โฅ45 minutes actively engaged |
| 120-minute workflow (article-generator) | โฅ90 minutes actively engaged |
Quality Gates (Validator โ validate-analysis-completeness)
Before PR creation, the agentic workflow MUST run:
node scripts/utils/validate-analysis-completeness.js --article-html="$(ls -t news/${TODAY}-${TYPE}*-en.html | head -1)"
which asserts:
- โฅ80 words per SWOT item
- โฅ150 words per stakeholder perspective
- โฅ60% prose ratio (non-HTML text content)
- โฅ1 Chart.js visualization embedded
- 0
[AI_ANALYSIS_REQUIRED]sentinel markers remaining - Economic context present: IMF (primary economic source, mandatory for policy articles per Stage-C review) and/or World Bank (non-economic context). Enforcement is editorial at the Stage-C completeness gate against
.github/prompts/03-analysis-completeness-gate.md scanHtmlForFallbackLeaks()returns empty โ noFALLBACK_TEMPLATE_PATTERNSin output
Reference thresholds (analysis/methodologies/reference-quality-thresholds.json):
| Artifact | Min words | Breaking threshold |
|---|---|---|
intelligence/mcp-reliability-audit.md |
200 | 385 |
intelligence/reference-analysis-quality.md |
140 | 190 |
Pre-Translation Validator Gate
news-translate.md runs the validator against all English source articles before fan-out to the 13 target languages. A single failing English source blocks the entire translation run, preserving translation fidelity.
Analysis-to-Article Data Contract
buildDefaultStakeholderPerspectives in src/templates/section-builders.ts emits AI_MARKER sentinels into the HTML template. Agents author the stakeholder/impact slots directly in rendered HTML โ the generator emits markup shells (analysis-stakeholder-perspectives / stakeholder-perspectives-grid) and the agent fills the semantic content. Agents MUST NOT write raw HTML for this section structure but MUST author the perspective text.
๐ Workflow Metrics
Execution Statistics
| Metric | Target | Current | Status |
|---|---|---|---|
| Test Success Rate | โฅ95% | 100% | โ Excellent |
| Test Execution Time | <10 min | ~3 min | โ Excellent |
| Release Frequency | As needed | Manual | โ On-demand |
| Mean Time to Deploy | <1 hour | ~15 min | โ Excellent |
| Failed Deployment Rate | <5% | 0% | โ Perfect |
Security Metrics
| Metric | Target | Current | Status |
|---|---|---|---|
| Critical Vulnerabilities | 0 | 0 | โ Secure |
| High Vulnerabilities | 0 | 0 | โ Secure |
| Code Coverage | โฅ80% lines/functions/statements, โฅ75% branches | Enforced by vitest config | โ CI-gated |
| SHA-Pinned Actions | 100% | 100% | โ Complete |
| OpenSSF Score | โฅ8.0 | TBD | ๐ Monitoring |
๐ Security Hardening Practices
EU Parliament Monitor implements industry best practices for securing CI/CD pipelines, with StepSecurity hardening for all workflows:
flowchart LR
subgraph "๐ก๏ธ Pipeline Security Hardening"
PH[Permissions Hardening] --> LAP[Least Access Principle]
PS[Pin SHA Versions] --> IDT[Immutable Dependencies]
AV[Action Verification] --> TS[Trusted Sources]
RH[Runner Hardening] --> AL[Audit Logging]
OT[OIDC Tokens] --> EF[Ephemeral Credentials]
end
subgraph "๐ Security Measures"
AS[Asset Security] --> AC[Asset Verification]
DS[Dependency Security] --> PD[Dependency Pinning]
BS[Build Security] --> BA[Build Attestations]
RS[Release Security] --> SBOM[SBOM Generation]
end
PH --> AS
PS --> DS
AV --> BS
RH --> RS
classDef practice fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef measures fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
class PH,PS,AV,RH,OT practice
class LAP,IDT,TS,AL,EF practice
class AS,DS,BS,RS measures
class AC,PD,BA,SBOM measures
Specific Hardening Measures
The project's workflows collectively implement the following security measures (applied per workflow where applicable):
- ๐ Permissions Restriction: Explicit least-privilege permissions with
read-allor empty{}top-level - ๐ SHA Pinning: 100% of actions pinned to specific SHA hashes โ zero tag references
- ๐ก๏ธ Runner Hardening: StepSecurity
harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0for audit logging - ๐ SBOM Generation: The release workflow generates a Software Bill of Materials in SPDX format via
anchore/sbom-action - ๐ Build Attestations: The release workflow creates SLSA Level 3 provenance via
actions/attest-build-provenance - โฑ๏ธ Timeout Limits: Critical workflows (e.g., E2E and agentic
*.lock.ymlpipelines) use explicittimeout-minutesto prevent resource exhaustion; remaining workflows rely on GitHub's default job timeouts and are monitored for anomalies - ๐ OIDC Tokens: The
deploy-s3workflow uses AWS OIDC federation โ no long-lived secrets - ๐ซ Egress Control: The
deploy-s3workflow usesharden-runnerwithegress-policy: block
๐ก๏ธ Workflow Security Architecture
Workflow Permissions Matrix
Every workflow declares explicit, minimal permissions following the principle of least privilege. Some workflows use top-level permissions: read-all with job-level write overrides where needed, while others define more restrictive explicit top-level scopes tailored to their tasks.
