CLI & Tooling
Complete gh aw CLI command reference and tooling guide
⚠️ Note: gh aw is a separate Go-based extension for the GitHub CLI — not the Copilot CLI runtime. It handles workflow authoring and lifecycle management.
🚀 Quick Start
Get up and running in three commands.
# 1. Install the GitHub CLI (if you don't have it) # → https://cli.github.com/ # 2. Install the gh-aw extension $ gh extension install github/gh-aw # 3. Initialize your repository $ gh aw init # That's it! Now create your first workflow: $ gh aw new my-first-workflow --engine copilot $ gh aw compile my-first-workflow $ gh aw run my-first-workflow --push
📦 Installation Methods
Four ways to install, depending on your environment.
🔌 Extension Install Recommended
Standard installation via the GitHub CLI extension manager. Requires gh to be installed and authenticated.
$ gh extension install github/gh-aw $ gh aw version
📌 Pinned Version Production
Lock to a specific release tag or commit SHA for reproducible environments and team consistency.
$ gh extension install github/gh-aw@v0.57.0 # Upgrade a pinned version $ gh extension remove gh-aw $ gh extension install github/gh-aw@v0.58.0
📥 Standalone Installer Fallback
For Codespaces, restricted networks, or when gh extension install fails. Supports Linux, macOS, FreeBSD, Windows (WSL), and Android.
# Latest version $ curl -sL https://raw.githubusercontent.com/github/gh-aw/main/install-gh-aw.sh | bash # Pinned version $ curl -sL https://raw.githubusercontent.com/github/gh-aw/main/install-gh-aw.sh | bash -s v0.57.0
⚙️ GitHub Actions Setup CI/CD
For pipelines — includes automatic checksum verification and platform detection.
# In your workflow YAML: - name: Install gh-aw CLI uses: github/gh-aw/actions/setup-cli@main with: version: v0.57.0
💡 Global Flags: All commands support -h / —help for help and -v / —verbose for debug output. Use gh aw help [command] for command-specific docs.
📖 Command Reference
Complete reference for every gh aw command with syntax, options, and examples.
⚡ Core Commands
gh aw init
Initialize a repository for agentic workflows
What it creates:
.gitattributes (marks .lock.yml as generated), .github/agents/agentic-workflows.agent.md (dispatcher agent), .gitignore entries, and MCP server config.
Options:
| Flag | Description |
|---|---|
--no-mcp | Skip MCP server integration |
--codespaces [repos] | Configure devcontainer for current or specified repos |
--completions | Install shell completions |
--create-pull-request | Initialize via pull request instead of direct commit |
Examples:
$ gh aw init # Interactive mode
$ gh aw init --no-mcp # Skip MCP server
$ gh aw init --codespaces repo1,repo2 # Configure devcontainer for repos
$ gh aw init --create-pull-request # Initialize via PRgh aw compile
Compile Markdown to GitHub Actions YAML (.lock.yml) Core
The heart of gh-aw. Transforms .md workflow files into security-hardened .lock.yml files with schema validation, action SHA pinning, and guardrail configuration.
Options:
| Flag | Description |
|---|---|
--validate | Validate the workflow schema before compiling |
--strict | Enforce security best practices (no write perms, explicit network, pinned Actions, no wildcards, no deprecated fields) |
--fix | Run codemods before compilation |
--zizmor | Run zizmor security scanner against generated YAML |
--dependabot | Generate Dependabot-compatible dependency manifests |
--watch | Watch for file changes and auto-recompile |
--purge | Remove orphaned .lock.yml files |
--json | Output results in JSON format |
--stats | Output compilation statistics |
Examples:
$ gh aw compile # Compile all workflows
$ gh aw compile my-workflow # Compile a specific workflow
$ gh aw compile --watch # Auto-recompile on changes
$ gh aw compile --validate --strict # Schema + strict security
$ gh aw compile --strict --zizmor # Security scan (fail on findings)
$ gh aw compile --dependabot --purge # Dependabot + cleanupgh aw validate
Validate workflows with all linters enabled (no output generated)
Runs the compiler with all linters always-on — zizmor, actionlint, poutine — plus --validate and --no-emit. The go-to command for CI/CD gates.
