Main Branch

Fundamentals first, always

Issue #31

🚦 Main Branch: The One Where the Bots Run CI (If You Let Them)

github-actions agentic-workflows github-copilot ci-cd playwright newsletter

Hiya friends,

Two ships this week, and they rhyme. GitHub spent the week working out who gets to run things inside Actions: the bots that open your pull requests, and the agents you point at your repo. Both shipped with a gate attached.

🚢 What Shipped

Bot-created PRs can now run your CI, behind an approval gate

Until now, a pull request opened by github-actions[bot] couldn’t trigger your CI/CD workflows, so bot changes could reach merge without your checks ever running. As of June 11, those PRs run the configured workflows once someone with write access approves them. The approval step is deliberate: it keeps generated code from automatically running workflows that might touch secrets. If you live in Dependabot or Renovate, this closes a real gap, and it also means a human clicks before CI moves.
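One way to keep least privilege now that bot-authored PRs can run workflows, as an added example that is not the newsletter's or GitHub's own config: the job token is read-only across the workflow, and the one job that needs a deployment secret is skipped whenever the PR author is github-actions[bot], so approving a bot PR only ever unlocks the test job. The secret name DEPLOY_TOKEN, the job layout and the deploy script path are assumptions.

```yaml
# Added example, not the newsletter's own config. Assumes a repo secret named DEPLOY_TOKEN
# and a script at ./scripts/deploy-preview.sh (both placeholders).
name: ci
on:
  pull_request:

# Least privilege for every job: GITHUB_TOKEN can read the repo and nothing else.
permissions:
  contents: read

jobs:
  test:
    # Safe to approve on a bot-authored PR: no secrets are passed in, token is read-only.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  preview-deploy:
    # Skip the secret-bearing job whenever the PR was opened by github-actions[bot],
    # so approving a bot PR never hands DEPLOY_TOKEN to generated code.
    if: github.event.pull_request.user.login != 'github-actions[bot]'
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy-preview.sh   # assumed script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

The same condition works for other bot logins (dependabot[bot], renovate[bot]) if you want the secret-bearing job kept off those PRs too.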

GitHub Agentic Workflows landed in public preview

You can now run coding agents inside Actions for the reasoning-heavy chores: issue triage, CI failure analysis, doc updates. You write the automation as a Markdown file in plain language, and it compiles to standard Actions YAML, so it runs on your existing runner groups under the policies you already enforce. By default the agent is read-only, sandboxed in a container behind an Agent Workflow Firewall, with a threat-detection job that scans proposed changes before they apply. Quickstart is at gh.io/gh-aw-quickstart.

📖 What I’m Reading

Make the System Work for You by Scott Berkun

An excerpt from Why Design Is Hard. Berkun leans on Deming’s claim that 94% of an organization’s results come from its systems, not the individuals, and argues the smart move is to map how your org actually works instead of fighting it head-on. I keep coming back to the Chesterton’s Fence line: don’t tear down a process until you understand why it’s there.

Worth your time if: you’re the person who keeps trying to fix the org by force and burning out for it.

🔧 What I’m Using

Chromium Control Canvas, a GitHub Copilot canvas extension I built. The host app’s built-in browser canvas runs on WebKit, so this one launches a real headful Chromium through Playwright and gives the agent the full action set (snapshot, click, type). It reuses the Claw Relay patterns: a persistent profile, a site blocklist, and an audit log. I reach for it when an agent needs a real logged-in Chrome session, like confirming a deploy renders or walking a signup flow, with access scoped and logged.

✨ This Week

I’ve got World Cup fever. Main Branch goes every other week through the summer so I can get some proper downtime. First up is a week in Colombia with my youngest to see family, while my oldest is on the road with houseband.live. Then in July I’m back in Berlin for WeAreDevelopers World Congress (July 8 to 10), glad to catch up with European friends. Last year I led a workshop there building GitVision, an app that turns your GitHub commits into AI-curated Eurovision playlists, one Copilot prompt at a time. A year on, I wouldn’t hand-prompt it function by function. I’d write the spec once in Spec Kit and let the coding agent work the plan and tasks while I steer and review. Back to weekly when summer’s over, which conveniently leaves more time for the World Cup.

See you in two weeks.

With gratitude, Andrea