You already have GitHub Actions running CI/CD for your repos. In this lesson, you'll add something new alongside it: an agentic workflow — an AI agent that runs automatically on a schedule, analyzes your repository, and produces a daily status report.
Your existing .yml workflows stay untouched. You're adding a new kind of workflow file (written in Markdown) that compiles into its own Actions YAML. Two systems, one Actions tab, zero interference.
Before you start, confirm these are in place:
- GitHub CLI (gh) v2.0.0+ — check with gh --version. Install here if needed.
- gh auth status. If scopes are missing, run gh auth login --scopes repo,workflow.
If you have a GitHub Copilot subscription, start there. It requires no extra account setup — you'll just need to create a fine-grained PAT with the Copilot Requests permission.
gh extension install github/gh-aw
This adds the gh aw subcommand to your CLI. If you encounter authentication issues, you can also install via:
curl -sL https://raw.githubusercontent.com/github/gh-aw/main/install-gh-aw.sh | bash
Navigate to your repository root and run:
gh aw add-wizard githubnext/agentics/daily-repo-status
The reference format is <owner>/<repo>/<workflow-name>. This pulls the "Daily Repo Status" workflow from GitHub Next's public examples repository.
The wizard walks you through five steps:
COPILOT_GITHUB_TOKEN, ANTHROPIC_API_KEY, OPENAI_API_KEY, or GEMINI_API_KEY. The wizard tells you exactly what to create and where.
.github/workflows/ — the source markdown and its compiled lock file.
1. Create a fine-grained PAT under your account.
2. Under Permissions → Account permissions, set Copilot Requests to Read.
3. Add as a repo secret: gh secret set COPILOT_GITHUB_TOKEN < /path/to/token.txt
After the wizard completes, you have two new files:
.md file. This is what GitHub Actions actually executes. Never edit this by hand — it gets regenerated.
This is the key mental model: you author in Markdown, the toolchain compiles to YAML. The .lock.yml includes all the Actions plumbing — checkout steps, engine setup, safe output jobs, secret redaction, threat detection — so you don't have to write any of it.
They coexist in .github/workflows/. Different triggers, different jobs, no interaction.
If you didn't trigger during the wizard, do it now:
gh aw run daily-repo-status
The workflow takes 2–3 minutes. While it runs, the agent reads your repository's recent activity — issues, PRs, discussions, releases, code changes — and generates a structured status report.
Two ways to watch:
gh aw status shows workflow state. gh run watch streams the latest run's logs.
When the run succeeds, a new issue titled "Daily Repo Report" appears in your Issues tab. It includes recent activity analysis, progress tracking, project status, and recommended next steps.
The workflow is yours now. To customize:
.github/workflows/daily-repo-status.md
--- markers), regenerate the lock file:
gh aw compile
gh aw run daily-repo-status
Recompile only when you change the frontmatter (triggers, engine, permissions, network config). If you only edit the prose body (the agent's instructions), just commit and push — no recompilation needed.
You might notice: the agent job runs with read-only permissions. It can read your code, issues, and PRs, but it cannot directly write to your repository. When it wants to create an issue (like the daily report), the output is buffered as an artifact, run through a threat detection pipeline, and only then handed to a separate job with scoped write permissions.
This is the SafeOutputs architecture — even a fully compromised agent cannot directly modify your repository. Write operations are deferred, validated, and executed by separate jobs with minimal permissions. It's defense-in-depth by design.
This connects directly to Lesson 1's Layer 1 (Hooks): the permission isolation is an enforced guardrail the agent cannot bypass.
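One way to check the read-only claim yourself is to list which jobs in a compiled workflow hold write scopes. This is an added example, not code from gh-aw or the original lesson: the sample workflow text, its job names (agent, create_issue) and the helper names are constructed for illustration, and the parser assumes block-style YAML with 2-space indentation.

```python
# Added audit sketch. SAMPLE_LOCK is constructed, not real gh-aw output;
# job names are hypothetical. Assumes block-style YAML with 2-space indents.
SAMPLE_LOCK = """\
permissions: {}
jobs:
  agent:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: read
      pull-requests: read
    steps:
      - run: echo "agent reads the repository here"
  create_issue:
    needs: agent
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - run: echo "validated output is written here"
"""

def job_permissions(workflow_text):
    """Return {job: {scope: level}} for every job under `jobs:`."""
    jobs, job, in_jobs, in_perms = {}, None, False, False
    for line in workflow_text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = body.partition(":")
        if indent == 0:                      # top-level key: entering or leaving jobs
            in_jobs, job, in_perms = key == "jobs", None, False
        elif in_jobs and indent == 2:        # a job id
            job, in_perms = key, False
            jobs[job] = {}
        elif job and indent == 4:            # a job-level key
            in_perms = key == "permissions" and not value.strip()
            if key == "permissions" and value.strip():
                jobs[job]["*"] = value.strip()   # inline form such as write-all
        elif in_perms and indent == 6:       # one scope inside the permissions map
            jobs[job][key] = value.strip()
    return jobs

def write_scopes(workflow_text):
    """Map each job to the scopes it holds with write access."""
    return {name: sorted(s for s, lvl in perms.items() if lvl in ("write", "write-all"))
            for name, perms in job_permissions(workflow_text).items()}
```

Call write_scopes() on the text of the compiled .lock.yml in .github/workflows/ and confirm the job that runs the agent maps to an empty list. A job with no permissions key inherits the workflow-level setting, which this sketch does not resolve.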
| Command | What it does |
|---|---|
| gh extension install github/gh-aw | Install the extension |
| gh aw add-wizard <ref> | Add a workflow interactively |
| gh aw run <name> | Trigger a workflow run manually |
| gh aw status | Check workflow state |
| gh aw compile | Regenerate .lock.yml from .md frontmatter |
| gh aw logs | Download and analyze run logs |
.lock.yml that Actions executes.
.md) with YAML frontmatter for configuration. The .lock.yml (Actions YAML) is auto-generated — you never write it by hand.
gh aw compile do?
compile takes your .md source file and regenerates the compiled Actions YAML (.lock.yml). You run it after changing frontmatter configuration. Body-only edits don't need recompilation.
compile command regenerates the .lock.yml (the Actions YAML) from your workflow's Markdown frontmatter. It's a build step, not a run step. You only need it when frontmatter changes.
You now have a working agentic workflow running in your repository. In the next lesson, we'll look at the security model — how safe outputs, sandboxing, and threat detection let you trust agents with increasing autonomy.
gh-aw Quick Start — the official guide this lesson is based on. Includes a video walkthrough and troubleshooting links.