Options:
| Flag | Description |
|---|---|
--strict | Enforce strict mode |
--fail-fast | Stop at first error |
--dir <path> | Validate from a custom directory |
--engine <name> | Override AI engine for validation |
--json | Output results in JSON |
Examples:
$ gh aw validate # Validate all workflows
$ gh aw validate my-workflow # Validate specific workflow
$ gh aw validate --strict --fail-fast # Strict + stop on first error
$ gh aw validate --json # JSON output for CIgh aw run
Trigger workflow execution in GitHub Actions
Options:
| Flag | Description |
|---|---|
--push | Auto-commit, push, then dispatch (combines compile → stage → commit → push → run) |
--ref <branch> | Push to specific branch |
--repeat <n> | Repeat execution n times |
--dry-run | Preview without executing |
--enable-if-needed | Enable disabled workflow before running |
--auto-merge-prs | Auto-merge PRs created by workflow |
--engine <name> | Override AI engine |
--raw-field key=val | Pass custom inputs |
--repo owner/repo | Run in a different repository |
--json | Output triggered results as JSON |
Examples:
$ gh aw run workflow # Run a workflow
$ gh aw run workflow --push # Compile → push → dispatch
$ gh aw run workflow --repeat 3 # Run 3 times
$ gh aw run workflow --dry-run # Preview only
$ gh aw run w1 w2 --push --ref main # Run multiple, push to main💡 Power move: gh aw run —push is the ultimate local-dev shortcut — it recompiles outdated lock files, stages imports, commits, pushes, and dispatches in one command.
gh aw list
List workflows (fast, no API queries)
Options:
| Flag | Description |
|---|---|
--json | Output in JSON |
--label <name> | Filter by label |
--dir <path> | List from a custom directory |
Examples:
$ gh aw list # List all workflows
$ gh aw list ci- # Filter by pattern
$ gh aw list --label automation --json # Filter + JSONgh aw status
Detailed workflow status with run info
Options:
| Flag | Description |
|---|---|
--ref <branch> | Include latest run info for the specified branch |
--label <name> | Filter by label |
--repo owner/repo | Check a different repository |
Examples:
$ gh aw status # All workflows
$ gh aw status --ref main # Include latest run for main
$ gh aw status --repo owner/other-repo # Different repogh aw version
Show CLI version
$ gh aw version
gh-aw v0.57.0 (2026-03-15)🔄 Workflow Lifecycle
gh aw add
Add workflows from The Agentics collection or any repository
Options:
| Flag | Description |
|---|---|
--dir/-d <path> | Organize in a subdirectory |
--repo/-r <repo> | Source repository |
--create-pull-request | Add via pull request |
--append | Append to existing workflow |
--engine/-e <name> | Override engine |
--force/-f | Overwrite existing |
--name/-n <name> | Custom workflow name |
--stop-after <min> | Set max duration in minutes |
--no-stop-after | Remove duration limit |
--disable-security-scanner | Skip security scanner setup |
--no-gitattributes | Skip .gitattributes update |
Examples:
$ gh aw add githubnext/agentics/ci-doctor # Add from Agentics
$ gh aw add "githubnext/agentics/ci-*" # Wildcard match
$ gh aw add ci-doctor --dir shared --force # Into subdirectory
$ gh aw add ci-doctor --create-pull-request # Add via PRgh aw add-wizard
Interactive guided setup for adding workflows
Walks through engine selection, configuration, and compilation interactively.
