Skip to content

Add security architecture slide to slides/index.md #17501

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 3 commits into from
Feb 21, 2026
Merged

Add security architecture slide to slides/index.md #17501

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5a8467c
Initial plan
Copilot Feb 21, 2026
8e6048f
Add security architecture slide to slides/index.md
Copilot Feb 21, 2026
c46575f
Replace ASCII diagram with Mermaid flowchart in security architecture…
Copilot Feb 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/src/content/docs/agent-factory-status.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
| [Daily Observability Report for AWF Firewall and MCP Gateway](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-observability-report.md) | codex | [![Daily Observability Report for AWF Firewall and MCP Gateway](https://github.com/github/gh-aw/actions/workflows/daily-observability-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-observability-report.lock.yml) | - | - |
| [Daily Project Performance Summary Generator (Using Safe Inputs)](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-performance-summary.md) | codex | [![Daily Project Performance Summary Generator (Using Safe Inputs)](https://github.com/github/gh-aw/actions/workflows/daily-performance-summary.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-performance-summary.lock.yml) | - | - |
| [Daily Regulatory Report Generator](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-regulatory.md) | copilot | [![Daily Regulatory Report Generator](https://github.com/github/gh-aw/actions/workflows/daily-regulatory.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-regulatory.lock.yml) | - | - |
| [Daily Rendering Scripts Verifier](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-rendering-scripts-verifier.md) | claude | [![Daily Rendering Scripts Verifier](https://github.com/github/gh-aw/actions/workflows/daily-rendering-scripts-verifier.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-rendering-scripts-verifier.lock.yml) | - | - |
| [Daily Safe Output Tool Optimizer](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-safe-output-optimizer.md) | claude | [![Daily Safe Output Tool Optimizer](https://github.com/github/gh-aw/actions/workflows/daily-safe-output-optimizer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-safe-output-optimizer.lock.yml) | - | - |
| [Daily Safe Outputs Conformance Checker](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-safe-outputs-conformance.md) | claude | [![Daily Safe Outputs Conformance Checker](https://github.com/github/gh-aw/actions/workflows/daily-safe-outputs-conformance.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-safe-outputs-conformance.lock.yml) | - | - |
| [Daily Secrets Analysis Agent](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-secrets-analysis.md) | copilot | [![Daily Secrets Analysis Agent](https://github.com/github/gh-aw/actions/workflows/daily-secrets-analysis.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-secrets-analysis.lock.yml) | - | - |
Expand Down Expand Up @@ -132,10 +133,13 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
| [Semantic Function Refactoring](https://github.com/github/gh-aw/blob/main/.github/workflows/semantic-function-refactor.md) | claude | [![Semantic Function Refactoring](https://github.com/github/gh-aw/actions/workflows/semantic-function-refactor.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/semantic-function-refactor.lock.yml) | - | - |
| [Sergo - Serena Go Expert](https://github.com/github/gh-aw/blob/main/.github/workflows/sergo.md) | claude | [![Sergo - Serena Go Expert](https://github.com/github/gh-aw/actions/workflows/sergo.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/sergo.lock.yml) | - | - |
| [Slide Deck Maintainer](https://github.com/github/gh-aw/blob/main/.github/workflows/slide-deck-maintainer.md) | copilot | [![Slide Deck Maintainer](https://github.com/github/gh-aw/actions/workflows/slide-deck-maintainer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/slide-deck-maintainer.lock.yml) | `0 16 * * 1-5` | - |
| [Smoke Agent](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-agent.md) | codex | [![Smoke Agent](https://github.com/github/gh-aw/actions/workflows/smoke-agent.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-agent.lock.yml) | - | - |
| [Smoke Claude](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-claude.md) | claude | [![Smoke Claude](https://github.com/github/gh-aw/actions/workflows/smoke-claude.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-claude.lock.yml) | - | - |
| [Smoke Codex](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-codex.md) | codex | [![Smoke Codex](https://github.com/github/gh-aw/actions/workflows/smoke-codex.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-codex.lock.yml) | - | - |
| [Smoke Copilot](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-copilot.md) | copilot | [![Smoke Copilot](https://github.com/github/gh-aw/actions/workflows/smoke-copilot.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-copilot.lock.yml) | - | - |
| [Smoke Copilot ARM64](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-copilot-arm.md) | copilot | [![Smoke Copilot ARM64](https://github.com/github/gh-aw/actions/workflows/smoke-copilot-arm.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-copilot-arm.lock.yml) | - | - |
| [Smoke Gemini](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-gemini.md) | gemini | [![Smoke Gemini](https://github.com/github/gh-aw/actions/workflows/smoke-gemini.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-gemini.lock.yml) | - | - |
| [Smoke Multi PR](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-multi-pr.md) | copilot | [![Smoke Multi PR](https://github.com/github/gh-aw/actions/workflows/smoke-multi-pr.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-multi-pr.lock.yml) | - | - |
Comment on lines 66 to 142
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These workflow entries appear to be unrelated to the stated purpose of this PR, which is to add a security architecture slide to the main slides deck. The PR description mentions adding a security architecture slide and Mermaid script initialization, but does not mention updating the agent factory status table. Consider moving these changes to a separate PR to maintain a clear separation of concerns.