| Workflow | Top-Level | Job-Level Overrides | Secrets Used |
|---|---|---|---|
| codeql | contents: read |
analyze: security-events: write, packages: read, actions: read |
None |
| compile-agentic-workflows | contents: write, pull-requests: write, actions: write, issues: write |
โ | COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN |
| copilot-setup-steps | contents: read, actions: read, attestations: read, checks: read, issues: write, models: read, discussions: read, pages: read, pull-requests: write, security-events: read, statuses: read |
โ | COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN |
| dependency-review | contents: read |
โ | None |
| deploy-s3 | contents: read, id-token: write, actions: write |
โ | AWS OIDC role |
| e2e | contents: read |
e2e-tests: contents: read |
None |
| labeler | read-all |
labeler: contents: read, pull-requests: write, issues: read |
GITHUB_TOKEN |
| release | read-all |
prepare: contents: write; build: contents: read, id-token: write, attestations: write; release: contents: write, id-token: write |
GITHUB_TOKEN |
| reuse | contents: read |
โ | None |
| scorecards | read-all |
analysis: security-events: write, id-token: write, contents: read, actions: read, issues: read, pull-requests: read, checks: read |
None |
| setup-labels | contents: read, issues: write |
โ | GITHUB_TOKEN |
| test-and-report | read-all |
validation: contents: read, pull-requests: write; functional-tests: contents: read; performance: contents: read; security-check: contents: read, security-events: write; report: contents: read, pull-requests: write |
None |
| news-* (agentic ร9) | {} (empty) |
activation: contents: read; agent: contents: write, pull-requests: write, issues: write, models: read |
GITHUB_TOKEN |
Security Control Layers
graph TD
subgraph Layer1["๐ต Layer 1: Developer Workstation"]
PC[Pre-Commit Hooks<br/>gitleaks ยท eslint ยท prettier]
LS[Lint-Staged<br/>ESLint fix ยท Prettier ยท HTMLHint]
PC --> LS
end
subgraph Layer2["๐ข Layer 2: Source Control"]
BP[Branch Protection<br/>Required status checks]
CR[Code Review<br/>Required approvals]
BP --> CR
end
subgraph Layer3["๐ก Layer 3: CI Pipeline"]
HR[Harden Runner v2.15.1<br/>Egress policy: audit/block]
ST[SHA-Pinned Actions 100%<br/>Supply chain integrity]
HR --> ST
end
subgraph Layer4["๐ด Layer 4: Security Scanning"]
CQL[CodeQL SAST<br/>JS/TS + Actions analysis]
DR[Dependency Review<br/>CVE blocking on PR]
NA[npm audit<br/>CVE check]
CQL --> DR --> NA
end
subgraph Layer5["๐ฃ Layer 5: Build Integrity"]
SB[SBOM Generation<br/>CycloneDX / SPDX]
AT[Build Attestation<br/>Sigstore / SLSA L3]
SB --> AT
end
subgraph Layer6["โซ Layer 6: Deployment"]
S3[S3 Sync<br/>Cache-optimised headers]
CF[CloudFront Invalidation<br/>HTTPS-only CDN]
S3 --> CF
end
Layer1 --> Layer2 --> Layer3 --> Layer4 --> Layer5 --> Layer6
classDef layer1 fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef layer2 fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef layer3 fill:#f1c40f,stroke:#f39c12,stroke-width:1.5px,color:black
classDef layer4 fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef layer5 fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef layer6 fill:#2c3e50,stroke:#1a252f,stroke-width:1.5px,color:white
class PC,LS layer1
class BP,CR layer2
class HR,ST layer3
class CQL,DR,NA layer4
class SB,AT layer5
class S3,CF layer6
๐ช Pre-Commit Security Controls
The project employs two complementary pre-commit enforcement mechanisms: Husky (Node.js native) and pre-commit framework.
