diff --git a/.github/workflows/file-size-reduction-project71.campaign.lock.yml b/.github/workflows/file-size-reduction-project71.campaign.lock.yml
index 9c49d2ff36..5f75f21998 100644
--- a/.github/workflows/file-size-reduction-project71.campaign.lock.yml
+++ b/.github/workflows/file-size-reduction-project71.campaign.lock.yml
@@ -1892,7 +1892,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
-          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10},\"create_issue\":{\"max\":1}}"
+          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10},\"create_issue\":{\"max\":1},\"create_project_status_update\":{\"github-token\":\"${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}\",\"max\":1}}"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
diff --git a/pkg/cli/templates/github-agentic-workflows.md b/pkg/cli/templates/github-agentic-workflows.md
index f8052224b8..3b3b292db4 100644
--- a/pkg/cli/templates/github-agentic-workflows.md
+++ b/pkg/cli/templates/github-agentic-workflows.md
@@ -617,6 +617,25 @@ The YAML frontmatter supports these fields:
       github-token: ${{ secrets.CUSTOM_PAT }}  # Use custom PAT instead of GITHUB_TOKEN
     ```
     Useful when you need additional permissions or want to perform actions across repositories.
+  - `allowed-domains:` - Allowed domains for URLs in safe output content (array)
+    - URLs from unlisted domains are replaced with `(redacted)`
+    - GitHub domains are always included by default
+  - `allowed-github-references:` - Allowed repositories for GitHub-style references (array)
+    - Controls which GitHub references (`#123`, `owner/repo#456`) are allowed in workflow output
+    - References to unlisted repositories are escaped with backticks to prevent timeline items
+    - Configuration options:
+      - `[]` - Escape all references (prevents all timeline items)
+      - `["repo"]` - Allow only the target repository's references
+      - `["repo", "owner/other-repo"]` - Allow specific repositories
+      - Not specified (default) - All references allowed
+    - Example:
+      ```yaml
+      safe-outputs:
+        allowed-github-references: []  # Escape all references
+        create-issue:
+          target-repo: "my-org/main-repo"
+      ```
+      With `[]`, references like `#123` become `` `#123` `` and `other/repo#456` becomes `` `other/repo#456` ``, preventing timeline clutter while preserving information.
 
 - **`safe-inputs:`** - Define custom lightweight MCP tools as JavaScript, shell, or Python scripts (object)
   - Tools mounted in MCP server with access to specified secrets