[instructions] Sync github-agentic-workflows.md with v0.68.3 #26400

Merged
pelikhan merged 1 commit into main from instructions-sync-v0.68.3-b6296fff2691b1f6
Apr 15, 2026

@github-actions
Contributor

Instructions Update - Synchronized with v0.68.3

This PR updates github-agentic-workflows.md based on code changes shipped in v0.68.3.

Changes Made

  • Compilation flags: Added --validate-images (opt-in Docker container image validation; previously skipped silently when Docker was unavailable) and --approve (renamed from --safe-update, approves all safe update changes including new secrets and action additions/removals)
  • Import file structure: Documented the full list of frontmatter fields that are merged from imported shared workflows (env:, checkout:, github-app:, on.github-app:, and others), with an updated example showing env: and checkout: in practice

Documentation Commits Reviewed

  • No documentation commits since v0.68.3 release (only one commit: e44f4e7 CLI fix)

Safe-Outputs Code Audit

  • Reviewed compiler_types.go and safe_outputs_config.go — all safe-output types and global configuration fields already documented in the instructions; no gaps found

Release Notes Items Addressed

Validation

  • Followed prompting best practices (imperative mood, minimal examples)
  • Maintained technical tone and brevity
  • Updated only necessary sections
  • Verified accuracy against current codebase (compiler_types.go, safe_outputs_config.go, cmd/gh-aw/main.go, pkg/parser/import_field_extractor.go)
  • Removed outdated or redundant content

Generated by Instructions Janitor · ● 586K ·

  • expires on Apr 17, 2026, 11:01 AM UTC

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added the automation, documentation, and instructions labels on Apr 15, 2026

@utafrali utafrali left a comment

The import-field merge-behavior table and the two new flags are a useful addition, but the last bullet in the fields list omits merge semantics for seven fields, breaking the consistent pattern established by every other entry. The --approve rename also needs a migration note to avoid silently breaking existing scripts.

- `on.github-app:` - Activation GitHub App credentials (first-wins across imports)
- `steps:`, `pre-steps:`, `post-steps:` - Steps appended in import order
- `runtimes:`, `network:`, `permissions:`, `services:`, `cache:`, `features:`, `mcp-servers:`


This line lists seven fields without describing their merge behavior, which is inconsistent with every other entry in this list. All sibling bullets explicitly describe their semantics (last-wins, first-wins, appended, etc.). A reader cannot infer merge behavior for fields like permissions: or network: without this detail. Consider expanding to something like:

- `runtimes:`, `network:`, `permissions:`, `services:`, `cache:`, `features:`, `mcp-servers:` - Last import wins; main workflow takes precedence

or split them if their merge strategies differ.

gh aw compile --validate-images

# Approve all safe update changes (new secrets, action additions/removals not in manifest)
gh aw compile --approve
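
Review bot: the comment above `gh aw compile --approve` says the flag approves new secrets and action additions/removals not in the manifest, but gives no guidance on when to use it. Since one invocation accepts every pending change of those kinds, suggest adding a sentence telling readers to review the pending changes first and not to pass the flag unconditionally in automated compile steps.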

The --approve flag is documented here as if it is new, but per the PR description and PR #26160 it is a rename of --safe-update. Any existing script or workflow that passes --safe-update will silently or loudly break after upgrading without knowing where to look. Adding a parenthetical like (formerly --safe-update) gives readers a clear migration path.

gh aw compile --runner-guard # Runner constraint scanner (requires Docker)

# Require Docker for container image validation (silently skipped without this flag when Docker is unavailable)
gh aw compile --validate-images
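
Review bot: the comment on `gh aw compile --validate-images` says Docker is required, but does not say what the command does when the flag is set and Docker is missing. State the outcome explicitly (for example, that compilation exits with an error) so a skipped image check cannot be mistaken for a passing one.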

The parenthetical (silently skipped without this flag when Docker is unavailable) is ambiguous. It could be read as: validation is skipped when (a) the flag is absent OR (b) Docker is unavailable, or that both conditions must hold simultaneously. The intended meaning is that the flag opts in to making Docker required, and the old default was a silent skip. A clearer phrasing would be:

# Enable container image validation; requires Docker (without this flag, validation is silently skipped when Docker is unavailable)

@pelikhan pelikhan merged commit 2c038c7 into main Apr 15, 2026
84 checks passed
@pelikhan pelikhan deleted the instructions-sync-v0.68.3-b6296fff2691b1f6 branch April 15, 2026 12:49