Husky + lint-staged
Configuration: .husky/pre-commit โ runs npx lint-staged
| File Pattern | Commands | Purpose |
|---|---|---|
scripts/**/*.js |
eslint --fix, prettier --write |
JS quality + formatting |
*.md |
prettier --write |
Documentation formatting |
*.html |
htmlhint |
HTML validation |
Pre-Commit Framework
Configuration: .pre-commit-config.yaml
graph LR
A[git commit] --> B{Husky Hook Triggered}
B --> C[lint-staged]
C --> D[ESLint --fix JS]
C --> E[Prettier --write MD]
C --> F[HTMLHint HTML]
D --> G{All Pass?}
E --> G
F --> G
G -->|โ
Pass| H[Commit Proceeds]
G -->|โ Fail| I[Commit Blocked]
I --> J[Developer Fixes Issues]
J --> A
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef lint fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef pass fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef fail fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:white
class A trigger
class B,G decision
class C,D,E,F lint
class H pass
class I,J fail
| Hook | Version | Purpose | Security Value |
|---|---|---|---|
| gitleaks | v8.16.3 | Secret scanning | Prevent credential exposure |
| mirrors-eslint | v8.38.0 | JS linting | Code quality enforcement |
| end-of-file-fixer | pre-commit v4.4.0 | File termination | Consistency |
| trailing-whitespace | pre-commit v4.4.0 | Whitespace cleanup | Consistency |
Security Value: gitleaks scans for hardcoded secrets (API keys, tokens, passwords) before any commit reaches the remote repository, providing first-line credential leak prevention aligned with Cryptography Policy.
๐ SLSA Level 3 Compliance
Supply-chain Levels for Software Artifacts (SLSA) Level 3 compliance is achieved through GitHub's native attestation infrastructure integrated into the release and SLSA provenance workflows.
SLSA Requirements Matrix
| SLSA L3 Requirement | Implementation | Workflow |
|---|---|---|
| Source โ Version controlled | Git + GitHub branch protection | All |
| Source โ Verified history | Protected main branch |
All |
| Build โ Scripted build | npm ci + reproducible steps |
release.yml |
| Build โ Build service | GitHub Actions managed runners | All |
| Build โ Non-falsifiable provenance | GitHub Sigstore / OIDC keyless | release.yml |
| Build โ Isolated | GitHub-hosted Ubuntu runners | All |
| Provenance โ Available | .intoto.jsonl attached to release |
release.yml |
| Provenance โ Authenticated | OIDC id-token: write |
release.yml |
| Provenance โ Service generated | actions/attest-build-provenance |
release.yml |
| Provenance โ Non-falsifiable | Sigstore transparency log | release.yml |
Build Provenance Flow
graph TD
A[Developer: git tag vX.Y.Z] --> B[GitHub Actions: release.yml triggered]
B --> C[prepare job: run tests + generate docs]
C --> D[build job: npm ci - hermetic install]
D --> E[Create release-artifacts/euparliamentmonitor-vX.Y.Z.zip]
E --> F[anchore/sbom-action: SPDX JSON SBOM]
F --> G[actions/attest-build-provenance<br/>Subject: release zip file]
G --> H[GitHub Sigstore: OIDC token exchange]
H --> I[Sigstore Transparency Log Entry]
I --> J[.intoto.jsonl bundle saved]
J --> K[actions/attest-sbom<br/>Subject: release zip + SBOM path]
K --> L[GitHub Release: all artifacts attached]
L --> M[Verification: gh attestation verify --owner Hack23 file.zip]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef build fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef crypto fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef release fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A trigger
class B,C,D,E build
class F,K security
class G,H,I,J crypto
class L,M release
Attestation Verification
End-users can verify artifact integrity using the GitHub CLI:
# Verify build provenance
gh attestation verify euparliamentmonitor-v1.0.0.zip --owner Hack23
# Verify SBOM attestation
gh attestation verify euparliamentmonitor-v1.0.0.spdx.json --owner Hack23
# Expected output: โ
Verification successful
# Attestation bundle verified with signer's certificate
ISMS Reference: Secure Development Policy ยง4.4 โ Supply Chain Security
๐ Security Scanning Pipeline
Security scanning tools are integrated into the CI/CD pipeline with triggers as documented in the matrix below (e.g., push, pull request, schedule, pre-commit).
