# gh-aw | GitHub | Knowledge Base | Instagit

GitHub Agentic Workflows

GitHub Stars: 2.7k

Repository: https://github.com/github/gh-aw

---

## Articles

### [How to Audit Workflow Runs for Security Compliance and Tool Usage with gh-aw](/github/gh-aw/how-to-audit-workflow-runs-for-security-compliance)

Audit GitHub Actions workflow runs for security compliance and tool usage with gh aw audit. Inspect logs artifacts and permissions to identify risks and ensure MCP tool adherence.

- Tags: how-to-guide
- Published: 2026-02-19

### [How Token Counting Estimates AI Usage and Costs in gh-aw](/github/gh-aw/how-does-token-counting-estimate-ai-usage-and-costs)

Discover how gh-aw uses token counting to estimate AI usage and costs. Learn about the 4-characters-per-token heuristic and precise JSON metadata parsing for accurate financial tracking.

- Tags: deep-dive
- Published: 2026-02-16

### [How the Detection Job Determines When to Activate Workflow Runs in gh-aw](/github/gh-aw/how-does-the-detection-job-determine-workflow-activation)

Discover how the detection job activates workflow runs in github gh-aw based on safe output types or code patches. Learn the logic behind timely workflow activation to streamline your security processes.

- Tags: internals
- Published: 2026-02-16

### [How to Migrate Legacy Workflow Configurations to the Current Schema Format in gh-aw](/github/gh-aw/how-to-migrate-legacy-workflow-configurations)

Learn to migrate legacy workflow configurations to the current schema format in github/gh-aw. Replace front-matter maps with strongly-typed FrontmatterConfig for efficient transitions.

- Tags: migration-guide
- Published: 2026-02-16

### [How to Pass Environment Variables and Configure Secrets in gh-aw Workflows](/github/gh-aw/how-to-pass-environment-variables-and-configure-secrets-in-workflows)

Learn to pass environment variables and configure secrets in GitHub Actions workflows with gh-aw. Securely manage secrets using the ${{ secrets.NAME }} syntax.

- Tags: how-to-guide
- Published: 2026-02-16

### [Security Best Practices for Agentic Workflow Execution: A Defense-in-Depth Guide](/github/gh-aw/security-best-practices-for-agentic-workflow-execution)

Secure agentic workflow execution with least-privilege isolation using strict mode safe outputs and network allowlists for GitHub Actions.

- Tags: best-practices
- Published: 2026-02-16

### [How the MCP Gateway Routes Model Context Protocol Server Calls in GitHub Actions Workflows](/github/gh-aw/how-does-the-mcp-gateway-route-server-calls)

Discover how the MCP Gateway routes Model Context Protocol server calls in GitHub Actions. Learn about its unified HTTP interface and dynamic request routing based on JSON configuration.

- Tags: internals
- Published: 2026-02-16

### [How to Use Slash Commands to Trigger Workflows from Issue Comments in GitHub Agentic Workflows](/github/gh-aw/how-to-use-slash-commands-to-trigger-workflows)

Learn to trigger GitHub Actions workflows from issue comments using slash commands. Define triggers in front matter to automate tasks effortlessly.

- Tags: how-to-guide
- Published: 2026-02-16

### [How to Configure Cross-Repository Safe Output Handlers Securely in gh-aw](/github/gh-aw/how-to-configure-cross-repository-safe-output-handlers-securely)

Securely configure cross-repository safe output handlers using target-repo and allowed-repos lists. Enforce runtime validation to block unauthorized requests with error E004.

- Tags: how-to-guide
- Published: 2026-02-16

### [How to Set Up Playwright Browser Automation with Domain Allow‑Listing in gh‑aw](/github/gh-aw/how-to-set-up-playwright-automation-with-domain-allow-listing)

Set up Playwright browser automation with domain allow-listing in gh-aw by declaring an allowed_domains array in your workflow. Ensure secure outbound traffic with MCP server enforcement.

- Tags: how-to-guide
- Published: 2026-02-16

### [Workflow Concurrency Control in gh-aw: How It Prevents Duplicate Runs](/github/gh-aw/how-does-workflow-concurrency-control-prevent-duplicate-runs)

Learn how gh-aw prevents duplicate workflow runs using unique concurrency group keys and GitHub Actions concurrency stanza. Ensure only one instance runs at a time.

- Tags: internals
- Published: 2026-02-16

### [How to Configure Runtime Versions for Node, Python, Go, Ruby, and Java in gh-aw](/github/gh-aw/how-to-configure-runtime-versions-for-gh-aw-workflows)

Learn to configure Node, Python, Go, Ruby, and Java runtime versions in gh-aw workflows. Add a runtimes block to your YAML frontmatter for easy version management.

- Tags: how-to-guide
- Published: 2026-02-16

### [How to Debug Workflow Execution Using the Logs Command and Parsing in gh-aw](/github/gh-aw/how-to-debug-workflow-execution-using-gh-aw-logs)

Debug GitHub Actions workflow execution with the gh aw logs command. Easily parse logs and generate markdown reports for faster troubleshooting.

- Tags: how-to-guide
- Published: 2026-02-16

### [GitHub gh-aw Pre-Activation Checks: Team Membership, Rate Limiting, and Skip Conditions Explained](/github/gh-aw/what-pre-activation-checks-are-available-for-workflows)

Understand GitHub gh-aws pre-activation checks for team membership, rate limiting, and skip conditions. Optimize your workflows with boolean expressions.

