GitHub Agentic Workflows

Repository automation, powered by the coding agents you know β€” with guardrails

GitHub Agentic Workflows (gh-aw) lets you write repository automation in plain markdown. A gh aw CLI extension compiles that markdown into a hardened GitHub Actions workflow that runs an AI coding agent β€” GitHub Copilot CLI, Claude Code, OpenAI Codex, or Google Gemini β€” inside a sandboxed container, on a schedule or in response to repository events. Developed by GitHub and Microsoft, it augments deterministic CI/CD with Continuous AI.

.md β†’ .lock.yml
Natural-language workflows compiled to GitHub Actions YAML
4+ engines
Copilot (default), Claude, Codex, Gemini β€” switch with one line
20+ safe outputs
Agents run read-only; gated jobs perform the writes
AWF
Agent Workflow Firewall β€” sandbox + network egress control

The big idea

Instead of writing hundreds of lines of Actions YAML and glue scripts, you describe what you want in markdown:

---
on:
  schedule: [{ cron: "0 9 * * 1-5" }]
safe-outputs:
  create-issue:
    title-prefix: "[team-status] "
    labels: [report, daily-status]
---

# Daily Team Status

Create an upbeat daily status report for the team as a GitHub issue.

Include:
- Recent repository activity (issues, PRs, discussions, releases, code changes)
- Progress tracking, goal reminders and highlights
- Project status and recommendations
- Actionable next steps for maintainers

Run gh aw compile and this becomes a full GitHub Actions workflow (.lock.yml) that spins up a containerized coding agent every weekday morning. The agent reads your repository, analyzes activity, and requests issue creation through a safe output β€” a separate, permission-scoped job actually creates the issue. The agent itself never holds write permissions.

Why it matters

🧠 Continuous AI

Wake up to ready-to-review improvements: automated triage, CI insights, docs updates, and test enhancements β€” recurring, event-driven, and hands-off.

πŸ” Security-first

Layered defense: read-only tokens, no secrets in the agent, AWF sandbox with a network firewall, a safe-outputs gate, and threat-detection scanning before any write lands.

πŸ’° Cost control

gh aw logs and gh aw audit surface token/AI-credit spend per run; max-ai-credits gives each run a hard budget; OpenTelemetry exports traces for dashboards.

πŸ“ Markdown, not YAML

Frontmatter for config, natural language for behavior. Anyone on the team can read β€” and meaningfully review β€” the automation.

πŸ” Engine-agnostic

Change engine: copilot to engine: claude and recompile. Same workflow, different agent, same guardrails.

πŸ•ΈοΈ Multi-agent

Orchestrator workflows fan out to worker workflows via dispatch-workflow and call-workflow safe outputs β€” agents calling agents, safely.

πŸ§ͺ This page has a live companion repo: haslam93/gh-aw-demo-lab β€” every example below exists there as a real, compiled, runnable workflow. Open an issue there and watch the triage agent respond; run the orchestrator and watch it dispatch worker agents. Look for the β–Ά Run it live links throughout this page.

Vocabulary cheat-sheet

TermMeaning
gh awThe GitHub CLI extension (gh extension install github/gh-aw) that creates, compiles, runs, and audits agentic workflows.
Agentic workflowA markdown file in .github/workflows/ with YAML frontmatter (config) + markdown body (the agent's prompt).
.lock.ymlThe compiled, hardened GitHub Actions workflow generated by gh aw compile. Committed alongside the .md file.
EngineThe coding agent that interprets the markdown: Copilot CLI (default), Claude Code, Codex, or Gemini.
AWFAgent Workflow Firewall β€” the default sandbox that isolates the agent in a container with domain-based network egress control.
Safe outputsValidated GitHub write operations (create issue, comment, PR…). The agent emits structured requests; separate scoped jobs execute them.
MCPModel Context Protocol β€” how tools (GitHub API, Playwright, custom servers) are exposed to the agent, routed via an MCP gateway.
FrontmatterThe YAML block between --- markers: triggers, permissions, engine, network, tools, safe-outputs, timeouts.

