⚙️
Configuration Reference
Complete frontmatter schema and field reference
PrerequisitesOverviewAuthenticationSchemaTriggersPermissionsEnginesToolsSafe OutputsNetworkMCP ServersAdvanced
Prerequisites
Before creating agentic workflows, ensure you have the following:
✅ Required
- GitHub Copilot subscription — Pro, Pro+, Business, or Enterprise plan
- GitHub CLI —
ghv2.45.0 or above (cli.github.com) - gh-aw extension —
gh extension install github/gh-aw - Repository admin access — needed to manage secrets and enable workflows
🔑 Tokens & Secrets
COPILOT_GITHUB_TOKEN— required repo secret; fine-grained PAT with Copilot Requests permission (see Authentication)GH_AW_AGENT_TOKEN— optional repo secret; PAT forassign-to-agentsafe output- Custom PAT or GitHub App — optional, for safe-output writes under a different identity
What gh aw init Does
Running gh aw init in your repository:
- ✅ Creates
.github/workflows/copilot-setup-steps.yml— the environment setup file for the agentic workflow runner - ✅ Walks you through selecting an AI engine (Copilot, Claude, Codex)
- ✅ Provides instructions for setting up required secrets
- ❌ Does not create the
COPILOT_GITHUB_TOKENsecret — you must do this manually
# Initialize the repo
gh aw init --engine copilot
# Then manually create the required secret
gh secret set COPILOT_GITHUB_TOKEN -R owner/repo
# (paste your fine-grained PAT when prompted)⚠️ Without COPILOT_GITHUB_TOKEN, the activation step will fail immediately. This is the first thing to check when troubleshooting a failed workflow run.
How Configuration Works
Every agentic workflow is a .md file in .github/workflows/ with two parts:
📋 YAML Frontmatter
Structured config between --- markers — triggers, permissions, tools, engine, and safe outputs. Validated at compile time.
📝 Markdown Body
Natural-language instructions for the AI agent. Editable without recompilation — the agent interprets these contextually at runtime.
# File: .github/workflows/triage-issues.md
---
on:
issues:
types: [opened]
permissions: read-all
safe-outputs:
add-labels:
allowed: [bug, feature, docs]
add-comment: {}
---
# Issue Triage Agent
Analyze new issues and apply the appropriate label.
Explain your reasoning in a comment.💡 Run gh aw compile to transform the .md file into a .lock.yml — a security-hardened GitHub Actions workflow. The lock file is what Actions executes.
Authentication & Tokens
Agentic workflows use repository secrets for authentication. The compiled .lock.yml workflow references these secrets at runtime during the activation and safe-outputs steps.
COPILOT_GITHUB_TOKEN — The Core Requirement
Every agentic workflow needs COPILOT_GITHUB_TOKEN — a fine-grained PAT from a user with an active Copilot license. The compiled workflow validates this secret during activation; without it, the run fails immediately.
Creating the Token
- Go to github.com/settings/personal-access-tokens
- Select Fine-grained token → choose your target repository or Public Repositories
- Under Account permissions, grant Copilot Requests: Read-only
- Copy the generated token and store it as a repo secret:
gh secret set COPILOT_GITHUB_TOKEN -R owner/repo
# Paste your fine-grained PAT when prompted⚠️ COPILOT_GITHUB_TOKEN is not the built-in GITHUB_TOKEN. It must be a PAT from a user whose Copilot subscription is consumed for premium requests. The token owner’s account must have Copilot access.
Additional Secrets
Depending on your workflow configuration, you may need additional repository secrets:
| Secret | When Needed | Permission |
|---|---|---|
COPILOT_GITHUB_TOKEN | Always — every agentic workflow | Copilot Requests: Read-only |
GH_AW_AGENT_TOKEN | Using assign-to-agent safe output | Issues: Read & Write |
ANTHROPIC_API_KEY | Using engine: claude | — |
OPENAI_API_KEY | Using engine: codex | — |
GEMINI_API_KEY | Using engine: gemini | — |
GH_AW_SECURITY_ALERTS_TOKEN | Security monitoring workflows | Dependabot, Code scanning, Secret scanning alerts |
💡 All secrets are stored as regular repository secrets (Settings → Secrets and variables → Actions). MCP server secrets referenced in the workflow frontmatter also go here, using the ${{ secrets.NAME }} syntax.
Custom Tokens for Safe Outputs
By default, safe-output write operations use the built-in GITHUB_TOKEN. To use a different identity for writes (e.g., a bot account, a GitHub App), configure github-token: or github-app: in your safe-outputs.
