GitHub Agentic Workflows run on top of GitHub Actions and face unique security challenges because agents are non-deterministic and consume untrusted inputs. The security architecture is built around four principles: defense in depth (substrate, configuration, and planning layers), zero-secret agents (agents are isolated in containers with no direct access to API keys or tokens, which are handled by a proxy or gateway), staged and vetted writes (a safe outputs subsystem buffers and analyzes all write operations before they execute), and comprehensive logging at every trust boundary. The post details how container isolation, chroot jails, firewalled egress, MCP gateways, and API proxies work together to limit blast radius from compromised or prompt-injected agents.
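To make the "staged and vetted writes" principle concrete, here is an added illustration (not code from the GitHub post or the Agentic Workflows project): an agent never writes directly, it only appends requested operations to a buffer, and a separate vetting step enforces an operation allowlist, screens bodies for credential-like material, and logs every decision before anything is executed. The JSON format, policy values and regexes are assumptions constructed for this example.

```python
import json
import logging
import re

# Constructed policy: the only write operations this agent job may request.
ALLOWED_OPS = {"create_issue", "add_comment"}
MAX_BODY_LEN = 4000
# Constructed, deliberately rough patterns for credential-like material that
# must never be echoed into an issue or comment by a prompt-injected agent.
SECRET_PATTERNS = [
    re.compile(r"gh[pousr]_[A-Za-z0-9]{20,}"),          # GitHub-style token shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key header
]

log = logging.getLogger("safe_outputs")


def vet_write(op: dict) -> tuple[bool, str]:
    """Return (approved, reason) for one staged write request."""
    kind = op.get("type")
    if kind not in ALLOWED_OPS:
        return False, f"operation {kind!r} not in allowlist"
    body = op.get("body", "")
    if not isinstance(body, str) or len(body) > MAX_BODY_LEN:
        return False, "body missing or exceeds size limit"
    for pat in SECRET_PATTERNS:
        if pat.search(body):
            return False, "body contains credential-like material"
    return True, "ok"


def process_staged_outputs(staged_json: str) -> list[dict]:
    """Read the agent's buffered requests; log each verdict; return only approved ones."""
    approved = []
    for op in json.loads(staged_json):
        ok, reason = vet_write(op)
        log.info("write %-13s %s (%s)", op.get("type"), "APPROVED" if ok else "REJECTED", reason)
        if ok:
            approved.append(op)
    return approved


# Constructed sample buffer: one benign comment, one out-of-policy push, and one
# issue whose body carries a fake token an injected prompt tried to exfiltrate.
STAGED = json.dumps([
    {"type": "add_comment", "issue": 42, "body": "CI passed on this change."},
    {"type": "push_branch", "ref": "refs/heads/main", "body": ""},
    {"type": "create_issue", "title": "debug", "body": "token=ghp_" + "A" * 30},
])

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s: %(message)s")
    print(process_staged_outputs(STAGED))
```

The executing side only ever sees the returned list, so a compromised agent can at most request an operation, never perform one.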
Table of contents
Threat model
Defend in depth
Don't trust agents with secrets
Stage and vet all writes
Log everything
What's next?