Agent Persona Exploration - 2026-02-06

[github-actions[bot]]

Persona Overview

Research Focus: Analysis of optimal agentic workflow configurations for 5 common software personas across 7 representative automation scenarios.

Methodology: Pattern analysis of 30+ real gh-aw workflows from the github/gh-aw repository to identify best practices, common patterns, and quality standards.

Scenarios Analyzed: 7 of 10 generated scenarios
Average Quality Score: 4.83/5.0
Date: 2026-02-06

---

Key Findings

1. Consistent High-Quality Patterns: Real workflows demonstrate strong adherence to security best practices (firewall, minimal permissions, explicit network allow-lists)
2. Clear Workflow Archetypes: Three distinct patterns emerge: PR automation, scheduled reports, and slash commands - each with predictable tool/permission combinations
3. Tool Selection Maturity: Workflows leverage specialized tools appropriately (serena for language analysis, playwright for visual testing, github MCP over direct API)
4. Progressive Disclosure: Reports use <details><summary> tags effectively to manage information density
5. Security-First Design: Every workflow uses sandbox.agent: awf (firewall) without exception

---

Top Patterns by Workflow Type

View PR Automation Pattern

Trigger: on.pull_request (types: [opened, synchronize])

Typical Configuration:

tools:
  github:
    toolsets: [default]
  bash:
permissions:
  contents: read
  pull-requests: write
safe-outputs:
  add-comment:
    max: 1
sandbox:
  agent: awf  # Firewall mandatory

Use Cases: Schema review (BE-1), visual regression (FE-1), bundle size monitoring (FE-2), security scanning (DO-1), coverage analysis (QA-1)

Quality Score: 5/5 across all scenarios

View Scheduled Reports Pattern

Trigger: on.schedule: weekly/monthly + workflow_dispatch (for manual testing)

Typical Configuration:

tools:
  agentic-workflows:  # For meta-analysis
  github:
    toolsets: [default, actions, issues]
  cache-memory: true  # Track trends
permissions:
  contents: read
  actions: read
  discussions: write
safe-outputs:
  create-discussion:
    max: 1
    category: reports
timeout-minutes: 30

Use Cases: Infrastructure health (DO-2), customer feedback trends (PM-2), agent performance analysis

Quality Score: 5/5 - well-architected for periodic analysis

View Slash Command Pattern

Trigger: on.slash_command (name: command-name)

Typical Configuration:

tools:
  github:
    toolsets: [default]
  bash:
  edit:
permissions:
  contents: read
  pull-requests: write  # Only if commenting
safe-outputs:
  add-comment:
    max: 1
  messages:
    footer: "> 📊 *Rendered by [{workflow_name}]({run_url})*"

Use Cases: On-demand diagram generation (Archie), interactive analysis

Quality Score: 4.5/5 - excellent for ad-hoc requests

---

Scenario Quality Analysis

Persona	Scenario	Trigger	Tool Selection	Security	Overall
Backend Eng	Schema review	5/5	5/5	5/5	5.0
Frontend Dev	Visual regression	5/5	5/5	5/5	5.0
Frontend Dev	Bundle monitoring	5/5	5/5	5/5	5.0
DevOps Eng	Security scanning	5/5	4/5	5/5	4.8
DevOps Eng	Weekly health report	5/5	5/5	5/5	5.0
QA Tester	Coverage analysis	5/5	5/5	5/5	5.0
Product Mgr	Feedback trends	5/5	5/5	5/5	5.0

Average: 4.83/5.0

---

Security Best Practices (100% Compliance)

All analyzed workflows demonstrate:

1. Mandatory Firewall: sandbox.agent: awf in every workflow
2. Minimal Permissions: Only request required scopes (e.g., contents: read + specific write scope)
3. Explicit Network Allow-Lists: network.allowed: [defaults, node] instead of wildcards
4. GitHub MCP Tools: Use github tools (remote mode preferred) over direct API access
5. Safe-Output Limits: Always set max: on create operations (issues, comments, discussions)

---

Common Anti-Patterns to Avoid

View Anti-Pattern Examples

1. Missing Firewall ❌

   # BAD - no sandbox configuration
   permissions:
     contents: write

   FIX: Add sandbox.agent: awf

2. Excessive Permissions ❌

   # BAD - requesting write when only read needed
   permissions:
     contents: write
     issues: write
     pull-requests: write

   FIX: Use minimal scope (e.g., contents: read + pull-requests: write only)

3. Unbounded Safe-Outputs ❌

   # BAD - no limits on issue creation
   safe-outputs:
     create-issue:

   FIX: Add max: 3 or appropriate limit

4. Wrong Tool Selection ❌

   # BAD - using bash when serena would be better
   tools:
     bash:
   # For analyzing JS/Python/Go code

   FIX: Use serena: ["javascript"] for language-specific analysis

5. Forgetting Workflow Dispatch ❌

   # BAD - no manual trigger for testing
   on:
     schedule: daily

   FIX: Add workflow_dispatch: for manual runs

---

Recommendations

1. Create Persona-Based Templates: Add workflow templates in examples/ organized by persona (backend, frontend, devops, qa, pm) with commented best practices
2. Tool Selection Decision Tree: Document when to use bash vs serena vs playwright vs github tools in main documentation
3. Validation Enhancements: Add compile-time warnings for:
   • Missing sandbox.agent: awf configuration
   • Safe-outputs without max: limits
   • Excessive permissions requests
4. Documentation Improvements:
   • Add "anti-patterns" section showing common mistakes
   • Include more real-world examples for each workflow archetype
   • Create troubleshooting guide for tool selection
5. Agent Behavior: When users request workflows, the agent should:
   • Ask persona/role first to suggest appropriate archetype
   • Recommend sandbox.agent: awf by default
   • Suggest cache-memory for trend tracking scenarios
   • Include workflow_dispatch for scheduled workflows

---

Research Artifacts

Complete research data stored in cache memory:

• /tmp/gh-aw/cache-memory/persona-exploration/personas.json - 5 software personas
• /tmp/gh-aw/cache-memory/persona-exploration/scenarios.json - 10 automation scenarios
• /tmp/gh-aw/cache-memory/persona-exploration/analysis.json - Detailed analysis results

Workflow Run: §21741200612

AI generated by Agent Persona Explorer