🔑 Fine-Grained PAT
Use a PAT for full control. Supports all safe-output types including assign-to-agent.
safe-outputs:
github-token:
secret: MY_BOT_PAT
create-pull-request:
draft: true
assign-to-agent:
allowed: [copilot]🤖 GitHub App
Use a GitHub App for scoped, short-lived tokens. Better for orgs — no personal account needed.
safe-outputs:
github-app:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_KEY }}
create-pull-request:
draft: true
add-comment: {}PAT Required Scopes
| Scope | Required For |
|---|---|
contents: write | Creating PRs, pushing code |
issues: write | Creating/updating issues, adding labels |
pull-requests: write | PR reviews, comments |
actions: write | Dispatching workflows |
⚠️ GitHub App limitation: The assign-to-agent safe output requires a fine-grained PAT — GitHub App installation tokens are not supported by the Copilot assignment API. If you use github-app: for other safe outputs, set the GH_AW_AGENT_TOKEN repository secret (a PAT) as a fallback for agent assignment.
Token Summary
| Scenario | Token Type | Where to Configure |
|---|---|---|
| Running any agentic workflow | Fine-grained PAT | COPILOT_GITHUB_TOKEN repo secret |
| Third-party engine (Claude, Codex, Gemini) | API key | Engine-specific repo secret |
| MCP server authentication | Secret | Repo secret, referenced via ${{ secrets.NAME }} |
| Safe-output writes (custom identity) | PAT or GitHub App | github-token: or github-app: in frontmatter |
| Assign-to-agent | Fine-grained PAT only | GH_AW_AGENT_TOKEN repo secret |
Complete Frontmatter Schema
35+ fields| Field | Type | Required | Default | Description |
|---|---|---|---|---|
name | string | No | Filename | Display name in GitHub Actions UI |
description | string | No | — | Human-readable workflow description |
on | string / object | Yes | — | Trigger events and access controls |
permissions | string / object | No | read-all | GitHub token permission scopes |
engine | string / object | No | copilot | AI engine and model selection |
tools | object | No | — | Available tools for the agent |
mcp-servers | object | No | — | Custom Model Context Protocol servers |
mcp-scripts | object | No | — | Inline MCP tools via JS/shell scripts |
safe-outputs | object | No | — | Permitted write operations |
network | string / object | No | defaults | Network access control (AWF) |
sandbox | string / object | No | awf | Sandbox configuration (AWF + MCP gateway) |
strict | boolean | No | true | Enhanced security validation |
imports | string[] / object[] | No | — | Import shared config from other .md files |
source | string | No | — | Origin tracking (owner/repo/path@ref) |
secrets | object | No | — | Secret values for workflow execution |
environment | string / object | No | — | Deployment protection rules |
container | string / object | No | — | Container image for job steps |
services | object | No | — | Service containers (databases, caches) |
steps | array | No | — | Custom steps before agentic execution |
post-steps | array | No | — | Custom steps after agentic execution |
jobs | object | No | — | Custom jobs alongside agentic execution |
env | object | No | — | Workflow-level environment variables |
cache | object / array | No | — | GitHub Actions cache configuration |
concurrency | string / object | No | — | Workflow concurrency control |
runs-on | string / array | No | ubuntu-latest | Runner label for main job |
timeout-minutes | integer | No | 20 | Maximum execution time |
if | string | No | — | Conditional execution expression |
run-name | string | No | Workflow name | Custom run display name |
private | boolean | No | false | Prevent external installation |
labels | string[] | No | — | Workflow categorization tags |
metadata | object | No | — | Custom key-value pairs |
resources | string[] | No | — | Companion files for gh aw add |
runtimes | object | No | — | Override default runtime versions |
features | object | No | — | Experimental feature flags |
Trigger Events (on:)
30+ triggersThe on: field uses standard GitHub Actions trigger syntax, extended with gh-aw-specific controls.
Standard Triggers
| Trigger | Key | Common Types | Use Case |
|---|---|---|---|
| Issues | issues | opened, edited, labeled | React to issue lifecycle |
| Pull Request | pull_request | opened, synchronize | React to PR events |
| Issue Comment | issue_comment | created | ChatOps, respond to comments |
| Push | push | — | React to code pushes |
| Schedule | schedule | — | Recurring automation |
| Workflow Dispatch | workflow_dispatch | — | Manual trigger with inputs |
| Workflow Run | workflow_run | — | Chain after another workflow |
| Discussion | discussion | created, edited | React to discussions |
| Release | release | published | Auto-generate changelogs |
🕐 Fuzzy Schedule Syntax
Human-friendly schedules. The compiler assigns deterministic scattered times based on file path.
