GitHub has released GitHub Agentic Workflows in public preview, adding support for coding agents inside GitHub Actions.
The public preview follows a technical preview GitHub announced in February. At the time, the company described Agentic Workflows as a way to automate repository tasks using AI agents that run within GitHub Actions.
The earlier preview covered issue triage, pull request reviews, CI failure analysis, and repository maintenance.
GitHub said the feature supports reasoning-based engineering tasks, including issue triage, CI failure analysis, and documentation updates. Teams can define automations in natural language Markdown files, which GitHub then compiles into standard GitHub Actions YAML.
Built into GitHub Actions
The workflows run as Actions, so they follow the same runner groups and policy constraints an organisation has already configured for its other GitHub Actions workflows.
GitHub said Agentic Workflows can now use GitHub Actions’ built-in GITHUB_TOKEN. That removes the need for teams using the feature to create and manage a separate personal access token.
The announcement came alongside other GitHub Actions updates. GitHub added new hosted runner images in public preview, including Ubuntu 26.04 for x64 and arm64, and Windows 11 arm64 with Visual Studio 2026.
The runner images add newer operating system and architecture options for GitHub Actions workflows.
GitHub also updated how bot-created pull requests interact with CI/CD workflows. Pull requests created by github-actions[bot] can now run workflows after approval from a user with write access.
GitHub said the approval step is intended to stop generated code from automatically running workflows with access to sensitive information.
GitHub cited Carvana and Marks & Spencer among early users of the feature. Carvana said it is using Agentic Workflows for engineering work that includes changes across multiple repositories.
Marks & Spencer said it has built reusable workflows across security, quality, and delivery. The company said those workflows cover tasks such as issue triage, vulnerability remediation, dependency maintenance, and routine change reviews.
The workflows can be adopted across repositories and used to automate routine engineering tasks, according to the company.
Security controls around automated changes
GitHub lists several security controls for Agentic Workflows. Agents access GitHub content according to integrity filter rules and run with read-only permissions by default.
The agents also execute inside a sandboxed container behind the Agent Workflow Firewall. Outputs are checked through a safe outputs process.
A separate threat detection job scans proposed changes before they are applied.
GitHub Actions and developer automation have also appeared in recent software supply-chain attack reports. TechRadar, citing Cloudsmith and OpenSourceMalware, reported that Microsoft disabled 73 GitHub repositories after a campaign involving stolen GitHub Actions secrets.
According to those reports, attackers used the secrets to compromise repositories and inject malicious packages.
Cloudsmith linked the incident to the Miasma worm and said the campaign targeted developer environments, CI/CD runners, and cloud identities.
The reports were not connected to GitHub Agentic Workflows. However, the campaign involved workflow secrets and CI/CD environments, areas also addressed by GitHub’s controls around permissions, sandboxing, token handling, and approval gates.
Hud.io CTO May Walter said the challenge was not getting an agent to open a pull request, but trusting the output enough to merge it. Walter said GitHub Agentic Workflows can automate checks across the software development lifecycle.
Those checks include steps intended to prevent performance issues or production failures.
CI/CD risks around agentic workflows
A recent arXiv paper examined risks associated with agent-driven CI/CD workflows. One May 2026 paper described “agentic workflow injection” as a risk in which untrusted repository content is passed into agent prompts or downstream workflow logic.
That content can include issue text, pull request descriptions, or comments.
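To show where such content enters a workflow, the following added example (not code from GitHub, the paper, or the article) scans a GitHub Actions workflow file for `${{ }}` expressions that reference issue, pull request, or comment text, and reports where each one lands. The sample workflow and the function name `find_untrusted_inputs` are constructed for illustration; the event field names are standard GitHub Actions context fields.

```python
import re

# Event fields whose text is written by whoever files the issue, PR or comment.
UNTRUSTED = ("github.event.issue.title", "github.event.issue.body",
             "github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.comment.body")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")                  # ${{ ... }} expressions
KEY = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][\w-]*):")   # YAML mapping key
# Constructed sample workflow, not taken from GitHub or the article.
SAMPLE = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Inline interpolation
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - name: Passed as data
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          printf '%s\\n' "$ISSUE_BODY" > issue.txt
"""

def find_untrusted_inputs(workflow_text):
    """Return (line_no, field, sink); sink is 'run' or the YAML key assigned."""
    findings, run_indent = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and indent <= run_indent:
            run_indent = None                  # left the run: block
        m = KEY.match(line) if run_indent is None else None
        if m and m.group(1) == "run":
            run_indent = m.start(1)            # column of the run: key
        sink = "run" if run_indent is not None else (m.group(1) if m else "?")
        for expr in EXPR.findall(line):
            findings += [(no, f, sink) for f in UNTRUSTED if f in expr]
    return findings

if __name__ == "__main__":
    print(*find_untrusted_inputs(SAMPLE), sep="\n")
```

A finding with sink `run` means the text is expanded into the shell script itself; a finding under another key means the text is passed as data, which avoids shell expansion but still reaches any agent prompt or later step that reads it.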
The public preview runs agent-based automation inside GitHub Actions. The feature extends the Actions framework to tasks that require code changes, review steps, and repository-level controls.
Those control areas include permissions, secrets, runner environments, review gates, and audit logs.
(Photo by Praveen Thirumurugan)