[FAQ] Add: How agent actions are constrained (commenting, PRs, files, external tools) #29642
Adds a new entry under the Guardrails section explaining how agent actions (commenting, PRs, file changes, external calls) are constrained via read-only defaults, safe outputs, and the Agent Workflow Firewall.

Source: github/agentic-workflows#528
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
❌ Smoke Project encountered failures. Check the logs for details.

📰 DEVELOPING STORY: Smoke Copilot ARM64 reports was cancelled. Our correspondents are investigating the incident...

❌ Smoke Multi PR failed to create multiple PRs. Check the logs.

❌ Smoke Temporary ID encountered failures. Check the logs for details.
**1. Read-only agent by default.** The AI agent step has read-only GitHub permissions. It cannot comment, open PRs, or push files unless you explicitly configure [safe outputs](/gh-aw/reference/safe-outputs/).

**2. Safe outputs for all writes.** Commenting, creating PRs, and modifying files all go through safe outputs — separate GitHub Actions jobs with scoped write tokens. The agent produces a structured artifact; a downstream job applies the changes after sanitization (secret redaction, URL filtering, size limits). You declare exactly which operations are permitted:
@copilot simplify example, mention agentic threat detection
Done in c9910db. Simplified the safe-outputs example to a single minimal operation, simplified the network allowlist example, and added threat detection as a fourth defense-in-depth layer (with a link to the threat detection reference).
Comment Memory Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7f53e7d5-80a3-41aa-b71a-67cbf89f0077
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Adds a new Guardrails FAQ entry explaining how gh-aw constrains agent actions across GitHub writes and external network access.
Changes:
- Adds a new FAQ question covering default read-only behavior, safe outputs, threat detection, and network controls.
- Includes short YAML examples for enabling safe outputs and network access.
- Links the new entry to existing FAQ/reference pages about sanitization, threat detection, sandboxing, and approval gates.
| File | Description |
|---|---|
| docs/src/content/docs/reference/faq.md | Adds a consolidated Guardrails FAQ entry describing how agent actions are constrained. |
Copilot's findings
Comments suppressed due to low confidence (2)
docs/src/content/docs/reference/faq.md:228
- This presents threat detection as an unconditional layer, but the reference allows workflows to opt out with `safe-outputs.threat-detection: false`. Without that caveat, the new FAQ overstates the guarantees around write-time scanning and may mislead readers into thinking detection always runs.
**3. Threat detection before writes.** [Agentic threat detection](/gh-aw/reference/threat-detection/) runs automatically between the agent job and the safe output jobs. It scans the agent's output for prompt injection attempts, secret leaks, and malicious code patches, blocking the write jobs if a threat is detected.
docs/src/content/docs/reference/faq.md:235
- The network section is inaccurate: the default is not "all outbound network access blocked." The network reference says that omitting `network:` defaults to `network: defaults`, which still allows basic infrastructure domains. This answer currently overstates the default restriction for external calls.
**4. Network allowlist for external calls.** The [Agent Workflow Firewall](/gh-aw/reference/sandbox/) blocks all outbound network access by default. You must explicitly allow each domain an agent may reach:
```yaml wrap
network:
  allowed:
    - defaults
```

- Files reviewed: 1/1 changed files
- Comments generated: 1
**1. Read-only agent by default.** The AI agent step has read-only GitHub permissions. It cannot comment, open PRs, or push files unless you explicitly configure [safe outputs](/gh-aw/reference/safe-outputs/).

**2. Safe outputs for all writes.** Commenting, creating PRs, and modifying files all go through safe outputs — separate GitHub Actions jobs with scoped write tokens. The agent produces a structured artifact; a downstream job applies the changes after sanitization (secret redaction, URL filtering, size limits). You declare which operations are permitted:
Adds a new FAQ entry under the Guardrails section directly answering how gh-aw constrains agent actions — covering the read-only default, safe outputs for writes, and the Agent Workflow Firewall for external calls.
This consolidates information spread across several existing entries into a single, directly-addressable question that users commonly ask.
Change type: New FAQ entry (no existing entry covers this exact question)
Source issue: github/agentic-workflows#528
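The review above raises two caveats on the FAQ's four layers: threat detection can be switched off with `safe-outputs.threat-detection: false`, and omitting `network:` means `network: defaults` rather than "all outbound access blocked". As an added example (not code from the gh-aw project or from this PR), the audit below takes a workflow's frontmatter, already parsed into a dict, and reports which of the layers are actually in force. It uses only keys that appear on this page (`safe-outputs`, `threat-detection`, `network`, `allowed`, `defaults`); the rule that every other key under `safe-outputs` names a permitted write operation, and the operation name `add-comment` in the sample, are assumptions.

```python
# Added example, not gh-aw's own code. Audits the guardrail-related keys of a
# gh-aw workflow frontmatter (already parsed, e.g. by a YAML loader) and
# reports the defense layers described in the Guardrails FAQ.
# ASSUMPTION: any key under safe-outputs other than "threat-detection" names
# one permitted write operation.
from typing import Any


def audit_guardrails(fm: dict[str, Any]) -> list[str]:
    """Return INFO/WARN findings about read-only default, safe outputs,
    threat detection and the network allowlist for one workflow."""
    findings: list[str] = []

    # Layers 1 and 2: with no safe-outputs block the agent job is read-only;
    # with one, only the declared operations can write.
    safe = fm.get("safe-outputs")
    if safe is None:
        findings.append(
            "INFO: no safe-outputs; agent is read-only and cannot comment, open PRs or push"
        )
    else:
        safe = safe or {}
        ops = sorted(k for k in safe if k != "threat-detection")
        findings.append(
            "INFO: write operations routed through safe outputs: "
            + (", ".join(ops) or "none")
        )
        # Layer 3: threat detection runs by default but can be opted out, so
        # the opt-out is the thing worth surfacing in an audit.
        if safe.get("threat-detection") is False:
            findings.append(
                "WARN: safe-outputs.threat-detection is false; agent output is not "
                "scanned before the write jobs run"
            )

    # Layer 4: the firewall allowlist. An omitted network key behaves like
    # `network: defaults` (basic infrastructure domains only), not "block all".
    net = fm.get("network")
    if net is None or net == "defaults":
        findings.append(
            "INFO: network not configured beyond defaults (basic infrastructure domains only)"
        )
    elif isinstance(net, dict):
        allowed = [str(d) for d in (net.get("allowed") or [])]
        extra = [d for d in allowed if d != "defaults"]
        findings.append(
            "INFO: firewall allowlist: "
            + (", ".join(allowed) if allowed else "(empty)")
            + (f"; {len(extra)} domain(s) beyond defaults" if extra else "")
        )
    else:
        findings.append(f"WARN: unrecognised network value: {net!r}")
    return findings


# Constructed sample frontmatters (not taken from any real workflow).
READ_ONLY_WORKFLOW: dict[str, Any] = {"on": "issues"}
WRITING_WORKFLOW: dict[str, Any] = {
    "on": "issues",
    "safe-outputs": {"add-comment": {}},  # "add-comment" is a hypothetical op name
    "network": {"allowed": ["defaults", "api.example.com"]},
}
DETECTION_DISABLED_WORKFLOW: dict[str, Any] = {
    "on": "issues",
    "safe-outputs": {"add-comment": {}, "threat-detection": False},
    "network": "defaults",
}

if __name__ == "__main__":
    for name, fm in [
        ("read-only", READ_ONLY_WORKFLOW),
        ("writing", WRITING_WORKFLOW),
        ("detection-disabled", DETECTION_DISABLED_WORKFLOW),
    ]:
        print(f"== {name}")
        for line in audit_guardrails(fm):
            print("  " + line)
```

Feed it the frontmatter of each workflow in a repository and grep the output for `WARN` to find workflows that have write operations enabled without threat detection, which is the case the review flags as under-stated in the FAQ text.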