on:
schedule: daily # Scattered daily
schedule: daily around 14:00 # ±1 hour of 14:00
schedule: daily between 9:00 and 17:00 # Business hours
schedule: weekly on friday around 5pm # Weekly on Fridays
schedule: hourly # Every hour
schedule: every 10 minutes # Minimum 5 minutes⚡ Slash & Label Commands
# Slash command — users type /review in comments
on:
slash_command: "review"
# Label command — fires when label is added
on:
label_command: "deploy"🔧 gh-aw Trigger Extensions
| Field | Type | Description |
|---|---|---|
reaction | string | Emoji reaction on trigger (eyes, rocket, none) |
status-comment | boolean | Post started/completed comments |
stop-after | string | Auto-disable deadline (+90d, 2024-12-31) |
manual-approval | string | Environment name for human approval gate |
roles | string[] | Required repo roles (admin, maintainer, write) |
skip-bots | string[] | Skip for listed bot actors |
lock-for-agent | boolean | Lock issue during execution |
skip-if-match | string / object | Skip if GitHub search query matches |
skip-if-check-failing | boolean / object | Skip if CI checks are failing |
Permissions
⚠️ Read-only by default. In strict mode (enabled by default), write permissions are refused — you must use safe-outputs for all write operations.
# Shorthand
permissions: read-all
# Granular
permissions:
contents: read
issues: read
pull-requests: read
models: read # Required for Copilot AI model access| Scope | Values | Notes |
|---|---|---|
contents | read / write / none | Repository file access |
issues | read / write / none | Issue API access |
pull-requests | read / write / none | PR API access |
actions | read / write / none | Workflow and run access |
checks | read / write / none | Check runs and suites |
discussions | read / write / none | Discussion API |
models | read / none | GitHub Copilot AI model access |
security-events | read / write / none | Code scanning, Dependabot |
packages | read / write / none | Package registry |
statuses | read / write / none | Commit status API |
id-token | write / none | OIDC JWT tokens |
Engine Configuration
4 engines🤖 Copilot default
GitHub’s own coding agent. Uses Copilot premium requests.
engine: copilot🧠 Claude
Anthropic’s coding agent. Requires ANTHROPIC_API_KEY.
engine: claude💻 Codex
OpenAI’s coding agent. Requires OPENAI_API_KEY.
engine: codex✨ Gemini
Google’s coding agent. Requires GEMINI_API_KEY.
engine: geminiExtended Engine Configuration
engine:
id: copilot
version: "0.0.422" # Pin specific CLI version
model: gpt-5 # Override default model
agent: technical-doc-writer # Custom agent (.github/agents/<name>.agent.md)
max-continuations: 3 # Autopilot mode (Copilot only)
max-turns: 50 # Max chat iterations (Claude only)
env:
DEBUG_MODE: "true"Tools Configuration
12 built-in tools| Tool | Key | Description |
|---|---|---|
| GitHub | github: | GitHub API operations via MCP server |
| Bash | bash: | Shell command execution (sandboxed) |
| Edit | edit: | File editing in workspace |
| Web Fetch | web-fetch: | Fetch web content |
| Web Search | web-search: | Search the web |
| Playwright | playwright: | Browser automation and testing |
| Cache Memory | cache-memory: | Persistent memory across runs |
| Repo Memory | repo-memory: | Git-based context storage |
| Agentic Workflows | agentic-workflows: | Workflow introspection |
| Serena | serena: | AI-powered code intelligence (LSP) |
| QMD | qmd: | Documentation vector search |
GitHub Tool — Toolsets
tools:
github:
toolsets: [repos, issues, pull_requests, labels, code_search]
read-only: true
lockdown: trueBash — Command Allowlisting
tools:
bash: # Default safe commands only
bash: true # All commands
bash: ["echo", "git:*", "npm"] # Specific commandsComplete Example
tools:
edit:
bash: ["gh", "git:*", "npm", "node"]
github:
toolsets: [issues, pull_requests, labels]
web-fetch:
web-search:
cache-memory:
key: "project-context"
playwright:
serena: ["typescript", "python"]
timeout: 120Safe Outputs
30+ typesSafe outputs are the security boundary between read-only AI execution and write operations. The agent produces structured output; separate permission-controlled jobs execute the writes.