Official docs: github.github.com/gh-aw · Samples: githubnext/agentics

Updates

πŸ“° What's New in the gh-aw world

Recent releases and notable changes in GitHub Agentic Workflows. Entries added in the last 14 days carry a NEW badge. This section is maintained by an agentic workflow: site-updater.md checks the gh-aw project weekly and opens a PR updating the JSON data below β€” the lab demoing itself. πŸ•πŸ¦΄

How the badge works: the page compares each entry's date to today at load time β€” anything ≀ 14 days old is tagged NEW, and the sidebar link gets a count. The updater agent only edits the JSON; the rendering logic stays untouched, which keeps the agent's diff small, reviewable, and safe.

Sources watched: gh-aw releases · official docs · agentics samples

Lifecycle

How It Works β€” from markdown to merged

Click each stage in the pipeline to explore what happens there. This is the full journey of an agentic workflow, from authoring to a gated write on GitHub.

πŸ“
Author .md
markdown + frontmatter
β†’
βš™οΈ
gh aw compile
.lock.yml
β†’
🎯
Trigger
event / cron / manual
β†’
πŸ›‚
Activation
gates & checks
β†’
πŸ€–
Agent job
sandboxed, read-only
β†’
πŸ”
Threat scan
output inspection
β†’
βœ…
Safe outputs
scoped write jobs

The security flow at a glance

Repository + Prompt Input
   β†’ Read-only Token          # agent job gets read-only GITHUB_TOKEN
   β†’ No Secrets in Agent      # secrets never enter the agent container
   β†’ Sandbox + Network Firewall (AWF)
   β†’ Safe Outputs Gate        # structured JSON requests, validated
   β†’ Threat Detection Scan    # scans agent output for injection/exfil
   β†’ Scoped Write Job         # separate job with exactly the needed permission

This layered model is why an agent manipulated by prompt injection still can't push code, leak secrets, or spam issues beyond configured limits.

Reference

Anatomy of an Agentic Workflow

A realistic issue-triage workflow, line by line. Click any highlighted line to see what it does. The frontmatter configures the machinery; the markdown body is the agent's actual prompt.

πŸ‘ˆ Click a line

Select any line of the workflow to see an explanation of that field, its defaults, and related options.

After editing frontmatter, always run gh aw compile to regenerate the .lock.yml. GitHub Actions executes the lock file, not the markdown.
Agents

AI Engines β€” pick your coding agent

The engine: frontmatter field selects which coding agent interprets your markdown. Switching agents is a one-line change plus the matching secret. Copilot is the default and supports the broadest gh-aw feature set.

🟣 GitHub Copilot CLI default

Broadest feature support: custom agent files, autopilot continuations (max-continuations), SDK mode, BYOK provider routing.

  • Auth: COPILOT_GITHUB_TOKEN PAT (Copilot Requests: Read) or org billing via permissions.copilot-requests: write β€” no PAT needed
  • Custom agents: engine.agent: my-agent β†’ .github/agents/my-agent.agent.md
  • BYOK: route to OpenAI/Anthropic/Azure/Ollama via COPILOT_PROVIDER_BASE_URL

🟠 Claude Code (Anthropic)

Strong control over long reasoning sessions with turn limits.

  • Auth: ANTHROPIC_API_KEY secret
  • max-turns caps agent iterations (default 500)
  • engine.permission-mode: auto, acceptEdits (default), plan, bypassPermissions
  • Per-tool timeout default: 60s

🟒 OpenAI Codex

Fits when OpenAI models are already part of your tooling/budget.

  • Auth: OPENAI_API_KEY (or CODEX_API_KEY, which takes precedence)
  • web-search is opt-in: declare tools: web-search: explicitly
  • Per-tool timeout default: 120s

πŸ”΅ Google Gemini

Use Gemini models with the same workflow definition and guardrails.

