Ken Muse
GitHub Agentic Workflows Bring AI Agents to Actions
What if your repository could triage issues, investigate CI failures, and update documentation without you? GitHub just launched Agentic Workflows – a new way to automate repository tasks using AI coding agents, all written in plain Markdown. Here’s a look at how they work, what makes the security model interesting if you work with AI, and why you should pay attention.

What Is MCP and Why Do Developers Care?
Ever notice how AI assistants are brilliant at reasoning but can’t actually check your database or call your APIs? You end up playing middleman, copying data back and forth. Model Context Protocol (MCP) changes that. It’s an open standard that lets AI assistants connect directly to your data sources and tools while keeping you in control. Let me show you more about what it is, how it works, and why it matters.

Configuring GitHub Runners With a Dotfiles Action
Your dotfiles repository already personalizes your development environments, but what if it could do more? What if the same configurations that protect your local machine could secure your CI/CD pipelines? By adding a simple composite action to your dotfiles repo, you can apply security settings and configurations to any GitHub runner – without managing tokens or cloning anything yourself. Let me show you how.

Deploying Services on GitHub Runner Custom Images
What if you could run your own Docker registry, package cache, or proxy directly on your GitHub runners? Because custom images give you administrative rights, you can deploy persistent services that stick around for every workflow. In this post, you’ll discover how to turn your runners into powerful infrastructure hubs that speed up builds and cut your external dependencies dramatically.

Caching Repositories on GitHub Runner Custom Images
Waiting minutes for a massive repository to clone in every workflow run is painful. I’ll show you how to bake that repository into your custom GitHub runner image and then use Git’s reference clone feature – a clever trick that cuts clone times from minutes to seconds.

Masking Sensitive Information on GitHub Runner Custom Images
When using GitHub custom images, you may need to handle sensitive information at different stages of the image lifecycle. Today, you’ll learn to use workflow commands to mask sensitive data during both image creation and job execution, ensuring secrets stay protected in your build logs.

Using GitHub Custom Images with OIDC
Sometimes you need to configure the workflow’s runner dynamically before it runs any steps. For example, you may need the runner to get access to a set of secure resources. This post shows how to use OpenID Connect (OIDC) tokens to avoid storing secrets or using long-lived credentials.

Pre-Caching Docker Images on GitHub Runner Custom Images
If you run your jobs in containers or use service containers, you may spend a lot of time waiting. If those images are outside of your runner environment, then you may also be seeing rising egress charges from your cloud provider. Let’s change that. Learn how pre-caching Docker images in custom runner images can significantly reduce workflow execution time by eliminating redundant layer downloads.

Using GitHub Custom Images for Workflow Validation
There’s a lot that custom runner images can do for your security. This post shows how pre-job scripts in custom runner images can enforce workflow validation that workflow authors can’t bypass – so only approved workflows run on your GitHub Actions runners.

Layering Approaches for Secure Secrets
You’ve learned about individual secret management techniques, but the real power comes from combining them. In this final post of the series, I’ll show you how to layer multiple approaches to create defense-in-depth security that actually works in practice. Through real-world examples – from GitHub Actions to dev containers – you’ll see how to transform isolated techniques into comprehensive strategies that protect your secrets at every level.