Skip to content
/
Tier B A11 Governance

GitHub Agentic Workflows

gh-aw-githubnext · githubnext/gh-aw · ★ 4.5k · last commit 2026-05-26

Write agentic workflows in natural language markdown, compile to GitHub Actions, run with production-grade security guarantees — read-only permissions by default, all writes through sanitized safe-outputs.

Best whenRepository automation should be written in natural language (not imperative YAML) while all write operations execute in a separate secured job so the main ag…
Skip ifWrite permissions on main job (use safe-outputs instead), Unsanitized event content in agent instructions (use sanitized context)
vs seeds
kiro(Archetype 5, proprietary format with compilation step) but runs in GitHub Actions CI rather than a local IDE, is multi-…
Primitive shape
No installable primitives
00

Summary

gh-aw-githubnext — GitHub Agentic Workflows (githubnext/gh-aw)

GitHub Agentic Workflows (gh-aw) is GitHub Next's official tool for writing agentic workflows in natural language markdown and running them inside GitHub Actions. Each workflow is a .md file with YAML frontmatter (configuration) and a markdown body (agent instructions in natural language), compiled by gh aw compile into GitHub Actions-compatible YAML. The framework supports four AI engines (GitHub Copilot, Claude, Codex, Gemini) and provides a comprehensive security model: read-only permissions by default, all write operations gated through sanitized safe-outputs that execute in a separate secured job, sandboxed execution, input sanitization against prompt injection, network isolation, SHA-pinned dependencies, and human approval gates. Workflows can define inline sub-agents, use persistent memory across runs, orchestrate complex fan-out/fan-in patterns, and schedule on cron expressions. The CLI (gh aw) is a GitHub CLI extension with subcommands for create, compile, run, audit, and debug.

Compared to the seeds, gh-aw is unlike any seed archetype. The closest parallel is kiro (Archetype 5 — closed IDE with proprietary primitives) in that it defines a proprietary workflow format with its own compilation step and lifecycle events. The key deltas: gh-aw runs inside GitHub Actions (CI infrastructure, not a local IDE), supports multiple AI engines, ships a dedicated CLI, and treats security as a first-class constraint at every layer.

01

Overview

Overview — GitHub Agentic Workflows (githubnext/gh-aw)

Origin

GitHub Agentic Workflows is a product from GitHub Next — GitHub's research and experimentation arm. The tagline is "Actions + Agent + Safety." The product builds on GitHub Actions infrastructure and extends it with AI agent execution, multi-engine support, and a safety/security model designed for production repository automation.

Philosophy

The core thesis: write agentic workflows in natural language, compile them to GitHub Actions workflows, and run them with strict safety guarantees baked in at the infrastructure level.

From README:

"Guardrails, safety and security are foundational to GitHub Agentic Workflows. Workflows run with read-only permissions by default, with write operations only allowed through sanitized safe-outputs. The system implements multiple layers of protection including sandboxed execution, input sanitization, network isolation, supply chain security (SHA-pinned dependencies), tool allow-listing, and compile-time validation."

From the workflow reference doc:

"No write permissions on main job: Never use issues: write, pull-requests: write, or contents: write. Use safe-outputs: instead — it handles write operations in a separate secured job."

"strict: true required: All production workflows must set strict: true."

Agent-Native Documentation

The README begins with a hidden HTML comment addressed to AI agents:

<!--
Hello fellow agent! Welcome to GitHub Agentic Workflows = Actions + Agent + Safety. 
Here are some pointers to get you started in using this tool.

- Create a new workflow: https://raw.githubusercontent.com/github/gh-aw/main/create.md
- Install: https://raw.githubusercontent.com/github/gh-aw/main/install.md
...
-->

This agent-first documentation design is unique in the corpus.

Supported AI Engines

GitHub Copilot (default), Claude (Anthropic), Codex (OpenAI), Gemini (Google), opencode — users pick whichever AI account they already have.