  • Auth: GEMINI_API_KEY secret
  • Relies on timeout-minutes + tools.timeout for limits
  • Web search via third-party MCP server

Extended engine configuration

engine:
  id: copilot
  version: latest              # pin e.g. "0.5.1" for reproducible builds
  model: gpt-5                 # override the engine's default model
  agent: technical-doc-writer  # .github/agents/technical-doc-writer.agent.md
  args: ["--add-dir", "/workspace"]
  env:
    CUSTOM_API_ENDPOINT: https://api.example.com
  api-target: api.acme.ghe.com # GHEC/GHES custom API endpoint (hostname only)
  bare: false                  # true = skip AGENTS.md / memory / auto-context

Feature support notes

CapabilityCopilotClaudeCodexGemini
Custom agent files (engine.agent)βœ…β€”β€”β€”
Autopilot continuations (max-continuations)βœ…β€”β€”β€”
Iteration cap (max-turns)βœ…*βœ… strongestβœ…*βœ…*
Built-in web-searchMCPMCPopt-in nativeMCP
Harness retries (default 3, exp. backoff)βœ…βœ…βœ…β€”

*max-turns (default 500) and max-ai-credits (default 1000) are top-level fields supported across engines; behavior nuances vary. See the engines reference for the authoritative matrix.

Custom agent personas β€” a library of specialists

With the Copilot engine, workflows can invoke different specialized agents defined as markdown files in .github/agents/. Each agent file sets its own instructions, tone, tools, and expertise. Other engines (Claude, Codex) can still use them β€” the body is injected as a prompt via imports:.

Pick a persona, then click any highlighted line of its agent file to see what it does.

πŸ‘ˆ Click a line

Select any line of the agent file to see an explanation.

Calling this persona from a workflow

RuleDetail
LocationMust live in a .github/agents/ directory β€” local, or in a remote repo imported as owner/repo/.github/agents/name.md@ref
FormatMarkdown with YAML frontmatter: name, description, optional tools and mcp-servers
One per workflowOnly one agent file can be imported per workflow β€” orchestrate multiple personas via worker workflows
CachingRemote agent files are cached by commit SHA in .github/aw/imports/
Org librariesOrganizations can publish shared agent libraries (e.g. acme-org/ai-agents) and version them with tags

Combine this with orchestration (next section) and one orchestrator can route work to a triage agent, a docs agent, and a security agent β€” each in its own workflow with its own scoped permissions. Agents can also be defined inline in the workflow markdown (see the Inline Sub-Agents reference).

Core Concept

Safe Outputs β€” writes without write permissions

The signature security idea of gh-aw. The agent runs read-only and emits structured JSON describing what it wants to do. After validation and threat scanning, a separate job β€” holding exactly one write permission β€” executes the request. Least privilege, prompt-injection defense, auditability, and hard per-operation limits, all by construction.

What the agent emits

{
  "type": "create_issue",
  "title": "Triage: flaky parser test",
  "body": "Intermittent failure detected in CI...",
  "labels": ["bug", "flaky-test"]
}

Requests are made through MCP tools (e.g. safeoutputs.create_issue). The agent never touches the GitHub write API.

What actually happens

  • Output is validated against the safe-output schema (e.g. issue body must be 20–65,000 chars)
  • Threat detection scans for injection / exfiltration patterns
  • Config limits enforced: max: counts, allowed labels, title prefixes, target repos
  • A generated job with e.g. issues: write β€” and only that β€” performs the create
  • Created items get a hidden <!-- gh-aw-workflow-id --> marker for auditing/search
Default behavior: if no safe-outputs: section is present, create-issue is auto-enabled with conservative defaults (max: 1, labels + title-prefix set to the workflow ID). Declare an explicit section to opt out or expand.

Explore the safe output handlers

Select a handler on the left to see its purpose and a realistic configuration.

Power features worth demoing

⏳ expires

Auto-close issues after 7d, 2w, 1m… gh-aw generates an agentics-maintenance.yml workflow that sweeps at the right frequency.

🧹 close-older-issues

For recurring reports: after creating the new issue, close up to 10 previous ones from the same workflow as "not planned", with a link comment.

πŸͺž deduplicate-by-title

true = exact match, integer = Levenshtein edit distance. Checked at the MCP tool boundary (agent gets instant duplicate_dropped feedback) and again at apply time.

πŸ‘¨β€πŸ‘©β€πŸ‘§ group (sub-issues)

Organize batches as sub-issues under a parent (up to 64 children) β€” perfect for plans broken into tasks.

πŸ“… group-by-day

Frequent schedules post as comments on today's issue instead of creating a new one per run.

🌐 target-repo

Cross-repository operation with allowed-repos allowlists and optional custom github-token.

