github-agentic-workflows
GitHub Agentic Workflows with MCP tools, Copilot coding agent orchestration, safe outputs, and OWASP Agentic security
Best use case
github-agentic-workflows is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using github-agentic-workflows should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/github-agentic-workflows/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How github-agentic-workflows Compares
| Feature / Agent | github-agentic-workflows | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
GitHub Agentic Workflows with MCP tools, Copilot coding agent orchestration, safe outputs, and OWASP Agentic security
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# GitHub Agentic Workflows Skill
## Purpose
Comprehensive guidance for creating, deploying, and securing GitHub Agentic Workflows — AI-powered automations using Copilot coding agent, MCP servers, and custom agents for autonomous task execution.
## When to Use
- ✅ Orchestrating Copilot coding agent assignments
- ✅ Building multi-step agentic workflows with stacked PRs
- ✅ Configuring MCP servers for agent tools
- ✅ Implementing safe output handling for AI-generated content
- ✅ Securing agentic pipelines against prompt injection
## Core Concepts
### Copilot Coding Agent Assignment
```javascript
// Basic assignment
assign_copilot_to_issue({ owner: "Hack23", repo: "European-Parliament-MCP-Server", issue_number: 100 })

// Advanced with base_ref and custom instructions
assign_copilot_to_issue({
  owner: "Hack23", repo: "European-Parliament-MCP-Server",
  issue_number: 100,
  base_ref: "feature/new-tools",
  custom_instructions: "Use TypeScript strict mode. Follow MCP protocol. Add Vitest tests with 80%+ coverage."
})

// Direct PR creation with custom agent
create_pull_request_with_copilot({
  owner: "Hack23", repo: "European-Parliament-MCP-Server",
  title: "Add new MCP tool", body: "Implementation details",
  base_ref: "main", custom_agent: "frontend-specialist"
})

// Track progress
get_copilot_job_status({ owner: "Hack23", repo: "European-Parliament-MCP-Server", job_id: "abc123" })
```
### Stacked PR Workflow
```
Step 1: Data models (PR → main)
  └── Step 2: API client (PR → Step 1 branch)
       └── Step 3: MCP tools (PR → Step 2 branch)
```
### MCP Server Configuration
MCP server configuration is defined in `.github/copilot-mcp.json`. Secret references (`${{ secrets.* }}`) are resolved by the GitHub Copilot runtime — they are **not** literal JSON values. The MCP client receives actual token values at startup.
**Supply chain note:** The `npx -y @modelcontextprotocol/server-github` pattern downloads the latest version on each invocation. For production environments, pin to a specific version (e.g., `@modelcontextprotocol/server-github@0.x.y`) or vendor the package locally to prevent supply chain attacks when injecting privileged tokens.
See `.github/copilot-mcp.json` in this repository for the canonical configuration.
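A pre-merge check for the two points above, flagging `npx` servers without an exact version pin and sensitive `env` entries that are not `${{ secrets.* }}` references. This is an added example, not code from the skill or the repository; the `mcpServers` / `command` / `args` / `env` layout, the env names, and the `@example/mcp-server` package are assumptions, since the page does not show the file's contents.

```javascript
// Added example. Assumed config shape (not shown on the page):
//   { "mcpServers": { "<name>": { "command", "args", "env" } } }
const SECRET_REF = /^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$/;
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const SENSITIVE_KEY = /(TOKEN|SECRET|KEY|PASSWORD)/i;

// Split "name@version", keeping the leading "@" of a scoped package name.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? [spec.slice(0, at), spec.slice(at + 1)] : [spec, null];
}

function auditMcpConfig(jsonText) {
  const findings = [];
  const servers = JSON.parse(jsonText).mcpServers || {};
  for (const [name, server] of Object.entries(servers)) {
    const env = Object.entries(server.env || {});
    // First non-flag argument is taken as the package spec npx fetches and runs.
    const spec = server.command === "npx"
      ? (server.args || []).find((a) => !a.startsWith("-")) : undefined;
    if (spec) {
      const [, version] = splitSpec(spec);
      if (!version || !EXACT_VERSION.test(version)) {
        // Worst case from the supply chain note: unpinned code that is handed a token.
        const receivesSecret = env.some(([, v]) => SECRET_REF.test(String(v)));
        findings.push({ server: name, rule: "unpinned-package", detail: spec, receivesSecret });
      }
    }
    for (const [key, value] of env) {
      if (SENSITIVE_KEY.test(key) && !SECRET_REF.test(String(value))) {
        // Report the key name only; never echo the value itself.
        findings.push({ server: name, rule: "literal-secret", detail: key });
      }
    }
  }
  return findings;
}

// Constructed sample config; "@example/mcp-server" and the env names are hypothetical.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    github: { command: "npx", args: ["-y", "@modelcontextprotocol/server-github"],
              env: { GITHUB_TOKEN: "${{ secrets.EXAMPLE_TOKEN }}" } },
    pinned: { command: "npx", args: ["-y", "@example/mcp-server@1.2.3"],
              env: { API_KEY: "constructed-literal-value" } },
  },
});

console.log(auditMcpConfig(SAMPLE_CONFIG));
```

Tags such as `@latest` and ranges such as `^1.0.0` are reported as unpinned. The package-spec detection is a heuristic and does not interpret `npx` flags that take their own value.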
## OWASP Agentic Security
### Threat Mitigation
| Threat | Mitigation |
|--------|-----------|
| Prompt injection | Input validation, output sanitization |
| Excessive agency | Minimal tool permissions, scope limits |
| Data exfiltration | Sandbox environments, network controls |
| Supply chain | Pinned action versions, dependency scanning |
### Safe Output Handling
- Validate AI-generated code before merging
- Use CodeQL scanning on Copilot PRs
- Require human review for security-critical changes
- Sanitize all outputs before use in downstream tools
## ISMS Policy References
- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)
- [AI Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/AI_Policy.md)
- [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md)

Related Skills
airflow-workflows
Apache Airflow DAG design, operators, and scheduling best practices.
agenticmail
🎀 AgenticMail — Full email, SMS, storage & multi-agent coordination for AI agents. 63 tools.
agentic-issue-assistant
Install common docs/backlog skeleton plus an AGENTS template, and wrap issue/finalization operations for an agentic workflow.
agentic-chat
AI assistant for creating clear, actionable task descriptions for GitHub Copilot agents
adaptive-workflows
Self-learning workflow system that tracks what works best for your use cases. Records experiment results, suggests optimizations, creates custom templates, and builds a personal knowledge base. Use to learn from experience and optimize your LLM workflows over time.
workflows-expert
Activate when requests involve workflow execution, CI/CD pipelines, git automation, or multi-step task orchestration. This skill provides workflows-mcp MCP server integration with tag-based workflow discovery, DAG-based execution, and variable syntax expertise. Trigger on phrases like "run workflow", "execute workflow", "orchestrate tasks", "automate CI/CD", or "workflow information".
python-github-actions
Complete Python GitHub Actions system. PROACTIVELY activate for: (1) uv-based CI workflows (10-100x faster), (2) Matrix testing across Python versions, (3) Dependency caching with setup-uv, (4) Parallel test execution, (5) Reusable workflows, (6) Publishing to PyPI with trusted publishing, (7) Code coverage with codecov, (8) Security scanning. Provides: Workflow templates, caching config, matrix strategies, composite actions. Ensures fast, reliable CI/CD pipelines.
phoenix-github
Manage GitHub issues, labels, and project boards for the Arize-ai/phoenix repository. Use when filing roadmap issues, triaging bugs, applying labels, managing the Phoenix roadmap project board, or querying issue/project state via the GitHub CLI.
interactor-workflows
Build state-machine based automation with human-in-the-loop support through Interactor. Use when implementing approval flows, multi-step processes, automated pipelines, or any workflow requiring user input at specific stages.
integration-workflows
Cross-MCP workflows that coordinate multiple systems (Linear, GitHub, n8n, Slack) for end-to-end automation. Captures patterns that span tool boundaries.
github
Access GitHub repositories via the GitHub REST API. Use this skill when the user wants to interact with GitHub including reading files, creating/updating files, listing repos, managing branches, viewing commits, working with issues, or managing pull requests. All scripts use PEP 723 inline metadata for dependencies and run via `uv run`. Requires GITHUB_TOKEN environment variable (a Personal Access Token with appropriate scopes).
github-workflow-automation
Advanced GitHub Actions workflow automation with AI swarm coordination, intelligent CI/CD pipelines, and comprehensive repository management