From 624a077904d11c21e46fd1ee30968acfe50c36b7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 21 Apr 2026 05:52:54 +0000 Subject: [PATCH 1/2] Initial plan From 8c479c45a00b5c8bf6274d7e1c0f519031c677bb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 21 Apr 2026 06:08:26 +0000 Subject: [PATCH 2/2] docs: add bash allowlist decision rule for trusted vs untrusted workflows Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2af0241d-b129-4c33-b3e7-19271266d5b5 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/aw/github-agentic-workflows.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/aw/github-agentic-workflows.md b/.github/aw/github-agentic-workflows.md index ff7c346bfa5..7e7309b449a 100644 --- a/.github/aw/github-agentic-workflows.md +++ b/.github/aw/github-agentic-workflows.md 
@@ -527,6 +527,26 @@ The YAML frontmatter supports these fields: - `web-fetch:` - Web content fetching tools - `web-search:` - Web search tools - `bash:` - Shell command tools + - **Bash allowlist decision rule:** + - **PR-triggered workflows** processing **untrusted input** (issue/PR body, comment text, user-provided filenames): use a **narrow allowlist** (for example: `[find, cat, grep, wc, jq]`). This limits blast radius if shell injection attempts are embedded in untrusted content. + - **`schedule` or `workflow_dispatch` workflows** with **no untrusted input** (only trusted API data or internal state): `["*"]` is acceptable. + - **Rule of thumb**: If the workflow reads issue/PR bodies, comment text, or other user-provided strings, use a narrow list. If it only reads trusted API responses or workflow artifacts, `["*"]` is acceptable. + - **Examples:** + + ```yaml + # PR-triggered workflow reading untrusted user text + on: + pull_request: + tools: + bash: [find, cat, grep, wc, jq] + + # Internal scheduled workflow reading only trusted/internal data + on: + schedule: + - cron: "0 * * * *" + tools: + bash: ["*"] + ``` - `playwright:` - Browser automation tools - Custom tool names for MCP servers - `timeout:` - Per-operation timeout in seconds for all tool and MCP server calls (integer or GitHub Actions expression). Defaults vary by engine (Claude: 60 s, Codex: 120 s).
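Review bot: the second bullet of the new "Bash allowlist decision rule" keys the `["*"]` decision on the trigger (`schedule` or `workflow_dispatch`) and on "trusted API data", but issue bodies, PR descriptions and comments fetched through the GitHub API in a scheduled workflow are still user-authored and just as untrusted as in a PR-triggered one, and `workflow_dispatch` inputs are typed in by whoever dispatches the run. Suggest rewording that bullet to key on the data rather than the trigger, e.g. "workflows whose bash steps only see non-user-authored data (repository metadata, workflow run state, artifacts the workflow itself produced)", and widening the first bullet from "PR-triggered workflows" to event-triggered workflows generally (`pull_request`, `issues`, `issue_comment`, `discussion`). The "Rule of thumb" bullet already says this, so the two preceding bullets should agree with it rather than offering a trigger-based shortcut. Two smaller points on the example block: the fenced YAML puts two workflow fragments with duplicate `on:` and `tools:` keys in one document, which a reader may paste as-is; split them into two fences or separate them with a `---` document marker. And `find` in the narrow allowlist `[find, cat, grep, wc, jq]` accepts `-exec` and `-delete`, so the doc should note that a command-name allowlist limits blast radius only to the extent the engine also constrains arguments, or drop `find` from the example.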