For engineering and platform teams, the high-signal review is a path review: agent-assisted PR -> workflow or script change -> CI job -> credential -> action -> target. If that chain exists, PR review alone may not answer who approved the credentialed action.
Where the secret path appears
Workflow file changes
Changes to GitHub Actions, GitLab CI, Buildkite, CircleCI, Harness, or similar config can change which jobs run and which secrets are available.
Package scripts
Install, postinstall, build, test, release, or publish scripts may execute inside CI with environment variables or tokens present.
Reusable jobs
A seemingly local repo change may call shared workflows, runners, deploy jobs, signing steps, or package publishing paths.
Tool calls
MCP tools or internal automation may use service tokens even when the original task looked like normal code assistance.
Three indirect ways access happens
| Path | What to check |
|---|---|
| Workflow edit | An AI-assisted PR changes a workflow file, reusable job, or runner setting that later receives repository or organization secrets. |
| Script execution | A package, build, test, release, or migration script runs inside CI where tokens or cloud roles are already present. |
| Tool delegation | An MCP tool, bot, or internal automation uses its own service token, even if the agent never sees the secret value directly. |
Checklist for one workflow
- Can agent-authored work change workflow files, runner config, package scripts, or release scripts?
- Which secrets, cloud roles, package tokens, signing keys, or deploy credentials are available to the job?
- Can the job write, deploy, publish, delete, migrate, or call an internal system?
- Does approval happen before merge, before job run, before credential use, or only after the action?
- Can you reconstruct actor, human owner, PR, workflow, credential, target, approval, validation, and outcome?
What should require approval?
Keep normal edits fast. Add approval where the path crosses from code assistance into credentialed action: workflow-file changes, deployment jobs, package publishing, artifact signing, database migrations, infrastructure changes, cloud commands, and internal tool calls.
Source notes
- GitHub Copilot cloud agent docs describe agents working in a GitHub Actions-powered environment where they can make code changes and run tests.
- GitHub responsible-use guidance states that workflows triggered by Copilot cloud-agent pull requests require approval before they run.
- Claude Code permissions docs show why file edits, shell commands, and tool access need explicit permission decisions.
Map one credentialed path.
Clyra maps selected workflows and returns the action path, credential reach, approval gap, and evidence packet.
Map one workflow