Using GitHub Actions & Prompt Bundling to Provide Compliance Guardrails

This guide shows how to use Prompt Bundling plus a lightweight GitHub Actions check to ensure every production prompt change is peer‑reviewed and fully auditable—meeting common controls such as SOC 2 CC4.1, ISO 27001 A.14.2.5, and PCI‑DSS 6.4.5.

Why it matters

  • Prompt text is business logic. Untracked changes can introduce risk or inconsistent behavior.
  • Most compliance frameworks require that production code (including prompts) is:
    • Immutable after deployment
    • Peer‑reviewed before release
    • Traceable with a full audit trail
  • Bundling a prod Prompt Template into an artifact that lives in Git provides these guarantees with almost zero additional tooling.
  • This also protects your application in the unlikely event that it cannot connect to the Freeplay platform, because the prompts are served from the local bundle.

Prerequisites for this guide

  • GitHub repository
  • GitHub Actions enabled
  • Freeplay CLI
  • A Prompt Template already promoted to the prod environment

Step 1  ·  Bundle the production prompt

Run during your release pipeline:

freeplay download \
  --env prod \
  --output bundled_prompts

This writes an immutable JSON artifact containing:

  • Prompt text
  • Model/provider selection
  • All request parameters

Step 2  ·  Open a pull request if the bundle changes

Add the following workflow file to .github/workflows/prompt-bundle-guard.yml:

name: Update Bundled Prompts
on:
  push:
    branches: [main]

jobs:
  prompt-bundle-guard:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # push temp branch
      pull-requests: write     # open PR
    steps:
      - uses: actions/checkout@v4

      - name: Install Freeplay CLI
        run: python -m pip install --upgrade freeplay

      - name: Re‑bundle prod prompts
        # The CLI needs your Freeplay credentials; supply them from a repository secret
        # using whatever environment variable or flag your installed CLI version expects.
        run: |
          freeplay download \
            --env prod \
            --output bundled_prompts

      - name: Open PR if bundle changed
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Stage first so newly added prompt files are detected, not only edits to tracked ones
          git add -A bundled_prompts
          if git diff --cached --quiet; then
            echo "No prompt updates detected." && exit 0
          fi

          git config user.name  "Freeplay Prompt Bundler"
          git config user.email "[email protected]"
          branch="auto/prompt-bundle-$(date +%s)"
          git switch -c "$branch"          # staged bundle changes carry over to the new branch
          git commit -m "chore(prompts): update prod bundled prompt"
          git push --set-upstream origin "$branch"

          gh pr create \
            --title "Update production bundled prompts" \
            --body "Automated PR generated by Prompt Bundler workflow." \
            --label "prompt-bundle" \
            --base main \
            --head "$branch" \
            --draft

What happens?

  1. Bundle – Regenerates the prod bundle.
  2. Diff – If anything changed inside bundled_prompts/, the workflow:
    • Pushes the change on a new auto/prompt-bundle-* branch.
    • Creates a draft PR that a human must review & merge.
  3. Once merged, the new bundle is locked in Git history.

Tip: Protect main with “Require PR approval” to enforce peer review.


Step 3  ·  Pin the Bundled Prompt for production systems at runtime

import os
from pathlib import Path
from freeplay.thin import Freeplay
from freeplay.thin.resources.prompts import FilesystemTemplateResolver

# Credentials are read from the environment here; these variable names are placeholders
# assumed for this guide, substitute your own configuration mechanism
freeplay_key = os.environ["FREEPLAY_API_KEY"]
freeplay_api_base = os.environ["FREEPLAY_API_BASE"]

# Point the resolver at your committed bundle directory
fpClientLocal = Freeplay(
    freeplay_api_key=freeplay_key,
    api_base=freeplay_api_base,
    template_resolver=FilesystemTemplateResolver(Path("bundled_prompts")),
)

# Invoke the production template as usual; the resolver now serves it from bundled_prompts

The SDK reads the local bundle, so the application can only execute prompts that passed the PR gate.
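The resolver above trusts whatever is on disk under bundled_prompts. As an added example (not part of the Freeplay SDK or of this guide's original code), the following script pins the bundle to a SHA-256 manifest that is generated in the workflow and committed in the same PR, so the application fails closed at startup if a bundled file was modified, removed, or added outside the review gate; the manifest file name and the startup wiring are assumptions.

```python
import hashlib
import json
from pathlib import Path

MANIFEST_NAME = "bundled_prompts.sha256.json"  # assumed manifest name, not a Freeplay convention

def hash_files(files: dict[str, bytes]) -> dict[str, str]:
    """Map each relative file path to the SHA-256 hex digest of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}

def read_bundle(bundle_dir: Path) -> dict[str, bytes]:
    """Read every file under the bundle directory, keyed by POSIX-style relative path."""
    return {p.relative_to(bundle_dir).as_posix(): p.read_bytes()
            for p in sorted(bundle_dir.rglob("*")) if p.is_file()}

def verify(manifest: dict[str, str], actual: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the bundle matches the manifest.
    Extra files are reported too, so an injected prompt file cannot slip past the check."""
    problems = []
    for name, digest in manifest.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in actual if name not in manifest)
    return problems

def write_manifest(bundle_dir: Path, manifest_path: Path) -> None:
    """Run in the PR workflow right after `freeplay download`, so reviewers approve the hashes too."""
    manifest_path.write_text(json.dumps(hash_files(read_bundle(bundle_dir)), indent=2) + "\n")

def load_verified_bundle(bundle_dir: Path, manifest_path: Path) -> Path:
    """Fail closed at startup: hand the directory to the template resolver only if it is intact."""
    problems = verify(json.loads(manifest_path.read_text()), hash_files(read_bundle(bundle_dir)))
    if problems:
        raise RuntimeError("prompt bundle integrity check failed: " + "; ".join(problems))
    return bundle_dir

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "bundled_prompts"
        bundle.mkdir()
        # Constructed sample bundle file, not real `freeplay download` output
        (bundle / "support-reply.json").write_text('{"content": "You are a support agent."}')
        write_manifest(bundle, Path(tmp) / MANIFEST_NAME)
        print("verified bundle at", load_verified_bundle(bundle, Path(tmp) / MANIFEST_NAME))
```

Pass the returned path to FilesystemTemplateResolver in place of the bare Path("bundled_prompts") so the client is only constructed after the check succeeds.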


Compliance mapping

Framework | Requirement | How the workflow satisfies it
SOC 2 CC4.1 | Peer review of production changes | PR approval required before merge
ISO 27001 A.14.2.5 | Secure engineering principles & immutable artifacts | Bundled Prompt is hashed & version‑controlled
PCI‑DSS 6.4.5 | Formal approval prior to production | PR review & protected branch policies
HIPAA §164.308(a)(1)(ii)(D) | System activity review & audit trails | Git + GitHub Actions logs show who changed what, when

FAQ & Troubleshooting

Q : What if we maintain multiple prod environments (e.g., per‑tenant)?
A : Run freeplay download --env prod-<tenant> (or similar, given your environment naming conventions) for each environment and store each bundle under its own path.

Q : Can I use Bitbucket Pipelines or GitLab CI instead?
A : Yes, mirror the same logic: re‑bundle, diff, and open a merge request when changes are detected.

Q : How do I invalidate a bad prompt quickly?
A : Revert the bundle commit or promote a previous prompt template version in the Freeplay dashboard and re‑run the workflow.