[FAQ] Add: External admission authority and platform trust boundary#28937
Draft
…ution Addresses the architectural question of whether the execution platform should own the final admission decision for trusted execution context, covering the layered trust model, available workarounds using pre-agent steps and custom safe output jobs, and the current limitation that a truly external authority outside GitHub Actions is not natively supported. Relates to: github/agentic-workflows#485 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Comment Memory
Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
Collaborator
@copilot review and unslop
…er prose Agent-Logs-Url: https://github.com/github/gh-aw/sessions/6aa11b2b-16f7-4676-9ac9-51bd93f1ccd3 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Done in 846023f. Changes:
Collaborator
pelikhan
reviewed
Apr 28, 2026
The proper pattern is to add steps to pre-activation and the output should automatically be used to gate the activation job. Needs work
Adds a new FAQ entry in the Guardrails section addressing the architectural question of whether the execution platform should own the final admission decision for trusted execution context.
What changed
New entry: "Should the execution platform own the final admission decision for trusted execution context?"
The entry explains:
steps: pattern as the closest approximation to an external admission gate (with OIDC token verification)
Source
Raised in community discussion, tracked in: github/agentic-workflows#485 (follow-up to github/agentic-workflows#484)
Type of change
New FAQ entry (not an update to an existing entry — no existing entry covers this topic).