02

Architecture

Architecture — GitHub Agentic Workflows (githubnext/gh-aw)

Distribution

  • Type: GitHub CLI extension (gh extension)
  • Install: gh extension install github/gh-aw (or see install.md)
  • Runtime: GitHub Actions + chosen AI engine (Copilot/Claude/Codex/Gemini)

Workflow File Format

Agentic workflows are stored as .md files in .github/workflows/:

.github/workflows/
├── my-workflow.md          # Workflow definition (markdown + YAML frontmatter)
├── my-workflow.yml         # Compiled GitHub Actions YAML (generated by gh aw compile)
└── agentics-maintenance.yml  # Auto-generated maintenance workflow

Two-Part File Structure

Every workflow file has:

  1. YAML frontmatter (between ---): Configuration requiring recompilation when changed
  2. Markdown body (after frontmatter): Agent instructions in natural language, editable without recompiling

Reference Documentation (.github/aw/)

File Content
github-agentic-workflows.md Main reference — format, compilation, common patterns
syntax.md Complete frontmatter schema
safe-outputs.md All write operation types and options
triggers.md Trigger patterns
context.md Context expressions + {{#if}} templates
memory.md Persistence strategies (cache-memory, repo-memory)
subagents.md Inline sub-agent definition guide
network.md Network configuration
experiments.md A/B testing
campaign.md KPI workflows
skills.md Skill system
token-optimization.md Token efficiency guide

CLI Binary: gh aw

Go binary (via cmd/gh-aw/) serving as a GitHub CLI extension. Full subcommand surface in 03-components.md.

Required Runtime

  • GitHub Actions (workflows run in GitHub's CI infrastructure)
  • gh CLI (for local development and compilation)
  • One of: GitHub Copilot, Claude, Codex, or Gemini API account

Compilation Step

gh aw compile transforms .md workflow files into GitHub Actions .yml files:

  • Frontmatter → GitHub Actions YAML fields
  • Markdown body → agent instruction prompt (injected into AI engine call)
  • Inline sub-agents extracted to engine-specific directories
  • Schema validation at compile time
03

Components

Components — GitHub Agentic Workflows (githubnext/gh-aw)

CLI Subcommands (gh aw)

From cmd/gh-aw/main.go help text:

Subcommand Purpose
gh aw init Set up a new repository for agentic workflows
gh aw new [workflow] Create a new workflow file with template configuration
gh aw add-wizard Add workflows via interactive guided setup
gh aw compile [workflow] Compile workflow .md files to GitHub Actions .yml
gh aw compile --purge Remove orphaned .lock.yml files
gh aw run [workflow] Execute a workflow
gh aw logs [workflow] View workflow execution logs
gh aw audit <run-id-or-url> Debug a failed run

Workflow Trigger Types

From syntax.md:

  • Standard GitHub Actions events: push, issues, pull_request, etc.
  • slash_command: — /mention triggers in issues/PRs
  • label_command: — label-based triggers
  • schedule: — cron-based scheduling with natural language aliases

Safe Output Types (write operations)

From safe-outputs.md:

  • create-issue: — create GitHub issues (with title-prefix, labels, max, expires, group-by-day)
  • add-comment: — add comments to issues/PRs
  • add-labels: — add/remove labels
  • create-pull-request: — create PRs
  • create-pull-request-review-comment: — add review comments (max: 10)
  • create-discussion: — create GitHub discussions
  • upload-artifact: — upload workflow artifacts
  • update-issue: — update existing issues

Memory Types

From memory.md:

  • cache-memory — ephemeral run state, deduplication, round-robin processing; default for most cases
  • repo-memory — long-lived knowledge base visible in PRs/code reviews; markdown files committed to repo
  • repo-memory with wiki: true — human-readable wiki pages
  • comment-memory — state persisted inline on triggering issue/PR

Sub-Agent Definition

From subagents.md:

## agent: `name`
---
description: ...
model: small | large | inherited
---
Agent instructions in natural language.

Sub-agents extracted at compile time to engine-specific directories:

