Automation Infrastructure
TABS is operated almost entirely through automated pipelines. This page documents the two main chains: the hands-off coding workflow that takes a GitHub Issue to a merged PR without any human writing code, and the daily data pipeline that processes Prolific submissions, runs analysis, and commits results - all without a human pressing a button.
The Hands-Off Chain
Every feature and fix follows an eight-step chain from GitHub Issue to merged PR. No human writes code; the workflow is purely assignment, review, and approval.
| Step | Actor | Action | Output |
|---|---|---|---|
| 1 | Human | Creates a GitHub Issue describing the task | Issue assigned to @Copilot or Claude Code |
| 2 | Copilot / Claude | Reads the issue, explores the codebase, plans and implements the change | Branch + commits pushed to GitHub |
| 3 | GitHub Actions | CI runs: format check, lint, unit tests, build, Playwright E2E | Green or red status on the PR |
| 4 | Copilot PR Review | Automatically reviews the PR diff for correctness, style, and security | Inline review comments on the PR |
| 5 | Copilot / Claude | Reads review comments, applies fixes, pushes updated commits | PR updated; CI re-runs |
| 6 | GitHub Actions | CI re-runs on the updated commits | Green or red status |
| 7 | Human | Reviews the final diff and CI results; approves if satisfied | PR approval recorded |
| 8 | GitHub | Merge queue runs final checks; merges to main and deploys to GitHub Pages | Feature live on technologyadoptionbarriers.org |
Daily Data Pipeline
A GitHub Actions workflow (daily-pipeline.yml) runs every morning. The workflow runs a seven-phase chain that processes Prolific submissions, exports and analyzes Qualtrics responses, and commits updated JSON artifacts - all without manual intervention.
| Phase | Name | What it does | GitHub Environment |
|---|---|---|---|
| 1 | Fetch | Pulls auth checks and submission statuses from the Prolific API; produces a disposition CSV artifact | prolific-prod |
| 2 | Analyze | Exports Qualtrics survey responses, enriches with Prolific status, runs disposition waterfall, descriptive stats, advanced analysis, psychometrics, and quality audit - 7 sub-steps in sequence | qualtrics-prod |
| 3a | Approve | Bulk-approves CLEAN-disposition participants on Prolific; pre-filters already-approved PIDs to avoid double-processing | prolific-prod |
| 3b | Message | Sends disposition-specific messages to FLAG participants via the Prolific messaging API - 9 message variants, run sequentially | prolific-prod |
| 3c | Dashboard | Generates disposition-summary.json with live Prolific counts cross-referenced against the analysis sample Ns | prolific-prod |
| 4 | Commit | Runs Prettier on all changed data files, then opens a PR with updated JSON artifacts via the format-and-pr composite action | copilot |
| 5 | Report | Creates a daily GitHub Issue summarizing pipeline results, counts, and any anomalies - always runs, even if earlier phases fail | github-pages |
Data Privacy Boundaries
The pipeline is designed so that PII never reaches the repository. The table below classifies every artifact produced during a pipeline run.
| Artifact | Contains PIDs? | Committed to repo? | Retention |
|---|---|---|---|
| sensitivity-analysis.json | No (aggregate stats) | Yes | Permanent |
| data-audit.json | No (aggregate counts) | Yes | Permanent |
| disposition-summary.json | No (aggregate counts) | Yes | Permanent |
| Disposition CSV | Yes (PROLIFIC_PID) | No (artifact only) | 1 day |
| Qualtrics raw CSV | Yes (PII fields) | No (stays on runner) | Ephemeral |
| Prolific demographics | Yes (per-participant) | No (not fetched in daily pipeline) | Ephemeral |
| Step summaries | No (aggregate counts) | No (Actions UI) | Workflow lifetime |
| Workflow logs | Yes (PIDs in debug) | No (Actions UI) | 90 days |
Demographic data (age, sex, ethnicity, language, nationality) from Prolific profiles is not fetched during the daily pipeline. When fetched via manual workflows or standalone scripts, any resulting CSV files are written only to runner temp or short-lived artifacts and are never committed to the repository. The public dataset excludes all direct identifiers.
Privacy Rule
Never commit PROLIFIC_PID or participant-level data to the repository. Step summaries use aggregate counts only. Workflow logs containing PIDs are retained only in the GitHub Actions UI for 90 days and are not accessible to the public.
AI Agent Ecosystem
Three distinct AI agents collaborate on every feature, each with a different role and access level.
Copilot Coding Agent
Implementation
- •Assigned GitHub Issues
- •Writes and pushes code to a branch
- •Opens a pull request
- •Fixes review comments
- •Never merges - human approves
Claude Code
Implementation (alternate)
- •IDE-integrated; runs locally or in CI
- •Same write access as Copilot agent
- •Used for complex multi-file refactors
- •Can call MCP servers (Qualtrics, GitHub)
- •Submits work via PR - same review chain
Copilot PR Review
Review
- •Triggered when PR is marked ready
- •Reviews diffs for bugs and style
- •Posts inline comments
- •Re-reviews after fixes
- •Cannot merge - advisory only
How the agents hand off on a single feature
- Human creates an issue and assigns it to @Copilot.
- Copilot coding agent clones the repo, reads the issue, and writes the code.
- Agent pushes a branch and opens a PR, which triggers CI.
- CI (format, lint, tests, build, E2E) runs automatically and posts status.
- Human marks the PR as “Ready for review” - Copilot PR Review reads the diff and posts comments.
- Copilot coding agent (or Claude) reads the review comments and pushes fixes.
- CI re-runs; if green, human reviews the final diff and approves.
- GitHub merge queue merges the PR and deploys to GitHub Pages.
Dependency Provenance
Every external API is accessed through either an official first-party client library or a centralized TypeScript/Python module that wraps the REST API directly. No third-party API wrappers are used.
Qualtrics API v3 (REST)
Survey export, embedded data, and quota operations use the official Qualtrics REST API v3. The centralized client is src/lib/qualtrics-api.ts (TypeScript) and scripts/analysis/tabs_api.py (Python). No third-party Qualtrics SDK is used.
Prolific API v1 (REST)
Participant operations (approve, message, status) use the official Prolific API with token-based authentication. The centralized client is src/lib/prolific-api.ts (TypeScript) and scripts/analysis/prolific_tools.py (Python).
Google Analytics & Search Console
Analytics and SEO metrics use the official @google-analytics/data and googleapis SDKs from Google. Service account authentication is used; credentials are stored in GitHub Secrets and never committed to the repository.
GitHub MCP Server
AI agents access GitHub - creating issues, pushing files, managing PRs - through the official @modelcontextprotocol/server-github MCP server, not via third-party wrappers. Qualtrics MCP uses the first-party MCP endpoint built into the Qualtrics platform.