Pattern: OrchestratorOps

Multi-Agent Orchestration β€” agents calling agents

One workflow (the orchestrator) decides what to do and fans work out to worker workflows, each with its own scoped permissions, tools, and even a different engine or custom agent. Two safe outputs make this possible: dispatch-workflow and call-workflow.

🎯
Trigger
schedule / issue / manual
β†’
🧠
Orchestrator
decide & dispatch
β†’
πŸ”
Worker A: triage
issues: write only
πŸ“¦
Worker B: dep audit
PR-creation only
πŸ“
Worker N: docs
docs-writer agent

Option 1 β€” dispatch-workflow (async fan-out)

The orchestrator dispatches named workflows via GitHub's workflow_dispatch API. Workers run asynchronously as independent workflow runs and can outlive the parent.

# orchestrator.md
---
on:
  schedule: [{ cron: "0 6 * * 1" }]
safe-outputs:
  dispatch-workflow:
    workflows: [repo-triage-worker, dependency-audit-worker]
    max: 5
---

# Weekly Ops Orchestrator

Review open issues and dependency alerts. Split the work into units and
dispatch the right worker for each: use `repo-triage-worker` for unlabeled
issues, `dependency-audit-worker` for outdated dependencies. Pass a
`tracker_id` input so workers can report back to the same Project board.

The compiler validates at compile time that each target workflow exists and supports workflow_dispatch. Workers receive a JSON payload.

Option 2 β€” call-workflow (compile-time fan-out)

Workers are reusable workflows (workflow_call). The compiler generates a typed MCP tool per worker from its declared inputs and emits a conditional uses: job β€” no API call at runtime. The worker runs inside the same workflow run, preserving github.actor and billing attribution.

safe-outputs:
  call-workflow:
    workflows: [spring-boot-bugfix, frontend-dep-upgrade]

Which one should I use?

dispatch-workflowcall-workflow
ExecutionAsync, independent runsSame run, synchronous jobs
Actor / billing attributiongithub-actions botPreserves github.actor
Workers outlive parent?βœ… yes❌ finish before parent concludes
Runtime API overheadOne API call per dispatchZero β€” compile-time wiring
Best forLong-running fan-out, multi-repo rolloutsAttribution-sensitive, must-complete phases

When to reach for OrchestratorOps

  • Work spans multiple repositories or needs different tools/permissions per step
  • Units of work benefit from parallel execution
  • You want intermediate human review between phases
  • Examples: multi-repo rollouts, phased dependency upgrades, initiative-level automation across many issues/PRs
Pass shared context (e.g. a tracker_id string) as an explicit worker input and have workers write it into a Project custom field β€” both orchestrator and workers can then update one board for visibility.
β–Ά Run it live: the demo-lab repo has this exact pattern wired up β€” weekly-ops-orchestrator.md dispatches triage-worker.md and dep-audit-worker.md with a shared tracker_id. Trigger with gh aw run weekly-ops-orchestrator and watch the fan-out in the Actions tab.

Three ways "different agents" show up in gh-aw

1. Different engines

Orchestrator on Copilot, a deep-reasoning worker on Claude, a budget worker on Gemini. One engine: line each.

2. Custom agent personas

Copilot engine + engine.agent pointing at .github/agents/*.agent.md files: triage-bot, security-reviewer, doc-writer…

3. Worker workflows

Full workflows dispatched/called as tools β€” each is an independent agent with its own sandbox, prompts, and safe outputs.

Defense in depth

Security & the AWF Sandbox

AI agents can be manipulated by prompt injection, malicious repository content, or compromised tools. gh-aw assumes this will happen and contains each run with layered controls. AWF β€” the Agent Workflow Firewall β€” is the default sandbox for the coding agent.

The six layers

1️⃣ Read-only token

The agent job's GITHUB_TOKEN carries read permissions only. Writes are structurally impossible from inside the agent.

2️⃣ No secrets in agent

Repository secrets never enter the agent container. Strict mode enforces codemods like steps-run-secrets-to-env.

3️⃣ AWF sandbox + firewall

Containerized execution with domain-based network egress control via the top-level network: allowlist.

4️⃣ Safe outputs gate

Only schema-validated, limit-checked structured requests can become GitHub actions.

