Closed
Objective
Update the developer.instructions agent (.github/agents/developer.instructions.md) to more prominently document that the agent job must stay read-only, with all GitHub writes routed exclusively through the safe-outputs system.
Background
Discussion #19488 found that across 5 AI-generated workflows, one placed issues: write directly on the agent job — the only security deviation in all responses. The pattern is documented but not prominently enough for agents to consistently apply it.
Approach
- Add a dedicated Security Posture section (or expand the existing one) in .github/agents/developer.instructions.md that makes the rule explicit:
  - Agent job permissions must be read-only for all scopes
  - All GitHub writes (issues, PRs, comments, discussions) must go through safe-outputs
  - Include a concrete ✅ / ❌ example showing the correct pattern vs. the anti-pattern
Example to add:
### ✅ Correct: Agent job read-only, writes via safe-outputs
permissions:
  contents: read
  pull-requests: read
  issues: read
safe_outputs:
  - create_issue
  - add_comment
### ❌ Incorrect: Write permissions on agent job
permissions:
  contents: read
  issues: write # WRONG: agent job must stay read-only
- Place this near the top of the security/permissions section so it appears early in the agent's context window.
Files to Modify
- .github/agents/developer.instructions.md — add/expand the safe-outputs-only write pattern section
- Run make recompile to regenerate any lock files if the agent file is used in compiled workflows
Acceptance Criteria
- The safe-outputs-only write pattern is documented with ✅ / ❌ examples
- The anti-pattern (write permissions on agent job) is explicitly called out
- The section appears prominently (not buried at the end)
- make recompile runs without errors
Generated by Plan Command for issue #discussion #19488 · expires on Mar 6, 2026, 8:04 AM UTC
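A check for the anti-pattern described in this issue, added here as an example and not part of the issue or the project's code: it scans the permissions block of an agent job (or workflow frontmatter) and reports any scope granted write, including the `write-all` shorthand. The function name `find_write_permissions` and the sample inputs are constructed for illustration, and the input is assumed to contain only the agent job's permissions, not those of the jobs that apply safe-outputs.

```python
import re

# Constructed samples mirroring the correct pattern and the anti-pattern above.
CORRECT = """\
permissions:
  contents: read
  pull-requests: read
  issues: read
safe_outputs:
  - create_issue
  - add_comment
"""
INCORRECT = """\
permissions:
  contents: read
  issues: write # WRONG: agent job must stay read-only
"""
SHORTHAND = "permissions: write-all\n"

def find_write_permissions(text):
    """Return (line_no, scope, level) for every write grant in a permissions block."""
    findings = []
    block_indent = None  # indent of the enclosing 'permissions:' key, if inside one
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # naive comment strip, fine for this block
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        head = re.match(r"\s*permissions:\s*(\S*)$", line)
        if head:
            value = head.group(1).strip("'\"")
            if value == "write-all":
                findings.append((n, "*", "write-all"))
            # Only a bare 'permissions:' opens a nested block of scopes.
            block_indent = indent if value == "" else None
            continue
        if block_indent is None:
            continue
        if indent <= block_indent:  # dedent: the permissions block has ended
            block_indent = None
            continue
        scope = re.match(r"\s*([\w-]+):\s*(\S+)$", line)
        if scope and scope.group(2).strip("'\"") == "write":
            findings.append((n, scope.group(1), "write"))
    return findings

if __name__ == "__main__":
    for name, sample in [("correct", CORRECT), ("incorrect", INCORRECT)]:
        print(name, find_write_permissions(sample))
```
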