$ gh aw add-wizardgh aw new
Create a new workflow template
Options:
| Flag | Description |
|---|---|
--force | Overwrite existing workflow |
--engine <name> | Inject engine into frontmatter |
Examples:
$ gh aw new # Interactive mode
$ gh aw new my-workflow # Create named template
$ gh aw new my-workflow --engine claude # With engine presetgh aw fix
Auto-fix deprecated fields (dry-run by default)
Options:
| Flag | Description |
|---|---|
--write | Apply fixes (without this, only previews changes) |
--list-codemods | List available codemods |
Examples:
$ gh aw fix # Check all (dry-run)
$ gh aw fix --write # Apply fixes
$ gh aw fix my-workflow --write # Fix specific workflow
$ gh aw fix --list-codemods # Show available codemodsgh aw update
Update workflows from upstream (3-way merge by default)
Options:
| Flag | Description |
|---|---|
--no-merge | Override local changes with upstream |
--major --force | Allow major version updates |
--create-pull-request | Update via PR |
Examples:
$ gh aw update # Update all sourced workflows
$ gh aw update ci-doctor # Update specific (3-way merge)
$ gh aw update ci-doctor --no-merge # Force upstream version
$ gh aw update --create-pull-request # Update via PRgh aw upgrade
Upgrade repository configuration and agent files
Options:
| Flag | Description |
|---|---|
--no-fix | Update agent files only, skip codemods |
--no-actions | Skip Actions updates |
--no-compile | Skip recompilation |
--create-pull-request | Upgrade via PR |
--audit | Run dependency health audit |
--json | Output in JSON |
Examples:
$ gh aw upgrade # Full upgrade
$ gh aw upgrade --no-fix --no-compile # Agent files only
$ gh aw upgrade --create-pull-request # Upgrade via PRgh aw remove
Remove workflow and its compiled .lock.yml
$ gh aw remove my-workflowgh aw enable / gh aw disable
Enable or disable workflows
disable also cancels any in-progress runs automatically.
$ gh aw enable ci-doctor # Enable one workflow
$ gh aw disable ci-doctor # Disable + cancel active runs
$ gh aw enable # Enable all workflows
$ gh aw disable --repo owner/repo # Disable in a specific repo🔍 Monitoring & Debugging
gh aw logs
Download and analyze workflow run logs
Downloads and parses logs with tool usage, network patterns, errors, and warnings. Results are cached for 10–100× speedup on subsequent access. Accepts workflow IDs or display names (case-insensitive).
Examples:
$ gh aw logs workflow # Download logs
$ gh aw logs -c 10 --start-date -1w # Last week, 10 results
$ gh aw logs --ref main --parse --json # Parsed JSON for a branchgh aw audit
Deep analysis of a specific workflow run
Detailed metrics, tool usage, MCP failures, firewall analysis, no-ops, and artifacts. Accepts run IDs, workflow URLs, job URLs, and step-level URLs. Logs saved to logs/run-{id}/.
Examples:
$ gh aw audit 12345678 # By run ID
$ gh aw audit https://github.com/owner/repo/actions/runs/123 # By URL
$ gh aw audit 12345678 --parse # Parse to markdown
$ gh aw audit 12345678 --repo owner/repo # Specify repogh aw health
Workflow health metrics and trends
Displays success rates, trend indicators (↑ improving, → stable, ↓ degrading), execution duration, token usage, costs, and alerts.
Options:
| Flag | Description |
|---|---|
--days <n> | Time range (default: 7 days) |
--threshold <n> | Alert if below n% success rate |
--json | Output in JSON |
Examples:
$ gh aw health # Summary (last 7 days)
$ gh aw health issue-monster # Detailed for one workflow
$ gh aw health --days 30 # Last 30 days
$ gh aw health --threshold 90 --json # Alert below 90%gh aw trial
Test workflows in temporary repositories
Tests workflows in temporary private repos (default) or directly in a specified repo. Results saved to trials/.
Examples:
$ gh aw trial githubnext/agentics/ci-doctor # Test a remote workflow
$ gh aw trial ./workflow.md --logical-repo owner/repo # Act as different repo
$ gh aw trial ./workflow.md --dry-run # Preview only🔌 MCP, Secrets & Domains
gh aw mcp
Manage Model Context Protocol (MCP) servers
$ gh aw mcp list workflow # List servers for a workflow
$ gh aw mcp list-tools <mcp-server> # List tools exposed by server
$ gh aw mcp inspect workflow # Inspect and test servers
$ gh aw mcp add # Add an MCP tool to workflowgh aw mcp-server
Run gh-aw as an MCP server for IDE integration Bridge
Exposes gh-aw commands as MCP tools — the key bridge between CLI and IDEs. Configure as an MCP tool source in VS Code to give Copilot live access to workflow status, compilation, logs, and audit.
