From 0459433c1e49721f4a84d67b89bd5bcbe9ddc1a5 Mon Sep 17 00:00:00 2001 From: Don Syme Date: Fri, 15 Aug 2025 16:32:29 +0100 Subject: [PATCH 1/2] add more security notes --- docs/security-notes.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/docs/security-notes.md b/docs/security-notes.md index 7f727a632b..48023b2ed5 100644 --- a/docs/security-notes.md +++ b/docs/security-notes.md @@ -49,6 +49,8 @@ In addition, the compilation step of Agentic Workflows enforces additional secur - **Tool allowlisting** - only explicitly allowed tools can be used in the workflow - **Highly restricted commands** - by default, no commands are allowed to be executed, and any commands that are allowed must be explicitly specified in the workflow - **Explicit tool allowlisting** - only tools explicitly allowed in the workflow can be used +- **Limit workflow longevity** - workflows can be configured to stop running after a certain time period, preventing long-running or runaway workflows +- **Limit chat iterations** - workflows can be configured to limit the number of chat iterations per run, preventing runaway loops and excessive resource consumption Apply these principles consistently across all workflow components: @@ -87,7 +89,9 @@ GitHub Actions workflows are designed to be steps within a larger process. Some - **Plan-apply separation**: Implement a "plan" phase that generates a preview of actions before execution. This allows human reviewers to assess the impact of changes. This is usually done via an output issue or pull request. - **Review and audit**: Regularly review workflow history, permissions, and tool usage to ensure compliance with security policies. -### Limit time of operation +### Limit operations + +#### Limit workflow longevity by `stop-time:` Use `stop-time:` to limit the time of operation of an agentic workflow. For example, using 
@@ -97,6 +101,20 @@ stop-time: +7d will mean the agentic workflow no longer operates 7 days after time of compilation. +#### Limit workflow runs by `max-turns:` + +Use `max-turns:` to limit the number of chat iterations per run. This prevents runaway loops and excessive resource consumption. For example: + +```yaml +max-turns: 5 +``` + +This limits the workflow to a maximum of 5 interactions with the AI engine per run. + +#### Monitor costs by `gh aw logs` + +Use `gh aw logs` to monitor the costs of running agentic workflows. This command provides insights into the number of turns, tokens used, and other metrics that can help you understand the cost implications of your workflows. Reported information may differ based on the AI engine used (e.g., Claude vs. Codex). + ### MCP Tool Hardening Model Context Protocol tools require strict containment: From 4efb4d718e6dfeaa5a563fdcb23cb1a9b6fca7c5 Mon Sep 17 00:00:00 2001 From: Don Syme Date: Fri, 15 Aug 2025 16:34:15 +0100 Subject: [PATCH 2/2] Clarify workflow longevity limitation in security notes --- docs/security-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security-notes.md b/docs/security-notes.md index 48023b2ed5..9eb602d4d2 100644 --- a/docs/security-notes.md +++ b/docs/security-notes.md 
@@ -49,7 +49,7 @@ In addition, the compilation step of Agentic Workflows enforces additional secur - **Tool allowlisting** - only explicitly allowed tools can be used in the workflow - **Highly restricted commands** - by default, no commands are allowed to be executed, and any commands that are allowed must be explicitly specified in the workflow - **Explicit tool allowlisting** - only tools explicitly allowed in the workflow can be used -- **Limit workflow longevity** - workflows can be configured to stop running after a certain time period, preventing long-running or runaway workflows +- **Limit workflow longevity** - workflows can be configured to stop triggering after a certain time period - **Limit chat iterations** - workflows can be configured to limit the number of chat iterations per run, preventing runaway loops and excessive resource consumption Apply these principles consistently across all workflow components:
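Review bot: in PATCH 1/2, hunk `@@ -49,6 +49,8 @@`, the new `Limit workflow longevity` bullet ("stop running after a certain time period, preventing long-running or runaway workflows") describes `stop-time:` as a cap on an in-flight job, but the `stop-time: +7d` explanation added later in the same patch says the workflow "no longer operates 7 days after time of compilation", i.e. it stops being triggered; nothing in the patch says a job that is already running is cut short, so "runaway workflows" is the wrong promise here and belongs to `max-turns:`. PATCH 2/2 reworded this bullet to "stop triggering", so the two commits should be squashed so the misleading text never lands. While in this hunk: the surrounding context carries both "**Tool allowlisting** - only explicitly allowed tools can be used in the workflow" and "**Explicit tool allowlisting** - only tools explicitly allowed in the workflow can be used", which say the same thing; drop one.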
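Review bot: in PATCH 1/2, hunk `@@ -87,7 +89,9 @@`, the new subheading "#### Limit workflow longevity by `stop-time:`" and the retained sentence "Use `stop-time:` to limit the time of operation of an agentic workflow" both frame the setting as bounding execution time, which contradicts the "no longer operates 7 days after time of compilation" wording that follows; suggest "#### Limit workflow longevity with `stop-time:`" and "Use `stop-time:` to set a date after which the workflow is no longer triggered". Since the deadline is computed from the compilation time, the text should also state plainly that recompiling the workflow produces a new deadline, otherwise a reader will assume the limit is fixed once set.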
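Review bot: in PATCH 1/2, hunk `@@ -97,6 +101,20 @@`, the subheading "#### Limit workflow runs by `max-turns:`" says the setting limits runs, but the body under it says it limits "the number of chat iterations per run" and "a maximum of 5 interactions with the AI engine per run"; rename to "#### Limit turns per run with `max-turns:`" so the heading matches the body. The cost subsection should say what happens when the limit is hit (the run ends early with whatever work has been done), since a reader deciding on a value for `max-turns:` needs to know it is a hard stop rather than a soft budget; if that is not what the tool does, the "prevents runaway loops" claim needs qualifying. In "#### Monitor costs by `gh aw logs`" the preposition should likewise be "with".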
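Review bot: in PATCH 2/2, hunk `@@ -49,7 +49,7 @@`, changing the bullet to "stop triggering after a certain time period" is the right correction, but it leaves the bullet inconsistent with the `### Limit operations` section added in PATCH 1/2, whose heading "Limit workflow longevity by `stop-time:`" and sentence "Use `stop-time:` to limit the time of operation of an agentic workflow" still describe the setting as an execution-time cap; apply the same "triggering" wording there in this commit so the document does not contradict itself. The bullet also lost its one-line rationale; "so a forgotten workflow does not keep running on every trigger indefinitely" would restore it without reintroducing the runaway-job claim.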