Scanning Tool Matrix
| Tool | Type | Triggers | Findings Location | Blocks Merge? |
|---|---|---|---|---|
| CodeQL | SAST | Push, PR, weekly Saturday | GitHub Security tab | Yes (via required check) |
| npm audit | SCA | Push, PR | Workflow logs | Yes (new โฅ moderate, allowlist exceptions) |
| Dependency Review | SCA | PR only | PR comments | Yes |
| ESLint | SAST Lint | Push, PR, pre-commit | Workflow logs | Yes |
| HTMLHint | Validation | Push, PR, pre-commit | Workflow logs | Warning |
| REUSE | Compliance | Push, PR, weekly Monday | Workflow logs | Yes |
| OpenSSF Scorecard | Posture | Push, weekly Tuesday | SARIF โ Security tab | Advisory |
| gitleaks | Secret Scan | Pre-commit | Terminal | Yes (pre-commit) |
Integrated Scanning Flow
graph LR
subgraph Triggers["โก Triggers"]
PR[Pull Request]
PS[Push to main]
SC[Schedule Weekly]
end
subgraph Scanning["๐ Security Scanning"]
CQL[CodeQL SAST<br/>JS/TS + Actions]
NA[npm audit<br/>CVE check]
DR[Dependency Review<br/>CVE block on PR]
RL[REUSE<br/>License compliance]
SC2[OpenSSF Scorecard<br/>Posture assessment]
end
subgraph Output["๐ Results"]
GH[GitHub Security<br/>Alerts Dashboard]
PRC[PR Comments<br/>Inline feedback]
SAR[SARIF Upload<br/>Code scanning tab]
WL[Workflow Logs<br/>Actions tab]
end
PR --> CQL & NA & DR & RL
PS --> CQL & NA & RL & SC2
CQL --> SAR
NA --> WL
DR --> PRC
RL --> WL
SC2 --> SAR
SAR --> GH
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef scanning fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef output fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class PR,PS,SC trigger
class CQL,NA,DR,RL,SC2 scanning
class GH,PRC,SAR,WL output
๐ฆ Deployment Security Gates
Production deployment to AWS S3 + CloudFront is protected by multiple sequential security gates that must all pass before code reaches production.
Security Gate Sequence
graph TD
A[Developer: Push / PR] --> B{Branch Protection<br/>Rules}
B -->|Protected branch| C[Required Status Checks]
C --> D{CI Tests Pass?<br/>test-and-report.yml}
D -->|โ
Pass| E{CodeQL Scan Pass?<br/>codeql.yml}
D -->|โ Fail| BLOCK[๐ซ Merge Blocked]
E -->|โ
Pass| F{REUSE Compliance?<br/>reuse.yml}
E -->|โ Fail| BLOCK
F -->|โ
Pass| G{Code Review<br/>Approved?}
F -->|โ Fail| BLOCK
G -->|โ
Approved| H[Merge to main]
G -->|โ Pending| BLOCK
H --> I[Deploy to S3<br/>deploy-s3.yml triggered]
I --> J[Harden Runner<br/>egress: BLOCK mode]
J --> K[OIDC AWS Auth<br/>id-token: write]
K --> L[S3 Sync<br/>Cache-optimised]
L --> M[CloudFront Invalidation<br/>Cache flush]
M --> N[โ
Production Live<br/>hack23.com]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef pass fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef fail fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:white
classDef aws fill:#FF9900,stroke:#232F3E,stroke-width:1.5px,color:white
classDef security fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
class A trigger
class B,D,E,F,G decision
class C,H,N pass
class BLOCK fail
class I,J,K security
class L,M aws
AWS Deployment Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| OIDC Federation | aws-actions/configure-aws-credentials with role ARN |
No long-lived secrets |
| Minimal IAM Role | GithubWorkFlowRole โ S3 + CloudFront only |
Least privilege |
| Egress Block Mode | Harden Runner blocks all non-allowlisted endpoints | Network security |
| mtime Preservation | Git commit times restored before sync | Change detection accuracy |
| Cache-Optimised Sync | Per-type cache headers (HTML: 1h, assets: 1y) | Performance + integrity |
| HTTPS Enforcement | CloudFront HTTPS-only distribution | Data in transit protection |
| TLS 1.3 | CloudFront + S3 expected to enforce TLS 1.3 (configured in AWS account) | Cryptography Policy |
๐ Workflow Failure Handling & Rollback
Failure Classification and Response
| Failure Type | Detection | Automated Response | Manual Action |
|---|---|---|---|
| Test failure | CI job exits non-zero | Workflow marked failed, merge blocked | Review logs, fix code, re-push |
| Security finding (CodeQL, new) | CodeQL analysis | PR comment + GitHub Security alert | Assess, fix or document false positive |
