GitHub Agentic Workflows (gh-aw) — GitHub’s system for running event-triggered and scheduled AI agent jobs in your repos — shipped an update focused on the unglamorous but critical parts: permissions and observability.
## What’s new
Claude’s permission mode is now decoupled from bash wildcard access. You set `engine.permission-mode` explicitly in workflow frontmatter for fine-grained control over what an agent can do, rather than the all-or-nothing bash access that has been the default failure mode. On observability, OpenTelemetry cross-job trace hierarchy now propagates parent span IDs through the workflow context, giving end-to-end distributed traces across multi-job workflows in Tempo, Honeycomb, or Datadog.
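As an added illustration (not gh-aw’s own code), here is what the cross-job propagation described above looks like at the data level, modelled with the W3C `traceparent` format: the first job emits its span context, each downstream job parses it and opens a child span under the same trace ID. That gh-aw uses this exact encoding is an assumption, and the hand-off through the workflow context is modelled as a plain string passed between jobs.

```python
"""Model of parent-span propagation across workflow jobs (added example).

Assumes the upstream job exports its span as a W3C version-00 traceparent
string and the downstream job reads it from the workflow context. How
gh-aw actually encodes the context is not shown here.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from typing import Optional

# version-trace_id-parent_id-flags; lowercase hex only, per the W3C spec
TRACEPARENT_RE = re.compile(r"^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")


@dataclass(frozen=True)
class SpanContext:
    trace_id: str
    span_id: str
    parent_span_id: Optional[str]
    sampled: bool

    def to_traceparent(self) -> str:
        """Serialize this span for hand-off to the next job."""
        return f"00-{self.trace_id}-{self.span_id}-{'01' if self.sampled else '00'}"


def new_root_span(sampled: bool = True) -> SpanContext:
    """First job in the workflow: starts a fresh trace with no parent."""
    return SpanContext(secrets.token_hex(16), secrets.token_hex(8), None, sampled)


def parse_traceparent(header: str) -> SpanContext:
    """Validate an inbound traceparent; reject malformed or all-zero IDs."""
    m = TRACEPARENT_RE.match(header.strip())
    if not m:
        raise ValueError(f"malformed traceparent: {header!r}")
    trace_id, span_id, flags = m.groups()
    if set(trace_id) == {"0"} or set(span_id) == {"0"}:
        raise ValueError("trace-id and parent-id must not be all zeros")
    return SpanContext(trace_id, span_id, None, bool(int(flags, 16) & 0x01))


def child_span_from_context(header: str) -> SpanContext:
    """Downstream job: continue the trace, parented to the upstream span."""
    parent = parse_traceparent(header)
    return SpanContext(parent.trace_id, secrets.token_hex(8), parent.span_id, parent.sampled)


def run_workflow(jobs: int = 3) -> list[SpanContext]:
    """Simulate a linear multi-job workflow threading one trace through it."""
    spans = [new_root_span()]
    for _ in range(jobs - 1):
        spans.append(child_span_from_context(spans[-1].to_traceparent()))
    return spans
```

Every span in the returned list shares one trace ID and points at the previous job’s span as its parent, which is what lets a backend render the jobs as a single hierarchy rather than disconnected traces.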
## The supported engines
gh-aw runs GitHub Copilot, Claude, Gemini, and OpenAI Codex as the agent behind event-triggered and scheduled jobs — wire an agent to a PR open, an issue label, or a cron schedule, natively in GitHub Actions.
## Why it matters
Running agents in CI is moving from experiment to production, and production needs two things hobby setups skip: scoped permissions, so a misbehaving agent can’t run arbitrary commands, and traceability, so you can debug what an agent did across a multi-step workflow. This release hardens exactly those layers — the boring infrastructure that decides whether agentic CI is safe to actually ship.