Merged
Expand Up @@ -7,6 +7,9 @@ sidebar:

GitHub Agentic Workflows combine deterministic computation with AI reasoning, enabling data preprocessing, custom trigger filtering, and post-processing patterns.

> [!CAUTION]
> Security Notice: Custom steps, post-steps, and custom jobs run OUTSIDE the firewall sandbox. These components execute with standard GitHub Actions security but do NOT have the network egress controls that protect the agent job. Only use them for deterministic data preparation, preprocessing, filtering, or post-processing—never for agentic compute or untrusted AI execution.

## When to Use

Combine deterministic steps with AI agents to precompute data, filter triggers, preprocess inputs, post-process outputs, or build multi-stage computation and reasoning pipelines.
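
Review bot: "standard GitHub Actions security" in the new caution is never defined, so a reader cannot tell what protection custom steps, post-steps and custom jobs actually have. Suggest stating concretely what is missing relative to the agent job (the notice already names network egress controls) and linking to the page that documents the firewall sandbox, rather than relying on the phrase alone.
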
Expand Down Expand Up @@ -35,6 +38,9 @@ Define deterministic jobs in frontmatter alongside agentic execution:
└────────────────────────┘
```

> [!WARNING]
> The deterministic jobs and steps shown above run OUTSIDE the firewall sandbox. Only the central "Agent Job (AI)" runs with network egress controls and firewall protection. Custom steps, post-steps, and custom jobs execute with standard GitHub Actions security.

## Precomputation Example

```yaml wrap title=".github/workflows/release-highlights.md"
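
Review bot: This callout uses `[!WARNING]` while the notice added at the top of the same page, and the ones added to frontmatter.md, use `[!CAUTION]` for the same message. Pick one severity for all of them. Since the text repeats the earlier notice nearly word for word, consider shortening it to a single sentence tied to the diagram (only the box labelled "Agent Job (AI)" is sandboxed).
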
Expand Down Expand Up @@ -186,6 +192,8 @@ Reference in prompts: "Analyze issues in `/tmp/gh-aw/agent/issues.json` and PRs

**Job dependencies**: Use `needs: [job-name]` to define execution order between jobs.

**Security considerations**: Custom steps, post-steps, and custom jobs run OUTSIDE the firewall sandbox with standard GitHub Actions security. Use them only for deterministic operations like data fetching, preprocessing, filtering, or post-processing. Never run agentic compute or untrusted AI execution in these components—reserve that for the protected agent job.

## Related Documentation

- [Custom Safe Outputs](/gh-aw/reference/custom-safe-outputs/) - Custom post-processing jobs
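
Review bot: The "Security considerations" paragraph recommends post-processing outside the sandbox but does not say how the agent's output should be handled there. Post-steps work on whatever the agent job produced, so suggest adding that this output is untrusted data to be parsed and validated, not executed. This is also the third statement of the same notice on this page; a link back to the first would be enough.
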
9 changes: 9 additions & 0 deletions docs/src/content/docs/reference/frontmatter.md
Expand Up @@ -385,6 +385,9 @@ steps:

Use custom steps to precompute data, filter triggers, or prepare context for AI agents. See [Deterministic & Agentic Patterns](/gh-aw/guides/deterministic-agentic-patterns/) for combining computation with AI reasoning.

> [!CAUTION]
> Security Notice: Custom steps run OUTSIDE the firewall sandbox. These steps execute with standard GitHub Actions security but do NOT have the network egress controls that protect the agent job. Do not run agentic compute or untrusted AI execution in custom steps—use them only for deterministic data preparation, preprocessing, or filtering.

## Post-Execution Steps (`post-steps:`)

Add custom steps after agentic execution. Run after AI engine completes regardless of success/failure (unless conditional expressions are used).
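
Review bot: The notice added under custom steps is repeated almost verbatim in the `post-steps:` and `jobs:` sections below, with only the component name and the closing list changed. Three copies will drift apart over time; suggest one full notice (or a link to the "Security considerations" text in the Deterministic & Agentic Patterns guide, which the paragraph above already links) and a one-line pointer in the other two sections.
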
Expand All @@ -402,6 +405,9 @@ post-steps:

Useful for artifact uploads, summaries, cleanup, or triggering downstream workflows.

> [!CAUTION]
> Security Notice: Post-execution steps run OUTSIDE the firewall sandbox. These steps execute with standard GitHub Actions security but do NOT have the network egress controls that protect the agent job. Do not run agentic compute or untrusted AI execution in post-steps—use them only for deterministic cleanup, artifact uploads, or notifications.

## Custom Jobs (`jobs:`)

Define custom jobs that run before agentic execution. Supports complete GitHub Actions step specification.
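
Review bot: The recommended uses named in the post-steps notice (artifact uploads, notifications) are network operations, and the same notice says post-steps have no egress controls, yet nothing is said about what data they may send. Since post-steps run after the AI engine completes regardless of success or failure, suggest adding a sentence that files and output left by the agent are untrusted input and should be checked before they are uploaded or forwarded.
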
Expand All @@ -420,6 +426,9 @@ jobs:

The agentic execution job waits for all custom jobs to complete. Custom jobs can share data through artifacts or job outputs. See [Deterministic & Agentic Patterns](/gh-aw/guides/deterministic-agentic-patterns/) for multi-job workflows.

> [!CAUTION]
> Security Notice: Custom jobs run OUTSIDE the firewall sandbox. These jobs execute with standard GitHub Actions security but do NOT have the network egress controls that protect the agent job. Do not run agentic compute or untrusted AI execution in custom jobs—use them only for deterministic preprocessing, data fetching, or static analysis.

### Job Outputs

Custom jobs can expose outputs accessible in the agentic execution prompt via `${{ needs.job-name.outputs.output-name }}`:
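
Review bot: The custom jobs notice does not mention that job results flow into the agent prompt, which the "Job Outputs" section right after it shows via `${{ needs.job-name.outputs.output-name }}`. Data fetched in a job with no egress controls becomes prompt content, so suggest a sentence telling authors to limit what a custom job fetches and exposes as outputs. "static analysis" also appears only in this copy of the list; align the three lists or explain the difference.
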
2 changes: 1 addition & 1 deletion docs/src/content/docs/setup/creating-workflows.mdx
Expand Up @@ -42,7 +42,7 @@ Follow these steps to create an agentic workflow using VSCode or your coding age

After merging the pull request, you can run the workflow to see it in action. Either:
- trigger runs manually from the Actions tab in GitHub.com, or
- use [the `gh aw run` command](/gh-aw/reference/cli/#gh-aw-run) to trigger runs from your terminal.
- use [the `gh aw run` command](/gh-aw/setup/cli/#run) to trigger runs from your terminal.

## Creating Agentic Workflows with ChatGPT
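
Review bot: The link target for `gh aw run` changes from `/gh-aw/reference/cli/#gh-aw-run` to `/gh-aw/setup/cli/#run`, which is unrelated to the security notices in the rest of this change and should be mentioned in the description or split out. Please also confirm that the `#run` anchor exists on the new page and check whether other pages still link to the old `/gh-aw/reference/cli/` path.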