5️⃣ Threat detection scan

Agent output is scanned before any write job runs; suspicious content stops the pipeline.

6️⃣ Scoped write job

Each safe output executes in a separate job with exactly one permission (e.g. issues: write).

Network permissions

AWF enforces a network allowlist. You compose it from ecosystem identifiers and custom domains:

network:
  allowed:
    - defaults          # basic infrastructure (GitHub, package proxies…)
    - python            # Python/PyPI ecosystem domains
    - node              # npm ecosystem
    - "api.example.com" # custom domain

Anything not on the list is blocked at egress β€” even if the agent is tricked into trying.

Sandbox configuration

sandbox:
  agent: awf                # default β€” Agent Workflow Firewall
  mcp-gateway:              # route all MCP calls via unified HTTP gateway
    api-key: "${{ secrets.MCP_GATEWAY_API_KEY }}"

# Disabling requires an audited, literal justification β‰₯ 20 chars:
sandbox:
  agent: false
features:
  dangerously-disable-sandbox-agent: "controlled environment with no internet access"
  • AWF makes host binaries visible in the container β€” gh, language runtimes, anything from setup actions or apt-get
  • Host PATH is captured as AWF_HOST_PATH and restored inside, so actions/setup-go/setup-python just work
  • Boolean true justifications and ${{ }} expressions are rejected by the compiler β€” disabling the sandbox is deliberately noisy

Trigger-level guardrails

FieldWhat it protects
roles:Restrict which repo roles can trigger (default: [admin, maintainer, write])
skip-bots: / bots:Ignore or explicitly allow bot actors β€” stops agent-triggers-agent loops
manual-approval:Require environment protection rule approval before the agent runs
stop-after:Auto-disable triggers after a deadline (great for trials)
forks:Fork filtering for pull_request triggers
max-ai-credits / max-daily-ai-creditsHard per-run budget (default 1000) and 24-hour aggregate cap
Demo tip: run gh aw compile --strict --zizmor to show the security scanner failing the build on findings β€” a great "guardrails are real" moment.
Capabilities

Tools & MCP β€” what the agent is allowed to touch

The tools: frontmatter declares which GitHub API operations, shell commands, browser automation, and MCP servers the agent may use. Everything is allowlist-based.

Built-in tools

tools:
  github:
    toolsets: [default]        # GitHub API operations (read scopes)
  edit:                        # file editing in the workspace
  bash: ["gh label list", "git status", "grep:*"]
  web-fetch:                   # fetch web content
  web-search:                  # engine-dependent
  playwright:
    version: "1.56.1"          # browser automation
  cache-memory:                # persistent memory across runs
  timeout: 300                 # seconds per tool call
ToolNotes
bashDefaults to safe commands (echo, ls, cat, grep, head…). Wildcards: git:* for a family, :* for everything (careful!), [] to disable.
githubToolset-based GitHub API access; read permissions declared under permissions:.
playwrightFull browser automation for UI checks, screenshots, accessibility audits.
cache-memory / repo-memoryPersistent memory across runs β€” trends, historical data, repo context.
qmdLocal vector search index over docs, exposed as an MCP search tool.
agentic-workflowsgh-aw introspection: workflow logs and audit analysis as MCP tools (needs actions: read).

Custom MCP servers

mcp-servers:
  slack:
    command: npx
    args: ["-y", "@slack/mcp-server"]
    env:
      SLACK_BOT_TOKEN: "${{ secrets.SLACK_BOT_TOKEN }}"
    allowed: ["send_message", "get_channel_history"]  # gateway-enforced
  • Server types: command+args (process), container (Docker image), url+headers (HTTP)
  • Always set allowed: β€” the MCP gateway filter is a real enforcement boundary, not a hint
  • tools.cli-proxy: true mounts MCP servers as CLI commands on PATH (e.g. safeoutputs add_comment --item_number 42 --body "...") β€” saves tokens on big schemas

Composition: imports & skills

imports:
  - shared/tools.md            # reuse tools/steps/prompts across workflows

skills:                        # install Copilot skills (SHA-pinned!) pre-run
  - mattpocock/skills/tdd@801dca688564c529fa84f247f64472520d9ebe28

Imports merge tools, MCP servers, steps and prompt fragments from other files. Skills entries must be pinned to a 40-char commit SHA β€” supply-chain hygiene by design.