Issues & Discussions
| Type | Key | Max | Description |
|---|---|---|---|
| Create Issue | create-issue | 1 | Create GitHub issues with labels, assignees |
| Update Issue | update-issue | 1 | Update issue status, title, body |
| Close Issue | close-issue | 1 | Close issues with comment |
| Create Discussion | create-discussion | 1 | Create GitHub discussions |
Pull Requests
| Type | Key | Max | Description |
|---|---|---|---|
| Create PR | create-pull-request | 1 | Create PRs with code changes |
| Push to PR | push-to-pull-request-branch | 1 | Push changes to existing PR branch |
| Review Comments | create-pull-request-review-comment | 10 | Line-specific review comments |
| Submit Review | submit-pull-request-review | 1 | APPROVE / REQUEST_CHANGES / COMMENT |
Labels, Assignments & Comments
| Type | Key | Max | Description |
|---|---|---|---|
| Add Comment | add-comment | 1 | Post comments on issues/PRs/discussions |
| Add Labels | add-labels | 3 | Add labels (with allowlist) |
| Remove Labels | remove-labels | 3 | Remove labels |
| Add Reviewer | add-reviewer | 3 | Add reviewers to PRs |
| Assign to Agent | assign-to-agent | 1 | Assign Copilot to issues/PRs |
Workflows & Security
| Type | Key | Max | Description |
|---|---|---|---|
| Dispatch Workflow | dispatch-workflow | 1 | Trigger other agentic workflows |
| Call Workflow | call-workflow | 1 | Call reusable workflows (fan-out) |
| Code Scanning | create-code-scanning-alert | ∞ | Generate SARIF security advisories |
| Upload Asset | upload-asset | 10 | Publish files to orphaned git branch |
Examples
safe-outputs:
create-issue:
title-prefix: "[ai] "
labels: [automation, agentic]
assignees: [copilot]
max: 5
expires: 7
create-pull-request:
title-prefix: "[ai] "
draft: true
reviewers: [copilot]
auto-merge: true
protected-files: "blocked"
add-labels:
allowed: [bug, enhancement, docs]
max: 5
add-comment:
max: 3
hide-older-comments: trueCustom MCP Servers
Three connection modes for external tools:
📡 Process (stdio)
mcp-servers:
slack:
command: "npx"
args: ["-y", "@slack/mcp-server"]
env:
SLACK_BOT_TOKEN: "${{ secrets.SLACK_TOKEN }}"🐳 Container (Docker)
mcp-servers:
custom-db:
container: "ghcr.io/org/db-mcp:latest"
env:
DATABASE_URL: "${{ secrets.DB_URL }}"🌐 HTTP Endpoint
mcp-servers:
remote-api:
url: "https://api.example.com/mcp"
headers:
Authorization: "Bearer ${{ secrets.TOKEN }}"Network Configuration
Controlled by the Agent Workflow Firewall (AWF). Only whitelisted domains are accessible.
network: defaults # Basic infrastructure only
network:
allowed:
- defaults # Basic infra
- python # PyPI ecosystem
- node # NPM ecosystem
- github # GitHub domains
- "api.example.com" # Custom domain
blocked:
- "cdn.tracker.com" # Block specific (takes precedence)Ecosystem Identifiers
| ID | Covers |
|---|---|
defaults | Certificates, JSON schema, Ubuntu mirrors |
github | GitHub and adjacent domains |
python | PyPI, pip |
node | npm, yarn, pnpm |
go | proxy.golang.org |
rust | crates.io |
java | Maven Central, Gradle |
dotnet | NuGet |
containers | Docker Hub, GHCR, Quay |
terraform | HashiCorp domains |
playwright | Browser downloads |
linux-distros | Debian, Alpine repos |
Advanced Configuration
Imports — Shared Configuration
imports:
- "./shared/base-config.md" # Local file
- "githubnext/agentics/shared/security.md@main" # RemoteConcurrency
concurrency:
group: "gh-aw-${{ github.workflow }}"
cancel-in-progress: trueCustom Steps
steps: # Run BEFORE agent
- uses: actions/setup-node@v4
with:
node-version: "20"
post-steps: # Run AFTER agent
- run: echo "Agent completed"Complete Workflow Example
---
name: "CI Failure Investigator"
description: "Investigates CI failures and proposes fixes"
on:
workflow_run:
workflows: ["CI"]
types: [completed]
roles: [admin, maintainer]
stop-after: "+90d"
permissions:
contents: read
actions: read
issues: read
engine:
id: copilot
max-continuations: 3
tools:
edit:
bash: ["gh", "git:*", "npm"]
github:
toolsets: [repos, issues, pull_requests]
safe-outputs:
create-pull-request:
title-prefix: "[ci-fix] "
labels: [ci-fix, automation]
draft: true
add-comment:
max: 2
network:
allowed:
- defaults
- node
- github
timeout-minutes: 15
---
# CI Failure Investigator
When a CI workflow fails, investigate the failure:
1. Read the failed workflow logs
2. Identify the root cause
3. Search the codebase for the relevant code
4. Propose a fix as a pull request
5. Comment on the triggering issue with your analysis