The Aspire team, a 10-person shop building distributed app dev tools, shipped 82 feature-documentation pull requests across two repos in two release cycles, at a median of 44.8 hours after the corresponding product pull request merged. No new headcount. The tool: GitHub Agentic Workflows, a GitHub Next project that runs a model as a work-item processor inside a constrained, auditable pipeline.
The hard problem here is cross-repo automation without broad write tokens. Aspire's code lives in microsoft/aspire, docs in microsoft/aspire.dev. The security unlock is architectural: the agent gets read access and emits a JSON intent blob describing the pull requests and comments it wants to create, then a separate narrowly scoped job called the safe-outputs handler materializes those writes through a per-workflow GitHub app with explicit allow-lists. The agent never touches GitHub directly. Security review passes. Writes happen.
The article is worth reading in full for the target branch resolution logic alone: a deterministic bash resolver runs before the agent wakes up, mapping product-repo milestone titles like 13.4 to docs-repo release branches, with a four-step fallback chain ending at main. That design choice is what makes the agent's output reliable rather than creative. The prompt structure, the compiled .lock.yml workflow, and the full diff-to-draft pipeline are all shown in detail.
[READ ORIGINAL →]