Problem
When using gh-aw with strict mode and safe_outputs.create-pull-request,
it is not possible to create a PR that modifies files under:
.github/workflows/
This is because:
- workflows: write is disallowed in frontmatter
- contents: write is also rejected in strict mode
- modifying workflow files requires elevated permissions
Use Case
I am building a CI optimization agent that:
- analyzes workflow performance
- proposes improvements
- creates PRs updating ci.yml
Currently this is blocked by permission constraints.
Question
What is the intended pattern for:
- agents that need to propose workflow changes?
- or safe PR creation for workflow file modifications?
Should this:
- Be done via an external GitHub App with workflow scope?
- Be disallowed intentionally?
- Be supported in a future version?
Would appreciate clarification or recommended architecture.