Exposed tools: status, compile, logs, audit, mcp-inspect, add, update
$ gh aw mcp-server # stdio transport (default)
$ gh aw mcp-server --port 8080 # HTTP server with SSE
$ gh aw mcp-server --validate-actor # Enable actor validationgh aw secrets
Manage repository secrets for AI engine authentication
$ gh aw secrets set MY_SECRET # From stdin
$ gh aw secrets set MY_SECRET --repo myorg/myrepo # Target repo
$ gh aw secrets set MY_SECRET --value-from-env MY_TOKEN # From env var
$ gh aw secrets bootstrap # Auto-detect missing
$ gh aw secrets bootstrap --engine copilot # Check Copilot only
$ gh aw secrets bootstrap --non-interactive # Display, don't promptgh aw domains
List network domains referenced in workflows
Shows allowed/blocked domains including DNS expansions.
$ gh aw domains # List all domains
$ gh aw domains --json # Output in JSON🧰 Utilities
gh aw completion install
Auto-detect shell and install tab completions for commands, workflow names, engines, and paths.
$ gh aw completion install $ gh aw completion uninstall
gh aw project new
Create and manage GitHub Projects V2 boards for workflow organization.
gh aw pr transfer
Transfer a pull request to another repository.
gh aw hash-frontmatter
Compute deterministic SHA-256 hash of workflow frontmatter for change detection.
⚙️ Compilation Pipeline
How gh aw compile transforms Markdown into secure GitHub Actions YAML.
.md, extract YAML frontmatter + body.github/aw/imports/.lock.ymlFile Relationships
.github/ ├── workflows/ │ ├── my-workflow.md ← Source (authored by developer) │ └── my-workflow.lock.yml ← Compiled output (generated) ├── aw/ │ └── imports/ ← Cached remote imports ├── agents/ │ └── agentic-workflows.agent.md ← Dispatcher agent └── dependabot.yml ← Generated with --dependabot
Strict Mode Enforcement
When --strict is enabled, the compiler enforces these security requirements:
🚫 No Write Permissions
Workflows cannot have elevated write access to the repository.
🌐 Explicit Network
All network access must be declared — no implicit internet access.
🚫 No Wildcards
*.example.com patterns are rejected — domains must be explicit.
📌 Pinned Actions
All action references must use full SHA hashes, not version tags.
⚠️ No Deprecated Fields
Deprecated frontmatter keys are rejected — use gh aw fix first.
🔗 Shared Workflows
Workflows without on are auto-detected as shared components with relaxed validation.
💻 IDE Integration
Use gh aw from your favorite editor.
🟦 VS Code Agent Mode Primary
The primary IDE for authoring agentic workflows. Through GitHub Copilot Agent Mode, create, edit, and debug workflows conversationally.
- Open Copilot Chat → switch to Agent Mode
- Prompt: “Create a workflow for GitHub Agentic Workflows…”
- Agent creates the
.mdfile, runsgh aw compile, and can commit - Use
/agentcommand forcreate,debug,update,upgrade
💡 MCP Bridge: Configure gh aw mcp-server as an MCP tool source in VS Code Chat to give Copilot live access to workflow status, compilation, logs, and audit — all within the editor.
🟪 JetBrains IDEs
IntelliJ, WebStorm, and PyCharm support Copilot Chat and can invoke gh aw commands from the integrated terminal.
- Custom agents and sub-agents (GA)
- Plan agent (GA)
- Agent hooks (preview)
- Auto-approve support for MCP
- Expanded agent instruction files
gh aw mcp-server works as an MCP tool source in any IDE supporting MCP.
🌐 Web UI & Any Terminal
GitHub.com: Author workflows directly via Copilot chat in the web UI. Great for quick prototyping without local tooling.
Any IDE with terminal: The CLI is IDE-agnostic — if it has a terminal, you can use the full gh aw CLI for compilation, validation, and execution.
# Works in any terminal $ gh aw compile --watch $ gh aw validate --strict $ gh aw run my-workflow --push
📊 The Agents Tab
A centralized dashboard for managing Copilot coding agent sessions in your repository.
👁️ View Sessions
See all active and archived agent sessions in one place. Track what your agents are doing across the repository.
➕ Create Sessions
Start new agent sessions or switch between active tasks directly from the repository interface.
