feat(agentic-workflows): add gh-aw and awf reference#75
Conversation
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the project version to 2.15.0 and introduces a new reference guide for agentic workflows using gh-aw and gh-aw-firewall. The documentation covers the compilation of Markdown specs into hardened GitHub Actions and the use of a sandbox firewall for egress control. Feedback was provided to improve documentation clarity by replacing generic file placeholders with specific examples and to refine the concurrency configuration in the audit checklist to avoid repository-wide blocking.
There was a problem hiding this comment.
Pull request overview
Adds a new reference document to the GitHub Project skill covering “agentic workflows” tooling (gh-aw and awf) and wires it into the skill’s references and versioning metadata.
Changes:
- Added
references/agentic-workflows.mddocumentinggh-aw(workflow compiler) andgh-aw-firewall/awf(egress + credential isolation), including usage guidance and an audit checklist. - Linked the new reference from
skills/github-project/SKILL.md. - Bumped skill/plugin version from
2.14.0to2.15.0in bothSKILL.mdand.claude-plugin/plugin.json.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
skills/github-project/SKILL.md |
Version bump and adds the new “Agentic workflows” entry to the References table. |
skills/github-project/references/agentic-workflows.md |
New reference doc explaining gh-aw/awf, their guarantees, and audit guidance. |
.claude-plugin/plugin.json |
Keeps plugin version in sync with the skill version bump. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Adds references/agentic-workflows.md covering: - gh-aw (github/gh-aw): gh CLI extension that compiles Markdown agent specs into hardened GitHub Actions workflows (SHA-pinned uses, narrowed permissions, input sanitisation, sanitised-output gating, tool allowlists). - gh-aw-firewall / awf (github/gh-aw-firewall): Squid-proxy-based egress firewall that sandboxes the agent inside a Docker network with an optional API-proxy sidecar for credential isolation. Includes when-to-use vs when-not-to-use, a minimal gh-aw spec example, the awf vs step-security/harden-runner comparison (adjacent, not mutually exclusive), and an audit checklist. SKILL.md: add table row, bump version 2.14.0 -> 2.15.0. plugin.json: keep in sync at 2.15.0. Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Versioning belongs to release work, not feature PRs. Restore both skills/github-project/SKILL.md and .claude-plugin/plugin.json to the base version 2.14.0 on main; the next release will bump as a separate release commit. Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
- Replace generic .github/workflows/*.yml placeholder with a concrete triage-bot.yml example matching the spec shown in the section. - Scope the concurrency: bullet in the audit checklist to the triggering issue/PR (github.event.issue.number || ...pull_request.number || github.sha) so concurrent issues/PRs are not serialised by a static repo-wide group. Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
|
Summary
references/agentic-workflows.mdcoveringgh-aw(theghCLI extension that compiles natural-language Markdown specs into hardened GitHub Actions workflows) andgh-aw-firewall/awf(Squid-proxy-based egress firewall with an optional API-proxy sidecar for LLM-credential isolation).gh-awenforces in compiled output (SHA-pinneduses, narrowedpermissions, untrusted-input sanitisation, sanitised-output gating, tool allowlists), a minimal spec example, when to layerawfon top, the relationship tostep-security/harden-runner(adjacent, not mutually exclusive), and an audit checklist.SKILL.md's References table, bumpsversion2.14.0->2.15.0(minor: new topic), and keeps.claude-plugin/plugin.jsonin sync.Structural choice: new
references/agentic-workflows.mdrather than an inlineSKILL.mdsection, matching the skill's existing pattern (terseSKILL.md, depth inreferences/). The skill'sdescription:already covers Actions-workflow authoring/hardening, so it was not widened.compatibility:was not changed —gh-awandawfare optional.Test plan
markdownlint-cli2clean onSKILL.mdand the new referencescripts/verify-harness.sh-> Level 3 COMPLETE, 0 errors, 0 warningsreferences/*.mdlinks fromSKILL.mdresolvegit log --show-signature -1reports "Good 'git' signature")SKILL.mdword count stays at the ~500 convention (currently 501)