| Security finding (npm audit, new) | npm audit in test-and-report.yml |
Workflow failed, findings in logs only | Review audit output, update deps or add to allowlist per policy |
| Security finding (known / accepted) | Known GHSA in audit allowlist | Intelligent triage passes | Document in SECURITY.md and risk register |
| Deployment failure | S3 sync / CF invalidation error | Workflow failed, previous version still live | Check AWS CloudWatch, re-run |
| Attestation failure | Sigstore API / OIDC error | Release blocked | Retry workflow, check OIDC config |
| REUSE non-compliance | Missing SPDX header | PR blocked | Add SPDX-FileCopyrightText headers |
| Agentic workflow failure | Agent timeout or error | PR not created, workflow marked failed | Review agent logs, re-trigger manually |
Rollback Procedure
graph TD
A[๐จ Production Incident Detected] --> B{Incident Type}
B -->|Content error| C[Re-run deploy-s3.yml<br/>from previous commit]
B -->|Security breach| D[Immediate CloudFront disable]
B -->|Dependency vuln| E[npm audit fix + re-deploy]
C --> F[git revert + push to main]
F --> G[Auto-deploy triggered]
D --> H[Revoke AWS role session]
H --> I[Investigate + patch]
I --> J[Re-enable CloudFront]
E --> K[PR with dep update]
K --> L[CI gates pass]
L --> M[Merge + auto-deploy]
G --> N[โ
Rollback Complete]
J --> N
M --> N
classDef alert fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef content fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef security fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef dependency fill:#e67e22,stroke:#d35400,stroke-width:1.5px,color:white
classDef complete fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:white
class A alert
class B decision
class C,F,G content
class D,H,I,J security
class E,K,L,M dependency
class N complete
Recovery Time Objectives
| Scenario | RTO Target | Procedure |
|---|---|---|
| Broken deployment | < 15 minutes | Re-run deploy-s3.yml from last good commit |
| Content regression | < 30 minutes | git revert + auto-deploy pipeline |
| Dependency vulnerability | < 4 hours | npm audit fix + PR + deploy |
| Security incident | < 1 hour | CloudFront disable + incident response |
ISMS Reference: BCP Plan | Incident Response
๐ฆ Dependabot Security Configuration
Configuration: .github/dependabot.yml
Dependabot is configured with two package ecosystems, both scheduled on Monday to batch updates and reduce CI noise.
Dependabot Configuration Summary
| Ecosystem | Directory | Schedule | PR Limit | Groups |
|---|---|---|---|---|
| npm | / |
Weekly, Mon 06:00 UTC | 10 | dev-deps (minor/patch), prod-deps (minor/patch) |
| github-actions | / |
Weekly, Mon 07:00 UTC | Unlimited | github-actions (minor/patch) |
Update Grouping Strategy
graph LR
A[Dependabot Scan] --> B{Package Type?}
B -->|Development dep| C[Group: development-dependencies<br/>minor + patch updates]
B -->|Production dep| D[Group: production-dependencies<br/>minor + patch updates]
B -->|GitHub Action| E[Group: github-actions<br/>minor + patch updates]
C --> F[Single PR: all dev dep updates]
D --> G[Single PR: all prod dep updates]
E --> H[Single PR: all action SHA updates]
F --> I[CI gates validate]
G --> I
H --> I
I --> J{Pass?}
J -->|Yes| K[Auto-merge eligible]
J -->|No| L[Manual review required]
classDef scanner fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef group fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef pr fill:#e67e22,stroke:#d35400,stroke-width:1.5px,color:white
classDef pass fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef fail fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
class A scanner
class B,J decision
class C,D,E group
class F,G,H pr
class I,K pass
class L fail
Commit Message Convention
| Type | Prefix | Example |
|---|---|---|
| npm dep update | build(deps): |
build(deps): bump eslint from 8.x to 9.x |
| npm dev dep | build(deps-dev): |
build(deps-dev): bump vitest from 2.x to 3.x |
| Actions update | build(deps): |
build(deps): bump actions/checkout from v4 to v5 |
Security Labels: All Dependabot PRs are labelled dependencies + javascript or github_actions for easy filtering.