🔗 Jump to PRs
One-click links to associated pull requests. See exactly what changes each agent session produced.
📁 Archive Sessions
Organize completed sessions by archiving them. Keep your workspace clean while preserving history.
💡 Configuration: For policy and environment settings, navigate to Settings → Copilot → Coding agent within your repository. The Actions tab shows workflow run history, job logs, artifacts, and the staged pipeline execution stages.
🔁 Local Development Workflow
A typical end-to-end development cycle with gh aw.
# 1. Initialize the repository (one-time setup) $ gh aw init # 2. Create a new workflow $ gh aw new my-workflow --engine copilot # 3. Edit the .md file in your editor of choice # 4. Validate without compiling $ gh aw validate my-workflow # 5. Compile to .lock.yml $ gh aw compile my-workflow # 6. Watch mode for rapid iteration $ gh aw compile --watch # 7. Commit both files $ git add .github/workflows/my-workflow.md .github/workflows/my-workflow.lock.yml $ git commit -m "Add my-workflow agentic workflow" $ git push # 8. Trigger a run $ gh aw run my-workflow # 9. Monitor health over time $ gh aw health my-workflow --days 7 # 10. Analyze a specific run $ gh aw audit <run-id> --parse
⚡ Shortcut: gh aw run —push combines steps 5–8 into a single command: recompile → stage → commit → push → dispatch.
🐛 Debugging & Troubleshooting
Tips, the DEBUG environment variable, and common fixes.
Debug Environment Variable
Enable detailed debugging output with namespace filtering:
$ DEBUG=* gh aw compile # All debug logs $ DEBUG=cli:* gh aw compile # CLI logs only $ DEBUG=*,-tests gh aw compile # All except test logs
Fuzzy Workflow Name Matching
The CLI auto-suggests similar workflow names on typos using Levenshtein distance:
$ gh aw compile audti-workflows
✗ workflow file not found
Did you mean: audit-workflows?GitHub Enterprise Server
$ export GH_HOST="github.enterprise.com"
$ gh auth login --hostname github.enterprise.com
$ gh aw logs workflow --repo github.enterprise.com/owner/repoCommon Issues
| Issue | Solution |
|---|---|
command not found: gh | Install the GitHub CLI from cli.github.com |
extension not found: aw | Run gh extension install github/gh-aw |
| Compilation fails with YAML errors | Check indentation, colons, and array syntax in frontmatter. Error reports include file paths, line numbers, and contextual code snippets. |
| Workflow not found | Check the fuzzy suggestion or run gh aw status to list available workflows |
| Permission denied | Check file permissions or repository access. Ensure gh auth status shows correct authentication. |
| Missing secrets at runtime | Run gh aw secrets bootstrap to auto-detect and configure missing secrets |
| Trial creation fails | Check GitHub rate limits and authentication. Verify with gh auth status. |
| Lock file outdated | Run gh aw compile to regenerate, or use gh aw run --push which auto-recompiles. |
📋 Command Cheat Sheet
Every command at a glance.
⚡ Core
| Command | Description |
|---|---|
gh aw init | Initialize repository |
gh aw compile | Compile .md → .lock.yml |
gh aw validate | Validate with all linters |
gh aw run | Trigger execution |
gh aw list | List workflows (no API) |
gh aw status | Detailed status + runs |
gh aw version | Show CLI version |
🔄 Lifecycle
| Command | Description |
|---|---|
gh aw add | Add from repos |
gh aw add-wizard | Interactive setup |
gh aw new | Create template |
gh aw fix | Auto-fix deprecated |
gh aw update | Update from upstream |
gh aw upgrade | Upgrade repo config |
gh aw remove | Remove workflow |
gh aw enable/disable | Toggle workflows |
🔍 Monitoring
| Command | Description |
|---|---|
gh aw logs | Download & analyze logs |
gh aw audit | Deep run analysis |
gh aw health | Metrics & trends |
gh aw trial | Test in temp repos |
🔌 MCP & Secrets
| Command | Description |
|---|---|
gh aw mcp | Manage MCP servers |
gh aw mcp-server | Run as MCP server |
gh aw secrets | Manage secrets |
gh aw domains | List network domains |