So far the worker's been handed tasks. Now picture them running a job on their own: they read the work order, pull materials, do the work — and crucially, they don't just walk into the finished building and hand over the keys. They file a work order (a PR) so a supervisor signs off.
And the site doesn't let them roam free. There's a fence: a firewall limiting where they can reach, a setup crew that preps the trailer before they start (tools installed, power on), and a clock. Autonomy with fences — that's this lesson. An agent can act on its own and be bounded by CI plumbing, a firewall, and setup steps.
The idea, in plain English
Three official sub-skills:
- Invoke an agent in a CI workflow.
- Enable autonomous actions — including creating branches and PRs.
- Handle environment-specific constraints — firewall, setup steps, runners.
Agents run inside GitHub Actions (not locally — lesson 2.5), they act autonomously but produce a reviewable PR, and their environment is bounded by setup steps + a firewall.
Agentic workflows = invoking an agent in CI
A traditional workflow lists every step (deterministic — B0.1). A GitHub Agentic Workflow flips it: you write the goal in Markdown and the guardrails in frontmatter, and a coding agent in Actions decides the steps.
- Two parts: frontmatter (
on,permissions,tools,safe-outputs) + a Markdown body (the goal). The pair is compiled into a lock file that Actions runs. - Best for open-ended-but-bounded tasks: triage, reporting, docs maintenance, CI-failure analysis, code improvement.
- "Continuous AI" — it extends CI/CD, doesn't replace it.
- Triggers: automatic (repo events), manual (
workflow_dispatch), programmatic (API). - In CLI/CI, authenticate with
COPILOT_GITHUB_TOKEN(a PAT stored as an Actions secret).
Autonomous actions (act on its own → PR)
The agent's autonomy is bounded — it acts, but the result lands as a PR for review. The 7-step flow:
assign task → agent picks repo/branch → analyzes & plans → API creates branch + commits → PR opened → workflows validate → human reviews.
It creates branches and PRs autonomously (the named sub-skill) — but never silently merges to the base.
CLI autonomy controls (memorize):
| Flag | Effect |
|---|---|
--autopilot | keeps running follow-up steps automatically (vs pausing) |
--no-ask-user | disables ask_user so it never pauses — essential in CI (a hung prompt stalls the run) |
-p / --prompt | runs a single prompt non-interactively and exits — good for scripting |
--mode | interactive | plan | autopilot (can't combine with --autopilot/--plan) |
askUser defaults to true (may ask); set false for fully autonomous.
Environment-specific constraints (the fences)
The setup-steps file pre-configures the agent's environment before it starts:
- Path:
.github/workflows/copilot-setup-steps.yml. - Exactly one job, named
copilot-setup-steps(exact name — a known trap).timeout-minutesmax 59. - Customizations: preinstall deps, larger runners, self-hosted runners, Windows, the Git firewall. Default OS = Ubuntu.
- Without it, Copilot installs deps itself — slow, unreliable, and fails for private dependencies.
The agent firewall (a key constraint): it limits the agent's outbound network access. You MUST disable it for self-hosted runners (else the agent is blocked), and it doesn't work on Windows — use self-hosted or larger runners with Azure private networking (which needs specific outbound hosts allow-listed).
---
on:
schedule: daily # trigger: runs every day (automatic)
permissions:
contents: read # least-privilege: read code…
issues: write # …and write issues
safe-outputs:
create-issue:
label: report # the MOST it may produce
tools: ["read", "search"] # no edit/execute
---
Review yesterday's failed CI runs and open one summary issue labeled "report".on = when it runs · permissions/tools = how far it reaches · safe-outputs = what it may produce · setup-steps + firewall = the environment fence around all of it.
The cert-language version
A GitHub Agentic Workflow pairs a Markdown goal with frontmatter guardrails (
on,permissions,tools,safe-outputs), compiled to a lock file and run by a coding agent in GitHub Actions — "Continuous AI" that extends CI/CD. The agent acts autonomously (creates branches/commits/PRs) but lands a reviewable PR; in CI use--no-ask-userso it won't hang. Its environment is bounded bycopilot-setup-steps.yml(one job, that exact name) and the agent firewall (disabled for self-hosted; absent on Windows).Our summary · grounded in MS Learn — Agent tooling, MCP, and execution environments + GitHub Docs (Copilot CLI, coding-agent environment) + naim149 study gist · fetched 2026-05-30
Common confusions (read these or lose points)
- "Agentic workflows replace your CI/CD." No — Continuous AI extends it; your pipelines still run.
- "An autonomous agent merges its own work." No — it autonomously creates branches/commits/PRs, but review happens before merge.
- "Leave
ask_useron in CI." No — use--no-ask-user, or the agent hangs waiting for a human who isn't there. - "The setup-steps job can be named anything." No — exactly one job named
copilot-setup-steps, at.github/workflows/copilot-setup-steps.yml. - "The firewall always protects you." It doesn't work on Windows and must be disabled for self-hosted runners.
- "
copilot-setup-steps.ymlis the job that runs the agent." No — it prepares the environment beforehand; it isn't the agent-invoking CI job.
Ticks this lesson done on the home roadmap. Saved in this browser.