Putting It All Together

Lesson 10 · Safe Agentic Workflows · ~15 minutes

You've learned the concepts. Now let's design a complete agentic automation plan for your repositories — combining your existing Kiro harness with gh-aw workflows to create a system where agents handle the routine while you focus on the interesting problems.

Your Current System

You already have a strong foundation:

✅ Local Harness (Kiro)

/start-work → implement → /comply → /ship → /end-work. Independent reviewer subagent. 90% compliance gate.

✅ CI/CD (GitHub Actions)

Tests, linting, builds already running on push/PR. The infrastructure is there.

🔲 Automated Agents (gh-aw)

Not yet. This is where agents run without you invoking them.

🔲 Cross-Provider

Kiro-only harness. Could add Claude Code and Codex support alongside.

The Implementation Plan

Here's a phased rollout — each phase builds on the previous one and can be completed in a single session:

Phase 1 Blueprint: Your First gh-aw Workflow

Start here. This gets you a working agentic workflow in production in 15 minutes.

Phase 3 Blueprint: Automated /comply

This is the most valuable automation for your workflow — your independent reviewer, running automatically on every PR:

auto-comply.md — Automated PR Compliance Review
---
on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read
  pull-requests: read

safe-outputs:
  create-pull-request-review-comment:
    max: 10
  submit-pull-request-review:
    max: 1
    allowed-events: [COMMENT]
  add-labels:
    allowed: [compliance-pass, compliance-fail, needs-review]

max-ai-credits: 10
---

## Automated Compliance Review

You are an independent code reviewer. Review this PR against
the repository's design principles and any spec file present.

### What to check

1. **Spec compliance**: If `.kiro/spec.md` exists, grade each
   acceptance criterion as met/partial/unmet with evidence.
2. **Design principles**: DRY, simplicity, surgical changes,
   backwards compatibility.
3. **Test coverage**: Are new behaviors tested?
4. **Documentation**: Do public APIs have docs?

### Output format

Post review comments on specific lines where issues exist.
Submit a review summary with:
- Overall compliance score (percentage)
- Table of criteria → status → evidence
- Verdict: pass (≥90%) or fail

### Labels

- Add `compliance-pass` if score ≥90%
- Add `compliance-fail` if score <90%
- Add `needs-review` if you can't determine (missing spec)
Key insight

This is your /comply skill — but running automatically on every PR. The same independent-reviewer principle (no access to implementation reasoning, only sees the diff and spec), now triggered by GitHub events instead of a manual command.

Phase 4 Blueprint: Weekly Quality Monitor

weekly-quality.md — Code Quality Monitor
---
on:
  schedule: "0 9 * * 1"  # Every Monday at 9am

permissions:
  contents: read
  issues: read

safe-outputs:
  create-issue:
    title-prefix: "[quality] "
    labels: [automation, quality]
    close-older-issues: true
    expires: 7

max-ai-credits: 8
---

## Weekly Code Quality Report

Analyze the repository for quality issues and create
a prioritized report.

### What to analyze

- Dead code (unused exports, unreachable branches)
- Complexity hotspots (functions > 50 lines, deep nesting)
- Dependency freshness (outdated packages)
- Test coverage gaps (untested public functions)
- Documentation staleness (docs that reference old APIs)

### Report format

Create an issue with:
- Top 5 priority items (most impactful to fix)
- Quick wins (< 15 min each)
- Trends (better or worse than last week, if prior report exists)

Keep it actionable. Skip theoretical concerns.

Decision Framework: When to Automate

Not everything should be an automated workflow. Use this test:

Automate when... Keep manual when...
You do it the same way every time It requires judgment about what to do
Forgetting to do it causes problems The cost of a wrong action is high
It can be verified by checking output It needs real-time human context
An independent reviewer adds value Speed of human response matters more

Your Automation Readiness Checklist

Before adding any gh-aw workflow to a repo, verify:

What You've Learned

Across these 10 lessons, you now understand:

  1. The three-layer architecture — hooks, commands, skills — and how your Kiro harness already implements it
  2. gh-aw — how to install, add, and customize agentic workflows that run in GitHub Actions
  3. The security model — read-only agents, safe outputs, sandboxing, threat detection
  4. Triggers — event-driven, scheduled, manual, and command-based invocation
  5. Background automation — scheduled agents that work while you sleep
  6. Design patterns — IssueOps, ChatOps, MonitorOps, SpecOps, OrchestratorOps
  7. Cross-provider portability — same patterns across Claude Code, Gemini, Codex, Cursor
  8. Cost controls — AI credit budgets, staged mode, observability
  9. Multi-agent coordination — subagents, orchestration, role collapsing
  10. Implementation planning — phased rollout from your existing system
The principle

Start with one automated workflow on one real repo. Let it run for a week. See what it catches that you would have missed. Then add the next one. Compound automation beats big-bang adoption every time.

Recommended Reading

Peli's Agent Factory — A 19-part blog series walking through real-world agentic workflows. Each post is a different automation pattern with full source. Pick the one closest to your Phase 2 goal and adapt it.

Ready to build? Come back anytime and ask me to help you implement any of the phases above. I can write the workflow markdown, help debug runs, or design custom patterns for your specific repos. Just say which phase you want to tackle.
← Back