Setup

Authentication β€” org billing, PATs, Apps & WIF

Two distinct auth concerns in gh-aw: engine inference (paying for the AI) and GitHub operations (tokens for tools and safe outputs). Most workflows need just one engine credential β€” and with Copilot, the newest option needs no secret at all.

Copilot inference: two ways

✨ Org billing via copilot-requests: write recommended · new

Grant one permission in frontmatter and gh-aw uses the built-in GitHub Actions token (${{ github.token }}) for Copilot inference. No PAT, no secret.

permissions:
  contents: read
  copilot-requests: write   # ← that's it
  • No PAT lifecycle β€” tokens minted per-run, auto-revoked
  • Billing flows through the org's Copilot plan, not an individual's quota
  • Works in forks and org workflows without sharing a personal token
  • When set, any COPILOT_GITHUB_TOKEN is ignored for inference
  • Requires an org Copilot subscription with centralized billing β€” a 403 here means it isn't available; fall back to the PAT

πŸ”‘ Personal Access Token: COPILOT_GITHUB_TOKEN

For personal repos or when org billing isn't available. A fine-grained PAT billed against your own Copilot quota.

# 1. Create fine-grained PAT (resource owner = YOUR user account)
#    Permissions β†’ Account β†’ Copilot Requests: Read
# 2. Store it:
gh aw secrets set COPILOT_GITHUB_TOKEN --value "<your-pat>"
  • Must be a fine-grained PAT β€” GitHub Apps / OAuth tokens are not supported for this secret
  • Resource owner must be your user account, not an org
  • Token owner needs an active Copilot license
  • 403 "Resource not accessible" β†’ missing Copilot Requests permission

All engine credentials

EnginePrimaryAlternatives / notes
Copilotpermissions: copilot-requests: write (no secret)COPILOT_GITHUB_TOKEN fine-grained PAT; custom endpoints via GITHUB_COPILOT_BASE_URL; BYOK via COPILOT_PROVIDER_BASE_URL
ClaudeANTHROPIC_API_KEYWorkload Identity Federation (WIF) β€” keyless via GitHub OIDC (below). CLAUDE_CODE_OAUTH_TOKEN is not supported. Custom endpoint: ANTHROPIC_BASE_URL
CodexOPENAI_API_KEYCODEX_API_KEY takes precedence if both set; Azure OpenAI / routers via OPENAI_BASE_URL in engine.env (+ host in network.allowed)
GeminiGEMINI_API_KEYKey from Google AI Studio; no alternative
# Fastest path: analyze workflows, detect engines, prompt for missing secrets
gh aw secrets bootstrap

# Or set individual secrets
gh aw secrets set ANTHROPIC_API_KEY --value "sk-ant-..."
gh aw secrets list

Beyond inference: GitHub operations

Tools and safe outputs use the workflow's GITHUB_TOKEN by default. You need additional auth for: reading multiple repos, reading Projects, GitHub tools remote mode, cross-repo safe outputs, or outputs that must trigger CI on created PRs.

πŸͺ„ GH_AW_GITHUB_TOKEN

Optional "magic" fallback secret for GitHub operations outside inference. Fallback chain:

custom github-token
  β†’ secrets.GH_AW_GITHUB_TOKEN
    β†’ secrets.GITHUB_TOKEN

Scope it to the minimum repos + permissions (e.g. Issues: write only). Does not replace COPILOT_GITHUB_TOKEN.

🀝 GitHub App short-lived tokens

One App can cover all non-inference GitHub auth. Tokens are minted per-run:

github-app:
  client-id: ${{ vars.APP_ID }}
  private-key: ${{ secrets.APP_PRIVATE_KEY }}
  owner: "my-org"
  repositories: [repo1, repo2]

Preferred over long-lived PATs for org setups.

πŸ›‚ Anthropic WIF keyless

Claude without a stored API key β€” short-lived GitHub OIDC tokens exchanged via a federation rule:

permissions:
  id-token: write
engine:
  id: claude
  auth:
    federation-rule-id: fdrl_xxx
    organization-id: org_xxx
    service-account-id: svac_xxx
    workspace-id: ws_xxx

Configure the rule in the Anthropic Console. Available since v0.79.6.

