chore(ai): bootstrap governance workflows and PR template

[ErykKul]

@AI-Tool: Copilot

Summary

• Bootstrap governance workflows and PR template; normalize uses to local; add sync metadata.

AI Provenance (required for AI-assisted changes)

• Prompt: Bootstrap governance workflows and PR template; normalize uses to local.
• Model: GitHub Copilot gpt-5
• Date: 2025-09-16T10:00:00Z
• Author: @ErykKul
• Role: deployer

Compliance checklist

• No secrets/PII
• Transparency notice updated (if user-facing)
• Agent logging enabled (actions/decisions logged)
• Kill-switch / feature flag present for AI features
• No prohibited practices under EU AI Act
• Human oversight retained (required if high-risk or agent mode)
• Risk classification: limited
• Personal data: no
• DPIA: N/A
• Automated decision-making: no
• Agent mode used: yes
• GPAI obligations: N/A (if Role: provider)
• Vendor GPAI compliance reviewed: N/A (if Role: deployer)
• License/IP attestation
• Attribution: N/A
• Oversight plan: N/A

Change-type specifics

• Security review: N/A
• Media assets changed:
• AI content labeled
• C2PA: N/A
• UI changed:
• Accessibility review (EN 301 549/WCAG)
• Accessibility statement: N/A
• Deploy/infra changed:
• Privacy notice: N/A
• Lawful basis: N/A
• Retention schedule: N/A
• NIS2 applicability: N/A
• Incident response plan: N/A
• Backend/API changed:
• ASVS: N/A
• Log retention policy: N/A
• Data paths changed:
• TDM: N/A
• TDM compliance: N/A

Tests & Risk

• Unit/integration tests added/updated
• Security scan passed
• Rollback plan: Revert PR; workflows are isolated under .github and feature-flagged in CI.
• Smoke test: N/A
• Docs updated (if needed)

[github-actions]

Code Review Agent (Python)\n

No Python files changed. Skipping analysis.

[github-actions]

AI Governance checks failed

Please fix the following before re-running checks:

• Ensure PR body includes provenance fields:
  • Prompt
  • Model
  • Date
  • Author
  • No secrets/PII (checkbox)
• Complete compliance checklist items required for your change type (transparency notice, DPIA, logging, kill-switch, risk classification, human oversight, security review, vendor GPAI review).
• Add a rollback note if the change is risky (authz, data export, evaluation logic, etc.).

Helpful links:

• PR template (provenance): https://github.com/libis/ai-transition/blob/main/.github/pull_request_template.md
• Risk mitigation matrix: https://github.com/libis/ai-transition/blob/main/governance/risk_mitigation_matrix.md
• Reusable governance workflow: https://github.com/libis/ai-transition/blob/main/.github/workflows/ai-governance.yml

After edits, push updates or re-run the workflow to validate.

[github-actions]

Code Review Agent (Python)\n

No Python files changed. Skipping analysis.

[ErykKul]

AI-Assistance: Prompts used in this conversation

• read this file for context (See attachments above for file contents. You may not need to search or read the file again.)
• bootstrap
• Continue: "Continue to iterate?"
• make the markdownlint less strikt and fix the remaining problems, if any
• add a comment to the pr containig the prompts used in this conversation