  • Copilot: .agents/agents/*.agent.md
  • Claude: .claude/agents/*.md
  • Codex: .codex/agents/*.md

Toolbelts / Presets

From skills.md and README:

  • github (mode: gh-proxy or local, toolsets: default, pull_requests, etc.)
  • bash (allowlist: [cat, grep, jq] or ["*"])
  • edit (file editing)
  • web-fetch (URL fetching)
  • MCP servers (external)

Agentics Maintenance Workflow

agentics-maintenance.yml — auto-generated workflow that:

  • Enables/disables all agentic workflows (workflow_dispatch)
  • Upgrades gh-aw version and dependencies (opens a PR)
  • Replays safe outputs from previous runs
  • Creates labels referenced in safe-outputs
05

Prompts

Prompts — GitHub Agentic Workflows (githubnext/gh-aw)

Excerpt 1: Core Workflow Format Reference

Source: .github/aw/github-agentic-workflows.md Technique: Frontmatter-as-configuration, markdown body as agent instruction; separation of compile-time config from runtime instructions

---
name: My Workflow
description: Short description of what this workflow does
on:
  issues:
    types: [opened]
permissions:
  contents: read
  actions: read
engine: copilot          # or: claude, codex, gemini, opencode
strict: true
timeout-minutes: 15
network:
  allowed: [defaults, github]
tools:
  github:
    mode: gh-proxy        # preferred: pre-authenticated gh CLI, no MCP server startup
    toolsets: [default]
  bash: [cat, grep, jq]   # narrow list for workflows reading untrusted user input
  edit:
safe-outputs:
  create-issue:
    title-prefix: "[ai] "
    labels: [automation]
  add-comment:
  upload-artifact:
    skip-archive: true
---

# Workflow Title

Natural language instructions for the AI agent.

Reference sanitized event content: ${{ steps.sanitized.outputs.text }}
Access issue number: ${{ github.event.issue.number }}

Excerpt 2: Agent Dispatch (Orchestrator) Pattern

Source: .github/aw/github-agentic-workflows.md Technique: Hierarchical multi-agent dispatch — parent workflow triggers child workflows as parallel agents

---
on:
  issues:
    types: [opened]
permissions:
  contents: read
  actions: read
safe-outputs:
  add-comment:
  dispatch-workflow:
    allowed: [agent-a, agent-b]
timeout-minutes: 10
---

Analyze issue and dispatch to appropriate specialized agent:
- For bug reports: dispatch agent-a with issue context
- For feature requests: dispatch agent-b with feature spec

Excerpt 3: Memory Strategy Guide

Source: .github/aw/memory.md Technique: Decision table for persistent state strategy selection

## Quick Decision Guide

| Need | Use |
|---|---|
| Skip already-processed items (deduplication) | `cache-memory` ✅ first choice |
| Round-robin processing across runs | `cache-memory` ✅ first choice |
| Long-lived knowledge base visible in PRs | `repo-memory` |
| Baselines that must survive cache expiry | `repo-memory` |
| Human-readable wiki pages | `repo-memory` with `wiki: true` |

**Default to `cache-memory` unless you have a specific reason to use `repo-memory`.**

Excerpt 4: Inline Sub-Agent Definition

Source: .github/aw/subagents.md Technique: Inline multi-agent definition within workflow markdown, extracted at compile time

## agent: `file-summarizer`
---
description: Summarizes the content of a file in a few concise sentences
model: small
---
You are a file summarization assistant. When given a file path, read the
file and return a brief summary (2–4 sentences) describing its purpose
and key contents. Be concise and factual.