๐ก Workflow Monitoring & Alerting
Workflow Status Badges
All primary workflows expose real-time status badges in README.md and this document for instant visibility into pipeline health:
| Workflow | Badge | Target |
|---|---|---|
| Test & Report | |
Green always |
| CodeQL | |
Green always |
| E2E Tests | |
Green always |
| REUSE | |
Green always |
| OpenSSF Scorecard | โฅ 8.0/10 |
GitHub Security Dashboard Integration
The following tools integrate with the GitHub Security Dashboard via SARIF or native mechanisms:
| Tool | Integration Type | Destination |
|---|---|---|
| CodeQL | SARIF via github/codeql-action/analyze |
GitHub Security Dashboard (code scanning alerts) |
| OpenSSF Scorecard | SARIF via github/codeql-action/upload-sarif |
GitHub Security Dashboard (code scanning alerts) |
| Dependabot | Native GitHub integration | GitHub Security Dashboard (Dependabot alerts) |
Alerting Channels
| Event | Alert Channel | Severity |
|---|---|---|
| Critical CVE found | GitHub Security Advisories | P1 โ Immediate |
| Workflow failure on main | GitHub email notification | P2 โ Same day |
| Scorecard score drop | Weekly scorecard badge | P3 โ Weekly review |
| Dependabot PR opened | GitHub PR notification | P4 โ Next Monday batch |
๐ ISMS Policy Alignment Summary
Policy Coverage
| ISMS Policy | Workflows Implementing Controls | Evidence |
|---|---|---|
| ๐ ๏ธ Secure Development Policy | All 24 workflows | This document |
| ๐ Information Security Policy | CodeQL, OpenSSF Scorecard | SECURITY_ARCHITECTURE.md |
| ๐ Access Control Policy | deploy-s3 (OIDC), release (minimal permissions) | Workflow files |
| ๐ Cryptography Policy | deploy-s3 (TLS), release (Sigstore/SLSA) | Attestations |
| ๐ Open Source Policy | REUSE compliance workflow | REUSE.toml |
| ๐ Vulnerability Management | CodeQL, npm audit, Dependency Review | GitHub Security tab, PR checks |
| ๐ Change Management | Branch protection, CI gates, PR reviews | Workflow gate enforcement |
| ๐จ Incident Response Plan | Rollback procedures, incident classification | ยงFailure Handling section |
Secure Development Policy Alignment
| Policy Section | Implementation | Evidence |
|---|---|---|
| ยง3.2 Architecture Documentation | Documentation-as-code in release workflow | SECURITY_ARCHITECTURE.md |
| ยง3.3 Testing Requirements | 3061+ unit/integration tests, E2E tests, 82%+ coverage | Test & Report Workflow |
| ยง4.1 CI/CD Security | All workflows with security controls | This document |
| ยง4.3 Security Scanning | CodeQL, npm audit, Dependabot | CodeQL Workflow |
| ยง4.4 Supply Chain Security | SLSA L3, SBOM, Dependency Review, REUSE, npm provenance | Release Workflow |
| ยง10.1 CI/CD Workflow Excellence | 24 automated workflows, 100% SHA-pinned | This document |
Compliance Frameworks
| Framework | Version | Controls Implemented | Evidence Location |
|---|---|---|---|
| ISO 27001 | 2022 | A.8.25, A.8.26, A.8.27, A.8.28, A.12.1.4, A.12.6.1, A.14.2.1 | Workflow files + this document |
| NIST CSF | 2.0 | ID.SC (Supply Chain), DE.CM (Detection), PR.DS (Data Security) | SECURITY_ARCHITECTURE.md |
| CIS Controls | v8.1 | 2.2, 4.1, 7.1, 16.1, 16.5, 16.7, 16.12 | Scorecard |
| SLSA | L3 | Build provenance, hermetic build, non-falsifiable, authenticated | Attestations |
| OpenSSF | โ | SHA-pinned actions (100%), Harden Runner, branch protection | Scorecard Report |
| EU CRA | 2024 | SBOM generation, vulnerability disclosure, security updates | Release Workflow |
๐ฌ Political Intelligence Operations Centre
The 9 agentic news workflows collectively form a European Parliament Political Intelligence Operations Centre โ a systematic, automated pipeline that transforms raw parliamentary data into multi-language political intelligence articles published daily.