Troubleshooting quick hits

SymptomLikely cause & fix
403 with copilot-requests: writeOrg lacks Copilot centralized billing β†’ confirm subscription, or fall back to COPILOT_GITHUB_TOKEN
403 Resource not accessible by PATPAT missing Copilot Requests: Read or owned by an org instead of your user account
Copilot fails at inference despite valid tokenPAT owner has no active Copilot license
401/403 (Claude)Key missing/expired β€” or you set CLAUDE_CODE_OAUTH_TOKEN, which is ignored; use ANTHROPIC_API_KEY
401/403 (Codex) with custom endpointCheck OPENAI_BASE_URL is reachable and its host is listed in network.allowed
Security posture: engine secrets are consumed by the harness/proxy β€” they are never mounted into the agent container. Strict mode plus the engine-env-secrets-to-engine-config codemod keeps it that way.
Hands-on

CLI Reference β€” the gh aw lifecycle

Commands organized by lifecycle: create β†’ build β†’ test β†’ monitor β†’ manage. Filter by phase below.

Demo flow suggestion: gh extension install github/gh-aw β†’ gh aw new my-triage β†’ edit markdown β†’ gh aw compile --strict β†’ show the generated .lock.yml β†’ gh aw run my-triage β†’ gh aw logs β†’ gh aw audit.
Interactive

Workflow Builder β€” compose your own

Pick options on the left; the generated agentic workflow markdown updates live on the right. Copy it into .github/workflows/my-workflow.md and run gh aw compile.

Then: gh aw compile β†’ commit both the .md and generated .lock.yml β†’ gh aw run.

Interactive

Run Simulator β€” watch a run travel the guardrails

A simulated end-to-end run of an issue-triage agentic workflow. Press play and narrate each stage during your demo β€” including the moment the safe-outputs gate blocks an over-limit request.

Run log

β€” idle β€” press β–Ά Run workflow β€”
Gallery

Examples Gallery β€” real-world patterns

Complete, copy-ready workflows for common scenarios. Many of these mirror the public githubnext/agentics sample collection (installable via gh aw add githubnext/agentics/<name>).

Get started

Quick Start β€” first run in ~10 minutes

Install a pre-baked workflow (the Daily Repo Status Report) into a repo you maintain and watch it file its first issue.

Prerequisites

  • AI account β€” GitHub Copilot (easiest, no extra account), Anthropic, OpenAI, or Google Gemini
  • A GitHub repository with write access and Actions enabled
  • GitHub CLI v2.0.0+, logged in: gh auth login --scopes repo,workflow
  • Linux, macOS, or Windows with WSL

Steps

# 1. Install the extension
gh extension install github/gh-aw

# 2. Add a sample workflow with the interactive wizard
gh aw add-wizard githubnext/agentics/daily-repo-status
#    β€” checks prerequisites, lets you pick an engine,
#      sets up the secret, adds .md + .lock.yml, offers a first run

# 3. Watch it
gh aw status
gh run watch

# 4. Customize: edit .github/workflows/daily-repo-status.md, then
gh aw compile
gh aw run daily-repo-status

Engine secret cheat-sheet

EngineSecretWhere to get it
CopilotCOPILOT_GITHUB_TOKENFine-grained PAT with Copilot Requests: Read β€” or use org billing via permissions.copilot-requests: write (no PAT)
ClaudeANTHROPIC_API_KEYconsole.anthropic.com β†’ Settings β†’ Keys
CodexOPENAI_API_KEY (or CODEX_API_KEY)platform.openai.com β†’ API keys
GeminiGEMINI_API_KEYaistudio.google.com β†’ API keys

Set with: gh secret set COPILOT_GITHUB_TOKEN < token.txt or gh aw secrets bootstrap (analyzes workflows and prompts for what's missing).

Where to go next

πŸ“– Official docs

github.github.com/gh-aw β€” reference, guides, patterns, FAQ.

🏭 Agent Factory blog

A 19-part tour of real-world agentic workflows by the gh-aw maintainers β€” triage, releases, quality checks, and more.

πŸ§ͺ The Agentics

githubnext/agentics β€” installable sample workflows: ci-doctor, daily-repo-status, and friends.