Prefer model aliases over model IDs:

  • small: cheap, fast tasks (extraction, classification, formatting)
  • large: complex reasoning or synthesis
  • inherited: use parent workflow model
09

Uniqueness

Uniqueness — GitHub Agentic Workflows (githubnext/gh-aw)

Differs From Seeds

gh-aw is unlike any seed archetype. The structural parallel closest is kiro (Archetype 5 — proprietary IDE with its own workflow format and compilation step) in that both define a proprietary specification format that compiles into runtime artifacts and both have their own lifecycle events. The key deltas from kiro: (1) CI infrastructure rather than local IDE — workflows run in GitHub Actions, not on the developer's machine; (2) security-first design — every write operation is gated through a separate secured safe-outputs job, input is always sanitized against prompt injection, network is isolated; (3) multi-engine — Copilot/Claude/Codex/Gemini behind a portable interface; (4) compiled format.md files compile to .yml, with a distinct separation between configuration (frontmatter, requires recompile) and instructions (markdown body, editable live). Unlike all seeds, gh-aw is a GitHub product, not a third-party add-on.

Positioning

gh-aw is the repository automation tool in this corpus — it turns GitHub issues, PRs, and scheduled triggers into AI-agent-driven automation with production-grade security guarantees. It is not a coding workflow assistant (like superpowers or agent-os) nor a project management overlay (like Personal OS). It is CI/CD automation with AI reasoning instead of imperative scripts.

Agent-Native First

The hidden HTML comment at the top of README.md addressed to AI agents ("Hello fellow agent!") and the llms.txt / llms-full.txt documentation corpus are the most explicitly agent-native design choices in this corpus.

Observable Failure Modes

  1. GitHub lock-in: Deeply tied to GitHub Actions infrastructure — no equivalent on GitLab, Gitea, or local CI
  2. Compilation friction: Frontmatter changes require gh aw compile re-run; easy to forget → stale compiled YAML
  3. Billing exposure: README notes "Releases 0.68.4 through 0.71.3 are being retired due to a bug that impacts billing" — token costs in CI can be unpredictable
  4. Model alias drift: small/large aliases resolve to different models per engine; same workflow produces different quality results across engines
  5. Safe-outputs limited scope: Write operations outside the safe-outputs list require architecture rethink rather than simple frontmatter addition
04

Workflow

Workflow — GitHub Agentic Workflows (githubnext/gh-aw)

Development Workflow

  1. gh aw init — initialize repo
  2. gh aw new <name> (or gh aw add-wizard) — create workflow .md file
  3. Edit frontmatter and markdown body
  4. gh aw compile — compile to GitHub Actions YAML
  5. Push to GitHub — workflow triggers on configured events
  6. gh aw logs / gh aw audit — monitor and debug

Runtime Workflow (per trigger)

  1. GitHub event fires (push, issue opened, slash command, schedule, etc.)
  2. agentics-maintenance.yml checks if workflows are enabled
  3. Main job runs with read-only permissions
  4. Agent reads sanitized event content (${{ steps.sanitized.outputs.text }})
  5. Agent processes using allowed tools (gh-proxy, bash allowlist, web-fetch)
  6. Agent emits structured outputs via XML markers
  7. safe-outputs job reads XML markers, executes write operations with write permissions

Phase-to-Artifact Map

Phase Artifact
Compile .github/workflows/*.yml (generated)
Issue triage Labels added, comment added (via safe-outputs)
PR review Review comments (via safe-outputs, max: 10)
Scheduled report Discussion post or issue (via safe-outputs)
Agent dispatch Spawned sub-workflows

Approval Gates

  1. Manual approval gate: manual-approval: frontmatter field — triggers GitHub environment protection rules requiring human approval
  2. Team-gated access: Workflows can be restricted to team members only
  3. skip-roles: Skip execution for users with specific roles (read-only users)
  4. skip-if-match: Skip workflow when a GitHub search query returns results (deduplication)
  5. Confidence gate: Not built-in, but can be implemented in agent instructions

Security Model (Key Constraints)

