Bringing technical clarity to the unknown

GitHub Actions Agentic Workflows

16 Jun 2026 🔖 security devops
💬 EN

Table of Contents

  1. This is a deterministic CI/CD pipeline, authored in YAML (a classic GitHub Actions “workflow”).
  2. This is a nondeterministic CI/CD pipeline, authored in Markdown (a public-preview GitHub Actions “agentic workflow”).

I’m not sure how to feel about that. Lots of “lethal trifecta” (see Simon Willison’s blog) and “software supply chain security” (see Andrew Nesbitt’s blog) issues to be explored, that’s for sure.

Agentic ops

Update: I got to have a great conversation with some other developers about the promises and threats of LLM GenAI-based approaches to troubleshooting operational issues.

First, I clarified:

“Like this?

  1. “Letting an LLM nondeterministically use its embedded powers of probability to decide amongst the following options for how a given error in CI/CD pipeline logs is best handled:
    • by quietly running diagnostics and authoring a pull request and running regression tests against the pull request it just authored, vs.
    • by Slack-pinging a repo owner
  2. “Rather than, say, hard-coding a deterministic rule of:
    • if this error, and if repeated 5 times or more in 30 seconds,
    • then Teams-ping a repo owner”

History of AI ops

I pondered, about the idea of programming such things using English as a programming language:

“Yeah, I mean, probability-based approaches to troubleshooting have definitely existed as service operations techniques used for the last decade+ at adequate levels of scale.

“Having a bit of ‘machine learning’ helping constantly readjust the threshholds at which a questionably performing container in a Kubernetes cluster, for example, gets destroyed and recreated, rather than just setting and forgetting it at ‘XYZ must be <90%.’

“I think it was previously mostly seen at massive scale of service traffic, though, because programming older probability-based tools was a lot harder than writing plain English, so you had to have a bunch of data science PhDs embedded in the ops teams to get it to work right, or whatever.

“I suppose an advantage to having all of those probability and statistics PhDs running around, though, is that they’ve got that deep level of familiarity with when a nondeterministic probability-based solution ain’t the right solution.

“It’ll probably be both a blessing and a curse for it to be accessible to the rest of us to try to make that architectural/design decision, for any given solution implementation.”

Dangers of AI ops

I also think that as a culture, we haven’t yet latched onto widespread understanding of what it means to be deterministic vs. nondeterministic, so most of us tend to presume if it’s a computer, it behaves more or less deterministically, because that’s how they did behave for decades.

  • We’ll get there – formerly highly technical jargon makes its way into common usage all the time once wider audiences suddenly have a reason to understand a tricky subject at a conceptual level.
  • But in the meantime, I think we’re facing down a lot of potentially confused people trying to make generative AI to do things that would be better solved with a deterministic approach.

Statistical methods as social sciences

One person in the conversation had this absolute gem:

“‘AI’ appears to be reinventing people but worse.”

Speaking of trying to reinvent the human by using probability and statistics math, check out Chris Wiggins and Matthew Jones’s “How Data Happened: a History from the Age of Reason to the Age of Algorithms.” It turns out that “data-driven” decisionmaking about how to organize ourselves, as groups of people, is only about 500 years old. Before that, you had philosophers Aristotle and Machiavelli just arguing. (The book covers the ways in which it’s debatable whether data-driven decisionmaking is actually an improvement to human life. Which Annalee Newitz’s “Stories Are Weapons: Psychological Warfare and the American Mind” makes a great companion piece to, by the way – they both touch on early-20th-century American advertising’s impacts on the social sciences, and vice-versa.)

Naming AI

Also, remember:

As soon as it works, no one calls it AI anymore.

(As I heard on, I believe it was the .NET Rocks podcast, once we know what it’s “for,” we instead give it a name like “machine learning,” “natural language processing,” “optical character recognition,” “automatic speech recognition,” “data mining,” “heuristic search,” etc. And then “AI” gets recycled to describe the next thing we don’t quite understand.)

We still don’t actually know everything about what LLM-based GenAI is and isn’t good at.

--- ---