GitHub has to change

It is clear at this point is that github’s trust and data models will have to change fundamentally to accommodate agentic workflows, or risk being replaced by other SCM

One cannot do these things easily with github now:

• granular control: this agent running in this sandbox can only push to this specific branch. If an agent runs amok, it could delete everybody’s branches and close PRs. github allows for recovery of these, but still inconvenient even if it happens once
• create a bot (exists already), but remove reviewing rights from it so that an employee cannot bypass reviews by tricking the bot to approve
• in general make a distinction between HUMAN and AGENT so that you can create rulesets to govern the relationships in between

The fundamental problem with GitHub is trust: humans are to be trusted. If you don’t trust a human, why did you hire them in the first place?

Anyone who reviews and approves PRs bears responsibility. Rulesets exist and can enforce e.g. CODEOWNER reviews or only let certain people make changes to a certain folder

But the initial repo setup on GitHub is allow-by-default. Anyone can change anything until they are restricted from it

This model breaks fundamentally with agents, who are effectively sleeper cells that will try to delete your repo the moment they encounter a sufficiently powerful adversarial attack

For example, I can create a bot account on github and connect @clawdbot to it. I need to give it write permission, because I want it to be able to create PRs. However, I don’t want it to be able to approve PRs, because a coworker could just nag at the bot until it approves a PR that requires human attention

To fix this, you have to bend backwards, like create a @ human team with all human coworkers, make them codeowner on /, and enforce codeowner reviews. This is stupid and there has to be another way

Even worse, this bot could be given internet access and end up on a @elder_plinius prompt hack while googling, and start messing up whatever it can in your organization

It is clear that github needs to create a second-class entity for agents which are default low-trust mode, starting from a point of least privilege instead of the other way around

---

Originally posted on X:

• https://x.com/onusoz/status/2012490970793746652
• https://x.com/onusoz/status/2012668646829560199