Intelligence Collection Cycle
The following diagram shows the complete intelligence cycle from EP data collection through analysis to multi-language publication:
flowchart TD
subgraph Collection["๐ก COLLECTION<br/>(EP MCP Server v1.2.15+)"]
direction TB
C1["๐ณ๏ธ Votes &<br/>Adopted Texts"]
C2["๐ Legislative<br/>Procedures"]
C3["๐๏ธ Committee<br/>Documents"]
C4["๐ค Plenary<br/>Speeches"]
C5["โ Parliamentary<br/>Questions"]
C6["๐
Events &<br/>Meetings"]
C7["๐ค MEP Data &<br/>Declarations"]
end
subgraph Analysis["๐ฌ ANALYSIS<br/>(Political Intelligence Pipeline)"]
direction TB
A1["๐ท๏ธ Classification<br/>7-dimension taxonomy"]
A2["โ ๏ธ Risk Assessment<br/>5ร5 Likelihood ร Impact"]
A3["๐ญ Threat Landscape<br/>6 political dimensions"]
A4["๐ผ SWOT Analysis<br/>Evidence-based quadrants"]
A5["๐ Significance Scoring<br/>Publication priority"]
A6["๐ฅ Stakeholder Impact<br/>Multi-perspective"]
end
subgraph Production["๐ฐ PRODUCTION<br/>(9 Content Workflows)"]
direction TB
P1["โก Breaking News<br/>Every 6 hours"]
P2["๐ Daily Intelligence<br/>Motions + Propositions + Committees"]
P3["๐
Weekly Intelligence<br/>Week Ahead + Weekly Review"]
P4["๐ Monthly Intelligence<br/>Month Ahead + Monthly Review"]
P5["๐ฏ On-Demand<br/>Article Generator"]
end
subgraph Distribution["๐ DISTRIBUTION<br/>(14 Languages)"]
direction TB
D1["๐ฌ๐ง English<br/>(source)"]
D2["๐ธ๐ช๐ฉ๐ฐ๐ณ๐ด๐ซ๐ฎ<br/>Nordic Languages"]
D3["๐ฉ๐ช๐ซ๐ท๐ช๐ธ๐ณ๐ฑ<br/>Western European"]
D4["๐ธ๐ฆ๐ฎ๐ฑ๐ฏ๐ต๐ฐ๐ท๐จ๐ณ<br/>Global Languages"]
end
Collection --> Analysis --> Production --> D1
D1 --> |"news-translate<br/>workflow"| D2 & D3 & D4
style Collection fill:#1565C0,stroke:#0D47A1,color:#FFFFFF
style Analysis fill:#6A1B9A,stroke:#4A148C,color:#FFFFFF
style Production fill:#2E7D32,stroke:#1B5E20,color:#FFFFFF
style Distribution fill:#E65100,stroke:#BF360C,color:#FFFFFF
Threat Landscape Dimensions Monitored
The political intelligence pipeline monitors six threat landscape dimensions across all parliamentary activity:
mindmap
root((๐ญ Political<br/>Threat Landscape))
๐ Coalition Shifts
Grand coalition stability
Cross-party alliance formation
Defection patterns
Group cohesion metrics
๐ Transparency Deficit
Access-to-information gaps
Lobbying disclosure failures
Declaration compliance
Procedural opacity
โช Policy Reversal
Legislative rollback risk
Position contradiction
Commitment abandonment
Implementation failure
๐๏ธ Institutional Pressure
Inter-institutional friction
Council-Parliament disputes
Commission accountability
Rule-of-law mechanisms
๐ง Legislative Obstruction
Procedure stalling
Amendment flooding
Committee bottlenecks
Trilogue deadlocks
๐ณ๏ธ Democratic Erosion
Participation decline
Representation gaps
Accountability weakening
Mandate legitimacy
Workflow Cadence โ Weekly Intelligence Rhythm
The 9 agentic workflows follow a carefully orchestrated schedule to ensure continuous intelligence coverage of the European Parliament.
Note: The Gantt chart below uses sample dates (week of 2026-01-05) to illustrate the recurring weekly cadence. Mermaid's gantt format requires concrete dates; the actual schedule repeats every week.
