github-agentic-workflows
Authors, reviews, installs, and debugs GitHub Agentic Workflows in repositories, including workflow markdown, frontmatter, gh aw compile and run flows, safe outputs, security guardrails, and operational patterns. Use when creating or maintaining GH-AW automation. Don't use for standard deterministic GitHub Actions YAML, generic CI pipelines, or non-GitHub automation systems.
Source: webmaxru/ai-native-dev
NPX install: `npx skill4agent add webmaxru/ai-native-dev github-agentic-workflows`
GitHub Agentic Workflows
Procedures
Step 1: Identify the repository state
- Inspect the workspace for `.github/workflows/`, `.github/agents/`, existing `.lock.yml` files, and any `gh aw` usage.
- Execute `node skills/github-agentic-workflows/scripts/find-gh-aw-targets.mjs .` when a Node runtime is available.
- Run `gh aw version` before making compiler-sensitive decisions so the workflow authoring path matches the installed CLI behavior.
- If the repository contains multiple candidate workflows, prefer the workflow the user named or the one closest to the active issue, pull request, or automation surface.
- If the repository has no GH-AW setup and the task is to create or maintain agentic workflows, read `references/authoring.md` before editing.
- If the task is limited to standard deterministic GitHub Actions YAML without agentic markdown workflows, stop and explain that this skill does not apply.
Step 2: Choose the working mode
- Classify the task as one of: repository setup, new workflow authoring, workflow revision, workflow installation from another repository, security review, or failure debugging.
- Read `references/examples.md` when the task needs a starting pattern for scheduled reports, issue or PR triage, orchestration, or agent handoff.
- Read `references/security-and-operations.md` when the workflow needs safe outputs, network policy, authentication, lockdown, threat detection, or run observability.
- Read `references/troubleshooting.md` when the workflow fails to compile, install, authenticate, execute safe outputs, or access tools.
Step 3: Author or revise the workflow source
- Keep the workflow source of truth in `.github/workflows/<workflow-name>.md`.
- Use `assets/workflow.template.md` as the base shape when creating a new workflow.
- Choose the smallest viable trigger surface and repository role scope that satisfies the task.
- Keep `permissions:` read-only unless the workflow truly needs broader GitHub Actions permissions outside the agentic section.
- Prefer `safe-outputs:` for comments, issues, labels, PRs, agent assignment, and orchestration instead of granting direct write access to the agent.
- In safe-output workflows, instruct the agent to call `noop` when no action is required.
- Keep `tools:` and `toolsets:` minimal and specific to the task.
- Default to `engine: copilot` unless the task explicitly requires another engine and the repository is already prepared for that engine's authentication model.
- Configure `network:` with least privilege. Prefer ecosystem identifiers such as `github`, `node`, or `python` over individual registry domains when the compiler supports them.
- If strict mode and the installed CLI reject custom domains that the workflow still needs, prefetch external sources in deterministic setup steps and pass local files into the agent instead of broadly relaxing the firewall.
- Do not rely on `${{ steps.<id>.outputs.* }}` placeholders reaching the agent-visible markdown body in real runs. If prompt instructions depend on runtime values, write them into a deterministic local file during setup and tell the agent to read that file.
- Use imported or reusable workflows only when the repository genuinely benefits from shared logic or orchestration.
- For recurring work across a dynamic set of inputs, prefer a reusable GH-AW worker plus a deterministic YAML wrapper for discovery and matrix fan-out.
- When a reusable GH-AW worker is called from a matrix, do not leave it on the default shared workflow-level concurrency group. Set an explicit concurrency group keyed by the matrix input or prompt identity so parallel legs are not cancelled by GitHub's one-running-one-pending concurrency behavior.
- Recompile the workflow after frontmatter, imports, or other compile-time configuration changes.
- If only the markdown body changed and the workflow is edited directly on GitHub.com, do not recompile solely for body text changes.
- Treat `.github/aw/` as transient GH-AW runtime and compiler scratch space during local compile, validate, or trial flows unless the workflow intentionally uses checked-in files from that path.
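A pre-flight check for the guardrails in this step, added here as an example; it is not part of gh-aw or of this skill's scripts. It scans a workflow's frontmatter with a small indentation-based reader (not a YAML parser) and flags write permissions, a prompt that asks for writes without `safe-outputs:`, raw domains under `network.allowed`, `${{ steps.<id>.outputs.* }}` placeholders in the body, and a `workflow_call` worker with no concurrency group keyed on one of its inputs. The two embedded workflows are constructed samples; the frontmatter shapes beyond the keys named above (`workflow_call` inputs, `create-issue` with `max`, the `concurrency.group` expression) are assumptions about the schema, so confirm them with `gh aw validate --strict` on the installed version.

```python
"""Pre-flight lint for a GH-AW workflow .md source (added example, not gh-aw's own code).
Checks: read-only permissions, writes via safe-outputs:, ecosystem identifiers in network.allowed,
no ${{ steps.*.outputs.* }} in the body, and an input-keyed concurrency group for workflow_call
workers. The frontmatter reader is an indentation scanner, not a YAML parser."""
import re

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.DOTALL)

def block(frontmatter: str, key: str):
    """Stripped lines nested under a top-level `key:` (plus its inline value, if any)."""
    head = re.compile(rf"^{re.escape(key)}:\s*(.*)$")
    entries, inside = [], False
    for line in frontmatter.splitlines():
        if not inside:
            match = head.match(line)
            if match:
                inside = True
                if match.group(1):
                    entries.append(match.group(1))  # e.g. `engine: copilot`
            continue
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            break  # the next top-level key ends the block
        entries.append(line.strip())
    return entries

def lint(source: str):
    """Return a list of findings; an empty list means the source passes these checks."""
    match = FRONTMATTER_RE.match(source)
    if not match:
        raise ValueError("workflow source has no leading YAML frontmatter")
    fm, body = match.groups()
    findings = []
    # 1. Anything beyond read/none in permissions: should be a safe output instead.
    for entry in block(fm, "permissions"):
        scope, sep, level = entry.partition(":")
        level = level.strip() if sep else scope.strip()
        if level not in ("read", "none", "read-all"):
            findings.append(f"permissions.{scope.strip()}={level}: keep read-only, route writes through safe-outputs")
    # 2. A prompt that asks for writes without a safe-outputs: block can only fail or do nothing.
    wants_write = re.search(r"\b(create|open|post|add)\b[^\n]*\b(issue|comment|pull request|label)s?\b", body, re.I)
    if wants_write and not block(fm, "safe-outputs"):
        findings.append("body asks the agent to write but the frontmatter has no safe-outputs: block")
    # 3. Raw hostnames in network.allowed widen egress; ecosystem identifiers are the narrower form.
    for entry in block(fm, "network"):
        if entry.startswith("- ") and "." in entry[2:]:
            findings.append(f"network.allowed entry '{entry[2:].strip()}' is a raw domain; prefer github, node or python")
    # 4. Step outputs are not expanded into the agent-visible body; the agent would see a literal placeholder.
    if re.search(r"\$\{\{\s*steps\.[^}]*\.outputs\.", body):
        findings.append("body references ${{ steps.<id>.outputs.* }}; write the value to a local file in setup instead")
    # 5. A workflow_call worker on the default shared group loses matrix legs to GitHub's
    #    one-running-one-pending rule, even with cancel-in-progress: false.
    is_worker = any("workflow_call" in entry for entry in block(fm, "on"))
    groups = [entry for entry in block(fm, "concurrency") if entry.startswith("group:")]
    if is_worker and not any("${{ inputs." in entry for entry in groups):
        findings.append("workflow_call worker has no concurrency group keyed on an input; parallel legs may cancel")
    return findings

# Constructed samples with assumed frontmatter shapes; not copied from any real repository.
WEAK_WORKFLOW = """---
on:
  workflow_call:
    inputs:
      target: {type: string}
permissions:
  contents: read
  issues: write
engine: copilot
network:
  allowed:
    - registry.npmjs.org
---
Triage the repository named in the target input and open an issue summarising what needs attention.
Use the report at ${{ steps.prep.outputs.report_url }} as additional context."""

HARDENED_WORKFLOW = """---
on:
  workflow_call:
    inputs:
      target: {type: string}
permissions:
  contents: read
engine: copilot
network:
  allowed:
    - github
    - node
safe-outputs:
  create-issue:
    max: 1
concurrency:
  group: triage-${{ inputs.target }}
---
Read /tmp/aw-context.md first; the setup step writes the target repository and report URL there.
Create at most one issue summarising what needs attention. If nothing needs attention, call noop."""

if __name__ == "__main__":
    print("weak:", lint(WEAK_WORKFLOW))
    print("hardened:", lint(HARDENED_WORKFLOW))
```

The weak sample produces five findings and the hardened one none. This is a pre-check only: `gh aw validate --strict` and `gh aw compile` remain the authority on what the installed schema accepts, and the lint should be relaxed, not the compiler, when the two disagree.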
Step 4: Configure repository prerequisites and authentication
- Read `references/authoring.md` before first-time repository setup.
- Run `gh aw init` when the repository is not configured for GH-AW authoring and the user wants persistent setup.
- Configure engine secrets with `gh aw secrets bootstrap` or `gh aw secrets set`.
- Use `COPILOT_GITHUB_TOKEN` for Copilot engine authentication.
- For Copilot runs, use a fine-grained PAT in `COPILOT_GITHUB_TOKEN`; a general `gho_...` OAuth token may pass secret checks but still fail real Copilot execution.
- When using `gh aw trial`, verify that the host repository also has the required engine secret. Secrets from the logical or source repository are not copied automatically into the temporary or reusable host repo.
- Re-check `gh aw version` after extension upgrades or reinstall paths so the repository guidance and compiler behavior stay aligned.
- If a deterministic wrapper calls a reusable worker, make the caller workflow permissions at least as broad as the nested worker's requested `actions`, `contents`, and `pull-requests` scopes or the run can fail before agent execution starts.
- Use a GitHub App or custom GitHub token when the workflow needs cross-repository reads or writes, Projects access, remote GitHub tool mode, or advanced safe outputs.
- If the repository is public and the workflow will inspect untrusted external content, preserve lockdown and approval controls unless the task is explicitly a low-risk public workflow.
Step 5: Validate, compile, and execute
- Run `gh aw fix --write` when the workflow uses deprecated fields or the compiler points to codemod-able drift.
- Run `gh aw validate --strict` before treating a workflow as ready.
- When the CLI version changed or a workflow depends on newer frontmatter behavior, run `gh aw compile --verbose` so warnings and generated-version changes are visible.
- Run `gh aw compile` after validation succeeds and commit both the `.md` source and the generated `.lock.yml` file.
- Use `gh aw run <workflow> --dry-run` to validate remote dispatch behavior, especially when you suspect branch, trigger, or workflow-discovery problems.
- Use `gh aw trial ./.github/workflows/<workflow>.md` when you need to execute a local workflow source before pushing it. The explicit `./` path matters; without it, the CLI may parse the argument as a repository spec instead of a local file.
- Use `gh aw run <workflow>` for direct execution only after the workflow source or lockfile actually exists on the target branch.
- Use `gh aw status`, `gh aw logs`, `gh aw audit`, and `gh aw health` to review state, failures, cost, tool usage, and success trends after changes.
Step 6: Operate and improve professionally
- Review whether the workflow can be simplified, split into smaller workflows, or converted into shared components.
- Prefer staged safe outputs for initial rollout of workflows that create issues, comments, or pull requests at scale.
- For recurring maintenance, pin or review the installed `gh-aw` version deliberately and update workflows through `gh aw update` or `gh aw upgrade` instead of ad hoc copy-paste.
- Keep workflow prompts specific, bounded, and auditable. Move broad strategy into reusable imports or agent files when multiple workflows need the same rules.
Error Handling
- If `gh extension install github/gh-aw` fails, use the standalone installer path documented in `references/troubleshooting.md`.
- If compilation fails, fix frontmatter syntax, deprecated fields, imports, or permission mismatches before continuing.
- If compiler behavior does not match the docs you are reading, trust the installed `gh aw version` and validate against that version before rewriting the workflow shape.
- If `gh aw trial` rejects `.github/workflows/<name>.md` as an invalid repository spec, retry with an explicit local path such as `./.github/workflows/<name>.md`.
- If a reusable worker succeeds in isolation but the wrapper run fails at startup, inspect caller-workflow `permissions:` inheritance before changing the worker logic.
- If a matrix of reusable GH-AW workers cancels most legs immediately, inspect the called workflow's concurrency group first. A shared workflow-level group will cancel pending legs even when `cancel-in-progress` is `false`.
- If a trial run fails on the activation step with `Validate COPILOT_GITHUB_TOKEN secret`, inspect the host repository with `gh secret list -R <host-repo>`. The source repository's secrets are not inherited by the trial host.
- If `gh aw trial --force-delete-host-repo-before` fails, confirm you have admin rights on the host repository and that the current GitHub auth token includes the `delete_repo` scope.
- If the workflow prompt still shows unresolved runtime placeholders during execution, move those values into a generated local context file and have the agent read that file explicitly.
- If local `gh aw compile`, `gh aw validate`, or `gh aw trial` commands create `.github/aw/` files such as `actions-lock.json` or logs, treat them as transient byproducts and remove them before commit unless the repository intentionally keeps them.
- If safe outputs do nothing, verify that staged mode is intentional and that the prompt explicitly instructs the agent to call `noop` when no write action is needed.
- If `gh aw mcp inspect` fails on a compiled scheduled workflow source with a fuzzy schedule parsing error, treat that as an inspection-path limitation first. Re-run `gh aw compile`, prefer installed-workflow or run-log based debugging, and do not assume the workflow itself is invalid if validation and compile already passed.
- If the compiler rejects engine fields or tool entries that look valid from older examples, trust the installed schema. In `gh aw v0.58.3`, `engine.max-turns` is not supported for Copilot, `bash` must be `true`, `false`, or an allowlist, and bare `edit:`/`web-fetch:` keys are accepted where boolean values are not.
- If URLs are sanitized as `(redacted)` or tools cannot reach required services, tighten and expand `network.allowed` deliberately rather than disabling the firewall.
- If Copilot inference fails with a configured token, verify that the PAT owner actually has a Copilot license and inference access.
- If public-repository workflows miss external contributor content, confirm whether GitHub lockdown mode is blocking that content before changing workflow logic.