Analysis Date: 2026-06-21
Scope: 249 total workflows, 121 using Copilot engine (49%)
📊 Executive Summary
This is the first deep research run on Copilot CLI usage across the github/gh-aw repository. The repo shows strong Copilot adoption: 52% of Copilot workflows use copilot-sdk: true, 84% have safe-outputs, and bash/github tools are well-used. The primary gaps are security hygiene (strict, network), missing SDK-specific configuration (max-tool-denials), and underutilized continuation and agent features.
🔴 High Priority
1. max-tool-denials missing from all 63 SDK workflows (0% adoption)
Every copilot-sdk: true workflow is missing max-tool-denials. The default is 5 — too low for complex multi-step runs. Add max-tool-denials: 10 to medium-complexity and 15 to long-running workflows.
2. 37 workflows have safe-outputs but no strict: true (36% gap)
strict: true enforces write-sink guard policies. Any workflow that creates issues/PRs/comments should have it. Affected: agent-performance-analyzer, architecture-guardian, breaking-change-checker, ci-coach, code-scanning-fixer, contribution-check, craft, daily-community-attribution, daily-experiment-report, and 28 more.
3. 36 high-timeout workflows (20–60 min) have no network: firewall
Workflows without a network allowlist run with full internet access. Affected: agent-performance-analyzer (30m), ci-coach (30m), daily-security-observability (60m), refiner (30m), security-compliance (30m), stale-pr-cleanup (30m), workflow-health-manager (30m), and 29 more.
network:
  allowed:
    - defaults
    - github
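The checks behind items 2 and 3 can be run over workflow files directly. The sketch below is an added example, not code from the gh-aw project or from this report: it assumes workflows are Markdown files with YAML frontmatter, looks only at top-level keys, and ignores timeouts, so it flags every workflow without a network block. The function names and sample workflows are constructed for illustration.

```python
import re

# Top-level "key: value" line; nested blocks yield an empty value.
TOP_KEY = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*?)\s*(?:#.*)?$")

def frontmatter(text):
    """Return the lines between the opening and closing '---', or []."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i in range(1, len(lines)):
        if lines[i].strip() == "---":
            return lines[1:i]
    return []  # unterminated frontmatter is treated as absent

def top_level(text):
    """Map each top-level frontmatter key to its inline scalar value."""
    keys = {}
    for line in frontmatter(text):
        if line[:1] in ("", " ", "\t", "#", "-"):
            continue  # blank, nested, comment or list-item line
        m = TOP_KEY.match(line)
        if m:
            keys[m.group(1)] = m.group(2)
    return keys

def audit(text):
    """Return the findings from items 2 and 3 that apply to one workflow."""
    keys = top_level(text)
    findings = []
    if "safe-outputs" in keys and keys.get("strict", "").lower() != "true":
        findings.append("safe-outputs without strict: true")
    if "network" not in keys:
        findings.append("no network allowlist")
    return findings

# Constructed sample workflows (not files from the repository).
SAMPLES = {
    "guarded.md": "---\nstrict: true\nnetwork:\n  allowed:\n    - defaults\n    - github\nsafe-outputs:\n  create-issue:\n---\n# body\n",
    "writer.md": "---\nnetwork:\n  allowed:\n    - defaults\nsafe-outputs:\n  create-issue:\n---\n# body\n",
    "open.md": "---\nstrict: false  # relaxed\nsafe-outputs:\n  create-issue:\n---\n# body\n",
    "reader.md": "---\nstrict: true\n---\nnetwork: mentioned in the body only\n",
}

def audit_all(samples):
    """Audit every workflow; keep only those with at least one finding."""
    report = {name: audit(src) for name, src in samples.items()}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in sorted(audit_all(SAMPLES).items()):
        print(f"{name}: {'; '.join(findings)}")
```

A key that appears only in the Markdown body, as in the reader.md sample, does not count as configured.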
🟡 Medium Priority
4. max-continuations underused — 7/121 (6%)
15 workflows run ≥30 min without autopilot continuation. Candidates: daily-doc-updater (45m), slide-deck-maintainer (45m), stale-repo-identifier (45m), update-astro (45m), security-compliance (30m), weekly-blog-post-writer (30m).
5. 5 custom agent files completely unused
grumpy-reviewer, interactive-agent-designer, create-safe-output-type, custom-engine-implementation, w3c-specification-writer — zero workflow references. grumpy-reviewer alone could improve 10 code review workflows (pr-code-quality-reviewer, pr-nitpick-reviewer, breaking-change-checker, cli-consistency-checker, etc.):
6. engine.args and engine.harness never used (0/121)
Both features offer CLI customization that no workflow has explored yet.
7. web-fetch underused at 7% (9/121)
Native built-in tool, no MCP server needed. Research workflows using bash: [curl] should prefer tools: web-fetch:.
🟢 Low Priority
Version pinning at 7% (9/121) — critical release workflows benefit from pinning
engine.bare at 7% (9/121) — save tokens for pure data-gathering workflows
engine.api-target — never used; readiness opportunity for GHEC/GHES migrations
2️⃣ Feature Usage Matrix

| Feature | Count | Adoption |
| --- | --- | --- |
| copilot-sdk | 63 | 52% |
| safe-outputs | 102 | 84% |
| strict | 78 | 64% |
| network | 58 | 48% |
| cache-memory | 40 | 33% |
| repo-memory | 20 | 17% |
| engine.model | 24 | 20% |
| max-continuations | 7 | 6% |
| engine.bare | 9 | 7% |
| web-fetch | 9 | 7% |
| engine.version | 9 | 7% |
| engine.agent | 4 | 3% |
| BYOK | 3 | 2% |
| max-tool-denials | 0 | 0% ⚠️ |
| engine.args | 0 | 0% |
| engine.harness | 0 | 0% |
| engine.api-target | 0 | 0% |

7️⃣ Action Items
Immediate (this week):
Add max-tool-denials: 10 to all 63 copilot-sdk: true workflows
Add strict: true to the 37 safe-outputs workflows missing it
Short-term (this month):
network: { allowed: [defaults, github] } to high-risk unguarded workflows
max-continuations: 2-3 to 6+ long-running workflows (≥30 min)
engine.agent: grumpy-reviewer in 3+ code review workflows
Long-term (this quarter):
safe-outputs without strict: true
AGENTS.md for workflow authors
Baseline saved to repo-memory for future trend tracking. Next run will show adoption trends.
References: §27894527379