gantt
title Weekly Agentic Workflow Cadence UTC โ Sample Week
dateFormat YYYY-MM-DD
axisFormat %a
section Daily Mon-Fri
Committee Reports 04h00 UTC :active, d1, 2026-01-05, 1d
Propositions 05h00 UTC :active, d2, 2026-01-05, 1d
Motions 06h00 UTC :active, d3, 2026-01-05, 1d
Breaking News 4x daily :crit, d4, 2026-01-05, 1d
section Weekly
Week Ahead Fri 07h00 UTC :d5, 2026-01-09, 1d
section Weekend
Weekly Review Sat 09h00 UTC :d6, 2026-01-10, 1d
section Translation
Translate Weekdays 3x daily :d7, 2026-01-05, 5d
Translate Sat 15h00 UTC :d8, 2026-01-10, 1d
section Monthly
Month Ahead 1st 08h00 UTC :d9, 2026-01-01, 1d
Monthly Review 28th 10h00 UTC :d10, 2026-01-28, 1d
Data Flow โ EP MCP Server to Published Article
flowchart LR
subgraph "๐๏ธ European Parliament"
EP["EP Open Data Portal"]
end
subgraph "๐ MCP Layer"
MCP["EP MCP Server<br/>v1.2.15+<br/>(120s timeout;<br/>60+ tools, sliding + fixed-window feeds)"]
end
subgraph "๐ค Agent Layer"
Agent["GitHub Copilot<br/>claude-opus-4.7"]
Analyze["Analysis Pipeline<br/>11 methodology assets<br/>39 templates"]
end
subgraph "๐ฐ Output Layer"
EN["๐ฌ๐ง English Article"]
Translate["Translation Agent"]
Multi["๐ 13 Additional<br/>Languages"]
end
subgraph "๐ Deployment"
PR["Pull Request"]
Pages["GitHub Pages"]
S3["AWS S3 CDN"]
end
EP --> MCP --> Agent --> Analyze --> EN --> PR
EN --> Translate --> Multi --> PR
PR --> |"merge"| Pages & S3
style EP fill:#003399,stroke:#002266,color:#FFFFFF
style MCP fill:#6A1B9A,stroke:#4A148C,color:#FFFFFF
style Agent fill:#1565C0,stroke:#0D47A1,color:#FFFFFF
style Analyze fill:#C62828,stroke:#B71C1C,color:#FFFFFF
style EN fill:#2E7D32,stroke:#1B5E20,color:#FFFFFF
style Translate fill:#E65100,stroke:#BF360C,color:#FFFFFF
style Multi fill:#F57F17,stroke:#F9A825,color:#000000
style PR fill:#37474F,stroke:#263238,color:#FFFFFF
style Pages fill:#00695C,stroke:#004D40,color:#FFFFFF
style S3 fill:#FF6F00,stroke:#E65100,color:#FFFFFF
Analysis Artifact Structure
Each content workflow deposits analysis artifacts in an isolated directory. Cross-article artifacts (such as ai-daily-synthesis.md) live at the date root analysis/daily/{date}/, while per-workflow artifacts are scoped under analysis/daily/{date}/{article-type}/:
analysis/daily/2026-03-31/
โโโ ai-daily-synthesis.md โ Cross-article synthesis (date root)
โโโ breaking/ โ news-breaking workflow
โ โโโ manifest.json
โ โโโ classification/
โ โโโ threat-assessment/
โ โโโ risk-scoring/
โ โโโ data/ โ EP MCP data for this workflow
โโโ committee-reports/ โ news-committee-reports workflow
โ โโโ manifest.json
โ โโโ classification/
โ โโโ data/
โโโ motions/ โ news-motions workflow
โ โโโ manifest.json
โ โโโ data/
โโโ propositions/ โ news-propositions workflow
โ โโโ manifest.json
โ โโโ data/
โโโ week-ahead/ โ news-week-ahead workflow (Fridays)
โโโ manifest.json
โโโ data/
๐จ Isolation Rule: Each workflow writes ONLY to its own
{article-type-slug}/subdirectory. Cross-workflow overwrites are prohibited. Theai-*.mdsynthesis files at the date root aggregate across all workflows.
๐ Continuous Improvement
Planned Enhancements
See FUTURE_WORKFLOWS.md for:
- Advanced security scanning
- Performance testing enhancements
- Deployment automation improvements
- Multi-environment support
- Fuzzing integration
๐ Related Documentation
| Document | Focus | Link |
|---|---|---|
| ๐ Security Architecture | Current security implementation | SECURITY_ARCHITECTURE.md |
| ๐ Security Flowcharts | Process flows with security controls | FLOWCHART.md |
| ๐ Data Model | Data structures and flows | DATA_MODEL.md |
| ๐ Future Workflows | Planned enhancements | FUTURE_WORKFLOWS.md |
| ๐ Release Process | Release procedures | docs/RELEASE_PROCESS.md |
| ๐ก๏ธ ISMS Policy | Security policy framework | Hack23 ISMS-PUBLIC |
| ๐ฆ Dependabot Config | Automated dependency updates | .github/dependabot.yml |
๐ Questions? Contact: Security Team
๐ Security Issues? See SECURITY.md for vulnerability disclosure
Last updated: 2026-04-20 by Documentation Architect / DevOps Engineer (EU Parliament Monitor v0.8.40)