  • Main job: read-only permissions only
  • Write operations: ONLY via safe-outputs in separate secured job
  • Input: ONLY via ${{ steps.sanitized.outputs.text }} (injection-safe)
  • Bash: narrow allowlist for untrusted input workflows ([cat, grep, jq])
  • Timeout: always required (timeout-minutes:)
  • strict: true: mandatory for production workflows
  • Network: configurable isolation (default, github, custom allowlist)
  • Supply chain: SHA-pinned dependencies

Common Pattern: Issue Triage

---
on:
  issues:
    types: [opened, reopened]
permissions:
  contents: read
  actions: read
safe-outputs:
  add-labels:
    allowed: [bug, enhancement, question, documentation]
  add-comment:
timeout-minutes: 5
---

Analyze issue #${{ github.event.issue.number }} in ${{ github.repository }}.
Content: "${{ steps.sanitized.outputs.text }}"
Categorize the issue and add appropriate labels.
06

Memory Context

Memory & Context — GitHub Agentic Workflows (githubnext/gh-aw)

Memory Architecture

Three distinct memory strategies for different persistence needs:

1. cache-memory (ephemeral, default)

  • Purpose: Deduplication, round-robin processing, run state, intermediate results
  • Backend: GitHub Actions cache
  • Expiry: Subject to GitHub Actions cache retention (7 days default)
  • Use cases: Skip already-processed items, track watermarks, store run state

2. repo-memory (persistent)

  • Purpose: Long-lived knowledge base, baselines that survive cache expiry
  • Backend: Markdown files committed to the repository
  • Visibility: Visible in PRs and code reviews
  • wiki mode: Human-readable GitHub wiki pages

3. comment-memory

  • Purpose: State persisted inline on the triggering issue or PR
  • Backend: GitHub issue/PR comments
  • Use cases: Track processing state on a specific issue across multiple agent runs

Built-in Context via GitHub Graph

Before writing new persistent files, workflows can use:

  • Git history (git log per file) — track changed files since last run
  • Issue/PR history — avoid reopening known incidents
  • PR merge history — incremental processing watermarks
  • GitHub graph links — cached relationship maps by stable node IDs

Best practice: prefer watermarks (last-seen timestamp, commit SHA, PR number) over full snapshots.

Context in Agent Instructions

Workflow bodies use template expressions:

  • ${{ steps.sanitized.outputs.text }} — injection-safe event content
  • ${{ github.event.issue.number }} — GitHub event context
  • ${{ github.repository }} — repository context
  • {{#if condition}}...{{/if}} — conditional content blocks

Cross-Run Deduplication

From memory.md:

skip-if-match:
  query: "is:issue is:open label:in-progress"
  max: 3      # Skip if 3 or more matches

Prevents duplicate issue creation on repeated runs of scheduled workflows.

Token Optimization

From token-optimization.md:

  • Prefer gh-proxy mode (no MCP server startup overhead)
  • Narrow bash allowlists reduce tool surface area and prompt size
  • Inline sub-agents with model: small for cheap extraction tasks
  • Phase summaries compact cross-run context
07

Orchestration

Orchestration — GitHub Agentic Workflows (githubnext/gh-aw)

Multi-Agent Support

Yes — inline sub-agents and workflow dispatch patterns:

  • Inline sub-agents: Defined directly in workflow markdown, extracted at compile time to engine-specific directories
  • Agent dispatch: Parent workflow can dispatch to specialized child workflows
  • Parallel fan-out: Multiple sub-agents can run concurrently for different classification branches

Orchestration Pattern

Hierarchical (parent + specialized sub-agents) + parallel-fan-out (multi-agent dispatch).

Example from docs: issue triage workflow dispatches to agent-a (bugs) or agent-b (features) based on content analysis.

