docs/src/content/docs/reference/safe-outputs-pull-requests.md (17 additions, 1 deletion)
@@ -275,14 +275,30 @@ This protects against supply chain attacks where an AI agent could inadvertently
275
275
276
276
### Policy Options
277
277
278
-
Configure the `protected-files` field on either safe output:
278
+
The `protected-files` field accepts either a string policy value or an object with a `policy` and an `exclude` list.
279
+
280
+
**String form** — set a single policy for all protected files:
279
281
280
282
| Value | Behaviour |
281
283
|-------|-----------|
282
284
| `blocked` (default) | Hard-block: the safe output fails with an error |
283
285
| `fallback-to-issue` | Create a review issue with instructions for the human to apply or reject the changes manually |
284
286
| `allowed` | No restriction — all protected file changes are permitted. **Use only when the workflow is explicitly designed to manage these files.** |
285
287
288
+
**Object form** — set a policy and exclude specific files from the protected set:
289
+
290
+
```yaml wrap
291
+
safe-outputs:
292
+
create-pull-request:
293
+
protected-files:
294
+
policy: fallback-to-issue # same values as string form (default: blocked)
295
+
exclude:
296
+
- AGENTS.md # allow the agent to update its own instruction file
297
+
- .agents/ # allow updates to the .agents/ directory
298
+
```
299
+
300
+
The `exclude` list names files by **basename** (e.g., `AGENTS.md`) or **path prefix** (e.g., `.agents/`) to remove from the default protected set. The remaining protected files still enforce the configured policy. This is useful when a workflow is explicitly designed to manage one specific instruction file without disabling all protection.
301
+
286
302
**`create-pull-request` with `fallback-to-issue`**: the branch is pushed normally, then a review issue is created with a PR creation intent link, a `[!WARNING]` banner explaining why the fallback was triggered, and instructions to review carefully before creating the PR.
287
303
288
304
**`push-to-pull-request-branch` with `fallback-to-issue`**: instead of pushing to the PR branch, a review issue is created with the target PR link, patch download/apply instructions, and a review warning.
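Review bot: the new semantics paragraph (the line beginning `The \`exclude\` list names files by **basename**`) does not say how wide the carve-out is, which matters because every excluded entry is removed from the protected set. State whether a basename entry such as `AGENTS.md` unprotects only the repository-root file or an `AGENTS.md` at any depth, whether a prefix such as `.agents/` is anchored at the root or matches `foo/.agents/` too, and whether glob patterns are accepted or the entries are literal basenames and prefixes only; the example comment `# allow the agent to update its own instruction file` reads as a single-file exception, and a basename match at any depth would be broader than that. Separately, the rewritten intro line `The \`protected-files\` field accepts either a string policy value or an object with a \`policy\` and an \`exclude\` list.` drops the "on either safe output" qualifier of the removed line, and the YAML example only shows `create-pull-request`; add a clause that the object form is also accepted by `push-to-pull-request-branch`, or readers will take it as PR-creation-only.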
**`--approve` flag:** When compiling a workflow that already has a lock file, the compiler enforces *safe update mode* — any newly added secrets or custom actions not present in the previous manifest require explicit approval. Pass `--approve` to accept these changes and regenerate the manifest baseline. On first compile (no existing lock file), enforcement is skipped automatically and `--approve` is not needed.
261
263
262
264
**Error Reporting:** Displays detailed error messages with file paths, line numbers, column positions, and contextual code snippets.
263
265
@@ -318,7 +320,7 @@ gh aw run workflow --push --ref main # Push to specific branch
318
320
gh aw run workflow --json # Output triggered workflow results as JSON