GitHub Reveals Security Architecture for Agent Workflows: How It Protects CI/CD from Autonomous AI

GitHub has detailed how it secures agent workflows in CI/CD. AI agents that autonomously fix code, refactor, or write tests can be valuable assistants, but they also represent a new security threat. The platform now shows how it isolates them in sandboxes, strips them of access to secret keys, and reviews every change they make before it reaches the repository.

What are agent workflows and why security is key

Agent workflows represent an evolution of classic automation in GitHub Actions. While traditional pipelines execute predefined steps, agent systems can interpret intent, make independent decisions, and carry out tasks in real time. For example, they can analyze open issues, write a fix, create a pull request, or add documentation — all without direct human supervision.

This autonomy brings huge productivity benefits, but also expands the attack surface. Agents work with untrusted inputs, can be targets of prompt injection attacks, and in case of error or misuse can escalate privileges, leak sensitive data, or make unwanted changes to the repository. That is why GitHub has released a detailed overview of the security architecture on which its agent workflows are built.

Layered defense: Defense in depth

GitHub approaches the security of agent workflows using the principle of defense in depth. The architecture consists of three layers that complement each other and limit the impact of any potential failure.

Substrate layer: system-level isolation

The foundation is the GitHub Actions runner: a virtual machine hosting isolated Docker containers. The agent runs in its own container with strictly limited system calls and network communication. Even if an attacker compromises the agent itself, they remain confined to that container and cannot affect other components.

Configuration layer: tool and communication control

The second layer determines which components are loaded, how they communicate, and what permissions they have. It includes firewall policies with a whitelist of allowed network targets, configuration of MCP servers, and management of external tokens. The key point is that this layer declaratively restricts where the agent can connect and what tools it can use.

Planning layer: secure outputs

The highest layer controls the workflow itself. GitHub divides it into explicit phases, where each phase has predetermined permissions — whether it can read or write. Writes do not go directly into the repository but pass through a safe outputs subsystem that first analyzes them.

Zero secrets: agents must not see secrets

One of the greatest risks is that an agent could gain access to API tokens, SSH keys, or access passwords stored in environment variables or configuration files. In a prompt injection attack, an attacker could trick the agent into reading and sending these sensitive details to an external server.

GitHub has therefore designed a model of zero-secret agents. The agent itself has no access to any secret keys. Instead, it runs in a chroot jail with read-only access to the host system. Communication with external services — whether LLM APIs or MCP servers — takes place through trusted proxies and gateways running in separate containers. Authentication tokens remain out of the agent's reach.

Every write under control

Even without access to secrets, a compromised agent can cause damage — for example, by creating hundreds of unnecessary issues and pull requests or inserting inappropriate content. That is why GitHub introduced the safe outputs mechanism.

Before any change reaches the repository, it goes through several review phases:

  • Operation filter — the workflow author can define which actions are allowed (e.g., creating a comment but not deleting a branch).
  • Volume limits — for example, a maximum of three pull requests per run.
  • Content moderation — automatic detection and removal of unwanted patterns, such as suspicious URLs.
  • Removal of sensitive data — final output sanitization so that no hidden secret leaks.

Only after successfully passing all these filters are the changes actually written to GitHub.
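The four gates above, implemented as an added illustration rather than GitHub's own code: every proposed write is checked in order, rejections carry a reason for the audit log, and secrets are redacted from what survives. The allowed operations, caps, URL allowlist and secret shapes are hypothetical policy values chosen for this example.

```python
import re
from dataclasses import dataclass, field
# Added example of the four safe-outputs gates described above. Policy values
# (allowed ops, caps, URL allowlist, secret shapes) are hypothetical, not GitHub's.
@dataclass
class Output:
    op: str        # proposed write, e.g. "create_comment"
    body: str      # text the agent wants to publish
    reasons: list = field(default_factory=list)   # filled in when rejected

ALLOWED_OPS = {"create_comment", "create_pull_request"}   # gate 1: operation filter
MAX_PER_OP = {"create_pull_request": 3}                   # gate 2: volume limits
URL_HOST_ALLOWLIST = {"github.com", "docs.github.com"}    # gate 3: content moderation
SECRET_PATTERNS = [                                       # gate 4: secret redaction
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                   # GitHub PAT shape
    re.compile(r"AKIA[0-9A-Z]{16}"),                      # AWS access key id shape
]
URL_HOST = re.compile(r"https?://([^/\s:]+)")

def filter_outputs(outputs):
    """Run each proposed write through the gates in order; return (accepted, rejected)."""
    accepted, rejected, seen = [], [], {}
    for out in outputs:
        if out.op not in ALLOWED_OPS:
            out.reasons.append(f"operation {out.op!r} not allowed")
            rejected.append(out)
            continue
        seen[out.op] = seen.get(out.op, 0) + 1
        if seen[out.op] > MAX_PER_OP.get(out.op, float("inf")):
            out.reasons.append(f"volume limit for {out.op!r} exceeded")
            rejected.append(out)
            continue
        bad = sorted({h for h in URL_HOST.findall(out.body) if h.lower() not in URL_HOST_ALLOWLIST})
        if bad:
            out.reasons.append(f"non-allowlisted URL host(s): {bad}")
            rejected.append(out)
            continue
        for pat in SECRET_PATTERNS:   # sanitize instead of rejecting: the write stays useful
            out.body = pat.sub("[REDACTED]", out.body)
        accepted.append(out)
    return accepted, rejected

def demo_outputs():
    """Constructed sample of writes a sloppy or compromised agent might propose."""
    return [
        Output("create_comment", "Fixed in #42, see https://docs.github.com/actions"),
        Output("delete_branch", "main"),
        Output("create_comment", "Notes: https://not-allowlisted.example/page"),
        Output("create_comment", "Test token: ghp_" + "a" * 36),
    ] + [Output("create_pull_request", f"PR {i}") for i in range(4)]
```

Running `filter_outputs(demo_outputs())` accepts five writes (the fourth pull request is dropped by the volume cap) and rejects three, each with a logged reason.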

Logging everything for forensic analysis

The last pillar of security is observability. GitHub logs activity on all trusted boundaries: network traffic at the firewall, communication with the model through the API proxy, tool calls through the MCP gateway, and access to environment variables in the agent container.

This makes it possible to reconstruct the entire execution flow, detect anomalies, and respond quickly to incidents. The same data also forms the basis for future checks that will automatically enforce policies based on repository visibility or the author's role.

What this means for Czech developers and companies

For Czech technology companies, startups, and corporations that use GitHub, this architecture brings crucial confidence. Agent workflows can significantly speed up development, but only on the condition that AI autonomy does not compromise code security or sensitive data.

GitHub offers its services including agent workflows within GitHub Actions at all subscription levels. Individual developers can use basic features for free, while teams and enterprise customers have access to advanced security checks and audit logs. The current pricing for teams starts at approximately USD 4 per user per month (Team plan), the enterprise variant costs around USD 21 per user per month. Agent features are currently in technical preview and are available globally, including for users from the Czech Republic.

For companies operating in Europe, it is also relevant that GitHub meets GDPR requirements and allows regional data residency settings, which is important for processing code and any personal data within CI/CD.

Conclusion

GitHub's approach shows that autonomous AI agents cannot be deployed into development pipelines without careful security design. The principles of isolation, zero access to secrets, controlled outputs, and comprehensive logging could become a standard not only in CI/CD, but also in other areas where AI agents independently work with sensitive data.

Can an individual developer try agent workflows for free?

Yes, basic GitHub Actions features and limited access to agent workflows are available within the free tier. Full use of advanced security checks requires a paid Team or Enterprise plan.

What is the difference between classic GitHub Actions and agent workflows?

Classic Actions execute predefined scripts and steps. Agent workflows allow AI agents to make independent decisions, interpret assignments, and perform complex tasks such as fixing code or refactoring without a human having to write every step explicitly.

Is there a risk of API keys or tokens leaking with agent workflows?

If properly configured according to GitHub's security recommendations, no. The agent runs in an isolated environment without direct access to secret keys. All authentication takes place through trusted proxies outside the agent's container.