Isolation Mechanism

Sandbox execution via GitHub Actions infrastructure:

  • Each workflow run is isolated in a GitHub Actions runner
  • Sandboxed execution for tools
  • Network isolation (configurable per workflow)
  • No cross-run file system state (except via cache/repo-memory)

Multi-Model Support

Yes — model alias system per sub-agent:

  • small: maps to cheapest/fastest available model per engine (haiku, gpt-5-mini, gemini-flash)
  • large: maps to most capable available model (sonnet, gpt-5-pro, gemini-pro)
  • inherited: inherits parent workflow model
  • Per-engine model resolution ensures portability across Copilot/Claude/Codex/Gemini

Execution Mode

Event-driven + scheduled. Triggers:

  • GitHub events (issues, PRs, push, etc.)
  • Slash commands (/review in PR comments)
  • Cron schedules (natural language: "daily on weekdays")
  • Manual dispatch (workflow_dispatch)

Crash Recovery

Partial — failed runs can be debugged via gh aw audit; safe outputs can be replayed via agentics-maintenance.yml workflow_dispatchsafe_outputs. Full re-run capability via GitHub Actions retry.

Consensus Mechanism

None.

Prompt Chaining

Yes — parent workflow output (via safe-outputs → dispatched workflow context) becomes input for child workflow. Issue context propagates from triage to specialized agent.

Cross-Tool Portability

High — engine-agnostic by design. Same .md workflow file compiles for Copilot, Claude, Codex, or Gemini by changing the engine: frontmatter field or the --engine CLI flag.

08

Ui Cli Surface

UI & CLI Surface — GitHub Agentic Workflows (githubnext/gh-aw)

Dedicated CLI Binary

Yesgh aw (GitHub CLI extension, Go binary).

Subcommand Purpose
gh aw init Initialize repository
gh aw new <name> Create workflow template
gh aw add-wizard Interactive workflow creation wizard
gh aw compile Compile .md → GitHub Actions .yml
gh aw compile --purge Remove orphaned lock files
gh aw run <workflow> Execute workflow
gh aw logs <workflow> View execution logs
gh aw audit <run-id-or-url> Debug failed run

The CLI is its own binary (not a thin wrapper) — it implements the compiler, parser, and schema validator.

GitHub Actions as Runtime UI

GitHub's native Actions UI provides:

  • Workflow run history and status
  • Step-by-step execution logs
  • Artifact downloads
  • Manual approval gates via Environment protection rules

Local Web Dashboard

No local web dashboard — GitHub.com is the UI surface.

IDE Integration

VS Code extension referenced in .vscode/ directory; no dedicated plugin but VS Code settings configure the development environment.

Agent-Native Documentation

The framework ships agent-readable documentation in .github/aw/:

  • llms.txt / llms-full.txt — comprehensive corpus for agents (per README.md)
  • Each .md file in .github/aw/ starts with --- frontmatter specifying applyTo: patterns so IDE agents auto-apply relevant docs

Observability

  • gh aw logs — execution logs per workflow run
  • gh aw audit <run-id> — detailed debugging for failed runs
  • GitHub Actions native observability (timing, step status, artifact sizes)
  • DEADCODE.md — dead code tracking (unusual framework-level observability artifact)

Related frameworks

same archetype · same primary tool · same memory type

OpenHarness ★ 13k
A11 Governance

Open-source Python agent runtime providing complete harness infrastructure: tools, memory, governance, swarm coordination, and…

Trae Agent ★ 12k
A11 Governance

Research-friendly open-source CLI coding agent by ByteDance, designed for academic ablation studies and modular LLM provider…

Sweep AI ★ 7.7k
A11 Governance

Autonomous GitHub bot that converts issues to pull requests using a sequential multi-agent pipeline.

Agent Governance Toolkit (microsoft) ★ 2.3k
A11 Governance

Enterprise-grade AI agent governance: YAML policy enforcement, 12-vector prompt injection defense, zero-trust identity,…

TDD Guard ★ 2.1k
A11 Governance

Mechanically enforces the Red-Green-Refactor TDD cycle by blocking file writes that violate TDD principles via a PreToolUse hook…

Agentic Coding Flywheel Setup (ACFS) ★ 1.5k
A11 Governance

Take a complete beginner from laptop to three AI coding agents running on a VPS in 30 minutes via an idempotent manifest-driven…