Copilot uses AI. Check for mistakes.
| [Smoke Project](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-project.md) | copilot | [![Smoke Project](https://github.com/github/gh-aw/actions/workflows/smoke-project.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-project.lock.yml) | - | - |
| [Smoke Temporary ID](https://github.com/github/gh-aw/blob/main/.github/workflows/smoke-temporary-id.md) | copilot | [![Smoke Temporary ID](https://github.com/github/gh-aw/actions/workflows/smoke-temporary-id.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/smoke-temporary-id.lock.yml) | - | - |
| [Stale Repository Identifier](https://github.com/github/gh-aw/blob/main/.github/workflows/stale-repo-identifier.md) | copilot | [![Stale Repository Identifier](https://github.com/github/gh-aw/actions/workflows/stale-repo-identifier.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/stale-repo-identifier.lock.yml) | - | - |
Expand Down
53 changes: 53 additions & 0 deletions slides/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,11 @@ theme: gh-aw
paginate: true
---

<script src="./js/mermaid.min.js"></script>
<script>
mermaid.initialize({ startOnLoad: true });
</script>

# GitHub Agentic Workflows
## Write AI Automation in Natural Language
### Technical Preview
Expand Down Expand Up @@ -73,6 +78,54 @@ Summarize this issue and respond in a comment.

---

# Security Architecture

## Multi-layered defense in depth

<pre class="mermaid">
flowchart TB
subgraph ActionJobVM["Action Job VM"]
subgraph Sandbox1["Sandbox"]
Agent["Agent Process"]
end

Proxy1["Proxy / Firewall"]
Gateway["Gateway<br/>(mcpg)"]
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The HTML <br/> tag in the Gateway label should use HTML entity encoding to match the pattern used in docs/slides/index.md (line 406). The tag should be encoded as &lt;br/&gt; instead of <br/> to ensure consistent rendering across different Marp processors and prevent potential HTML injection issues in the diagram.

Suggested change
Gateway["Gateway<br/>(mcpg)"]
Gateway["Gateway&lt;br/&gt;(mcpg)"]

Copilot uses AI. Check for mistakes.

Agent --> Proxy1
Proxy1 --> Gateway

subgraph Sandbox2["Sandbox"]
MCP["MCP Server"]
end

subgraph Sandbox3["Sandbox"]
Skill["Skill"]
end

Gateway --> MCP
Gateway --> Skill

Proxy2["Proxy / Firewall"]
Proxy3["Proxy / Firewall"]

MCP --> Proxy2
Skill --> Proxy3
end

Service1{{"Service"}}
Service2{{"Service"}}

Proxy2 --> Service1
Proxy3 --> Service2
</pre>

- **Container isolation** - Agent, MCP servers, skills in separate sandboxes
- **Proxy/firewall at every layer** - Controls egress traffic and domain access
- **MCP Gateway** - Central routing with auditable tool access

---

# Tools & Integrations

Built-in tools:
Expand Down