- Tags: deep-dive
- Published: 2026-02-16

### [How to Implement Manual Approval Gates for Critical Workflow Operations with gh-aw](/github/gh-aw/how-to-implement-manual-approval-gates-for-workflow-operations)

Implement manual approval gates for critical workflow operations with gh-aw. Automatically configure GitHub environment protection rules to pause execution until human approval.

- Tags: how-to-guide
- Published: 2026-02-16

### [How cache-memory Persists Data Across Workflow Runs Using Artifacts in gh-aw](/github/gh-aw/how-does-cache-memory-persist-data-across-workflow-runs-using-artifacts)

Learn how cache-memory in gh-aw persists data across workflow runs by leveraging GitHub Actions cache and artifacts. Discover how to maintain state and improve efficiency.

- Tags: internals
- Published: 2026-02-16

### [How to Configure GitHub MCP Tools for Issues, Pull Requests, and Repositories](/github/gh-aw/how-to-use-github-mcp-tools-with-toolset-configuration)

Configure GitHub MCP tools for issues, PRs, and repos easily. Learn how to declare toolsets in your workflow for efficient GitHub automation and management.

- Tags: how-to-guide
- Published: 2026-02-16

### [How the Agent Workflow Firewall (AWF) Integration Provides Egress Control in GitHub Actions](/github/gh-aw/how-does-the-agent-workflow-firewall-integration-provide-egress-control)

Learn how the Agent Workflow Firewall AWF integration provides egress control in GitHub Actions by sandboxing AI engine commands and enforcing network restrictions on domains.

- Tags: internals
- Published: 2026-02-16

### [How to Configure MCP Servers in Workflow Frontmatter with Version Pinning](/github/gh-aw/how-to-configure-mcp-servers-in-workflow-frontmatter-with-version-pinning)

Configure MCP server versions in GitHub Agentic Workflows using frontmatter for reproducible builds. Learn version pinning for stdio, container, and http servers.

- Tags: how-to-guide
- Published: 2026-02-16

### [How to Configure AI Engines (Copilot, Claude, Codex, Custom) in GitHub Agentic Workflows](/github/gh-aw/how-to-configure-different-ai-engines-in-workflows)

Learn to configure AI engines like Copilot, Claude, and Codex in GitHub Agentic Workflows. Set the engine field in your YAML for seamless integration and enhanced automation.

- Tags: how-to-guide
- Published: 2026-02-16

### [Sandbox Security Architecture in GitHub gh-aw: How Agent Execution Isolation Works](/github/gh-aw/what-is-the-sandbox-security-architecture-and-how-does-it-isolate-agent-execution)

Explore the gh-aw sandbox security architecture and learn how it isolates agent execution with OS-level containers, chroot, network controls, and MCP gateway auditing.

- Tags: architecture
- Published: 2026-02-16

### [How Safe-Outputs Enable Write Operations in Read-Only Workflows in gh-aw](/github/gh-aw/how-do-safe-outputs-work-for-enabling-write-operations-in-read-only-workflows)

Discover how gh-aw safe-outputs enable write operations in read-only workflows. Learn about this declarative permission system for temporary, bounded write capabilities. Maintain security.

- Tags: internals
- Published: 2026-02-16

### [How gh-aw Compiles Markdown Workflows to GitHub Actions YAML Internally](/github/gh-aw/how-does-gh-aw-compile-markdown-workflows-to-github-actions-yaml-internally)

Discover how gh-aw compiles markdown workflows to GitHub Actions YAML using a four-phase pipeline: parse, validate, generate, and finalize. Explore the internal implementation details.

- Tags: internals
- Published: 2026-02-16

### [How gh-aw Ensures Security for AI Agent Execution: A Defense-in-Depth Analysis](/github/gh-aw/how-does-gh-aw-ensure-security-for-ai-agent-execution)

Discover how gh-aw provides robust security for AI agent execution with its defense-in-depth approach including strict mode, sandboxing, and network controls.

- Tags: deep-dive
- Published: 2026-02-16

### [How gh-aw Compiles Markdown Workflows into GitHub Actions YAML: The 4-Phase Pipeline Explained](/github/gh-aw/how-does-gh-aw-compile-markdown-workflows-into-github-actions-yaml)

Discover how gh-aw compiles markdown workflows into GitHub Actions YAML using its four-phase pipeline. Learn about the parse, validate, generate, and final validation steps.

- Tags: deep-dive
- Published: 2026-02-16

### [How to Configure Network Isolation for gh-aw Workflows: A Complete Guide](/github/gh-aw/how-to-configure-network-isolation-for-gh-aw-workflows)

Secure your gh-aw workflows with network isolation. Learn to configure allowed and blocked domains, plus firewall settings, in this complete guide.

- Tags: how-to-guide
- Published: 2026-02-16

### [How to Set Up gh-aw in a New Repository: A Complete Guide](/github/gh-aw/how-to-set-up-gh-aw-in-a-new-repository)

Easily set up gh-aw in a new repository with our guide. Install the CLI and initialize configuration files with simple commands for a smooth workflow.

- Tags: getting-started
- Published: 2026-02-16

