Ideas

GitHub Actions should separate delivery from diagnosis

CI governance improves when delivery, diagnosis, telemetry, and decision loops are modeled as separate but connected planes.

2025-09-05

This model is not just CI -> deploy, and it is not just agent -> pull request.

It separates governance into planes. The control plane defines intent and guardrails. The execution plane produces code and artifacts. The observability plane records what happened. The decision layer turns telemetry and review signals into approval, retry, escalation, or feedback.

flowchart
  Spec["📘 Spec / Task Definition"]
  Human["🧑‍⚖️ Human Review"]
  Policy["📏 Policy / Guardrails"]

  CI["⚙️ GitHub Actions"]
  Agent["🤖 Agent Executor"]
  Job["🧠 Runner Job"]

  PR["📬 Pull Request / Code Change"]
  Artifact["📦 Build Artifact"]
  Deploy["🚀 GitHub Pages Deployment"]

  OTel["📡 OpenTelemetry Collector"]
  ELK["📊 ELK Logs / Metrics / Events"]
  Eval["📈 Evaluation / Scoring"]

  Decide["🧭 Decision Engine"]
  Feedback["🔁 Feedback Loop"]

  Spec --> Human
  Human --> Policy
  Policy --> CI

  CI --> Agent
  Agent --> Job

  Job --> PR
  Job --> Artifact
  Artifact --> Deploy
  Job -->|OTLP telemetry| OTel
  OTel -->|indexed signal| ELK

  ELK --> Eval
  Eval --> Decide

  Decide -->|approve| PR
  Decide -->|retry / fix| Agent
  Decide -->|escalate| Human
  Decide --> Feedback
  Feedback --> Spec

  subgraph L1["🧩 Control Plane"]
    Spec
    Human
    Policy
  end

  subgraph L2["⚙️ Execution Plane"]
    CI
    Agent
    Job
  end

  subgraph L3["📡 Observability Plane"]
    OTel
    ELK
    Eval
  end

  subgraph L4["🧠 Decision Layer"]
    Decide
    Feedback
  end

  subgraph L5["🚀 Delivery Output"]
    PR
    Artifact
    Deploy
  end

  classDef control fill:#182235,color:#f8fafc,stroke:#94a3b8,stroke-width:2px
  classDef exec fill:#082f49,color:#e0f2fe,stroke:#38bdf8,stroke-width:2px
  classDef obs fill:#064e3b,color:#dcfce7,stroke:#34d399,stroke-width:2px
  classDef decision fill:#431407,color:#ffedd5,stroke:#fb923c,stroke-width:2px
  classDef output fill:#312e81,color:#ede9fe,stroke:#a78bfa,stroke-width:2px

  class Spec,Human,Policy control
  class CI,Agent,Job exec
  class OTel,ELK,Eval obs
  class Decide,Feedback decision
  class PR,Artifact,Deploy output

  style L1 fill:#0f172a,stroke:#64748b,color:#e2e8f0,stroke-width:2px
  style L2 fill:#071b2f,stroke:#0ea5e9,color:#e0f2fe,stroke-width:2px
  style L3 fill:#06251f,stroke:#22c55e,color:#dcfce7,stroke-width:2px
  style L4 fill:#2a1206,stroke:#f97316,color:#ffedd5,stroke-width:2px
  style L5 fill:#17133a,stroke:#8b5cf6,color:#ede9fe,stroke-width:2px

  linkStyle 0 stroke:#94a3b8,stroke-width:2px
  linkStyle 1 stroke:#94a3b8,stroke-width:2px
  linkStyle 2 stroke:#38bdf8,stroke-width:2px
  linkStyle 3 stroke:#38bdf8,stroke-width:2px
  linkStyle 4 stroke:#38bdf8,stroke-width:2px
  linkStyle 5 stroke:#a78bfa,stroke-width:2px
  linkStyle 6 stroke:#a78bfa,stroke-width:2px
  linkStyle 7 stroke:#a78bfa,stroke-width:2px
  linkStyle 8 stroke:#22c55e,stroke-width:2px,stroke-dasharray: 5 5
  linkStyle 9 stroke:#22c55e,stroke-width:2px,stroke-dasharray: 5 5
  linkStyle 10 stroke:#22c55e,stroke-width:2px
  linkStyle 11 stroke:#f97316,stroke-width:2px
  linkStyle 12 stroke:#f97316,stroke-width:2px
  linkStyle 13 stroke:#f97316,stroke-width:2px
  linkStyle 14 stroke:#f97316,stroke-width:2px
  linkStyle 15 stroke:#f97316,stroke-width:2px
  linkStyle 16 stroke:#f97316,stroke-width:2px,stroke-dasharray: 5 5

Execution channel

The execution channel remains deterministic:

Spec -> Human Review -> Policy -> GitHub Actions -> Agent Executor -> Runner Job -> Build Artifact -> GitHub Pages Deployment

That path is responsible for state change. It decides whether a reviewed task can run, whether the runner produced a code change or artifact, and whether the static site artifact can reach GitHub Pages.

Observability channel

The observability channel is side-band:

Runner Job -> OpenTelemetry Collector -> ELK -> Evaluation / Scoring

The job emits logs, metrics, traces, and events as OTLP telemetry. The collector normalizes and forwards that signal into ELK for indexing, search, dashboards, and investigation. Evaluation then turns that record into run scores, anomaly signals, and pipeline ranking inputs.

Decision loop

The decision layer consumes evaluation output without making observability a deployment dependency.

It can approve a pull request, retry the agent with a fix, escalate back to a human reviewer, or feed lessons back into the next task definition. That makes the loop useful for agentic work: judgment remains explicit, retries remain bounded, and the system accumulates evidence about which jobs and pipelines are trustworthy.

Governance rule

Deployment should not depend on logging success.

If telemetry ingestion is delayed or ELK is unavailable, the build path should still be able to complete or fail based on its own checks. Observability is there to explain what happened, compare runs, detect anomalies, and score or rank pipelines after the fact.

That separation keeps GitHub Actions responsible for delivery while OpenTelemetry and ELK become the diagnostic record. The result is a CI system where execution remains deterministic and diagnosis remains rich enough to support job-level traceability, anomaly detection, evaluation, and pipeline governance.