Part 2 · Scaling Out

Agentic Workflows · ~6 min

Agents in the Pipeline

An agent in CI is an agent with no human to redirect it. That changes everything — the cap on its turns, the source of its permissions, and what happens when its output merges unreviewed.

Why this, for you: headless agents are how you move work from interactive sessions into automation that runs on every PR. This lesson covers the three flags that keep a pipeline predictable and bounded, and the failure modes that make a gated session the better choice.

claude -p "<prompt>" runs non-interactively and exits when done; piped stdin arrives as context before the prompt. The two things that make this safe in CI are a turn cap and a permission model that doesn't rely on prompts — because in print mode, the human isn't there to answer them.

1. Cap the turns, bound the spend

Without a turn limit, an agentic run can loop indefinitely on an ambiguous task. --max-turns N sets a hard ceiling on reasoning steps and exits with an error when reached. There is no default — without it, there is no limit. Three flags stack into layered cost control:

| Flag | Effect |
| --- | --- |
| --max-turns N | Caps reasoning steps; exits with error at the limit |
| --max-budget-usd | Stops at a dollar ceiling (print mode only) |
| --model sonnet | Lower cost than opus per token |

Add a workflow-level timeout-minutes in GitHub Actions as a second layer against hung jobs. --output-format json makes the response machine-readable for downstream scripts.

2. Permissions when no human is watching

PermissionRequest hooks do not fire in non-interactive mode. There's no one to prompt. Enforcement shifts to PreToolUse hooks or an explicit --allowedTools allowlist — or to a purpose-built mode.

Two modes beat --dangerously-skip-permissions for most CI work: --permission-mode dontAsk ("locked-down CI and scripts" — auto-denies anything that would prompt, runs only allowlisted tools and read-only Bash) and --permission-mode auto (a server-side classifier blocks destructive patterns; Anthropic's guidance is to prefer this over bypassPermissions for background safety). Reserve --dangerously-skip-permissions for ephemeral, isolated runners where unintended writes have bounded blast radius.

```yaml
# PR review on every PR, three layers of cost protection
uses: anthropics/claude-code-action@v1
with:
  prompt: "Review the PR diff for bugs and security issues."
  claude_args: "--max-turns 5 --max-budget-usd 1.00 --model sonnet"
# plus timeout-minutes: 10 at the job level
```
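
A pre-merge check for the flags above, as an added example that is not part of the original lesson or of Claude Code: it parses a step's claude_args and reports which cost layers are missing and whether permissions are bypassed. The function names, the finding text and the audit policy are assumptions; the flags and modes are the ones this lesson names.

```python
import shlex

# The flags and modes are the ones this lesson names; the audit policy and
# the finding wording are assumptions of this example.
VALUE_FLAGS = {"--max-turns", "--max-budget-usd", "--model",
               "--permission-mode", "--output-format"}


def parse_flags(claude_args):
    """Turn a claude_args string into {flag: value, or True for a switch}."""
    tokens = shlex.split(claude_args)
    flags, i = {}, 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("--"):
            if sep:                                   # --flag=value
                flags[name] = value
            elif name in VALUE_FLAGS and i + 1 < len(tokens):
                i += 1                                # --flag value
                flags[name] = tokens[i]
            else:
                flags[name] = True                    # bare switch
        i += 1
    return flags


def audit(claude_args, timeout_minutes=None):
    """Return findings for one headless step; an empty list means it passes."""
    flags = parse_flags(claude_args)
    findings = []
    turns = flags.get("--max-turns")
    if not (isinstance(turns, str) and turns.isdigit() and int(turns) > 0):
        findings.append("no --max-turns: there is no default, so no limit")
    if "--max-budget-usd" not in flags:
        findings.append("no --max-budget-usd: no dollar ceiling")
    if timeout_minutes is None:
        findings.append("no job-level timeout-minutes: hung jobs run on")
    if "--dangerously-skip-permissions" in flags:
        findings.append("--dangerously-skip-permissions: isolated runners only")
    if flags.get("--permission-mode") == "bypassPermissions":
        findings.append("bypassPermissions: prefer --permission-mode auto")
    return findings


# Constructed inputs: the lesson's own claude_args, and a weak variant.
LESSON_STEP = "--max-turns 5 --max-budget-usd 1.00 --model sonnet"
WEAK_STEP = "--model opus --dangerously-skip-permissions"

if __name__ == "__main__":
    for args, timeout in ((LESSON_STEP, 10), (WEAK_STEP, None)):
        print(args, "->", audit(args, timeout) or "ok")
```

PreToolUse hooks live in settings rather than in claude_args, so this check cannot see them and says nothing about whether they are in place.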

When a gated session beats print mode

--max-turns cuts off mid-solution on an underspecified task — the run exits non-zero but the partial work still cost budget. Auto-merged output ships low-quality patches silently, and every noisy PR erodes review discipline across the repo. Subscription runners can hit session exhaustion that --max-budget-usd (which caps API-billed spend) won't protect against. And any policy that relied on dynamic PermissionRequest approval must be rewritten — those hooks don't fire here.

↪ Your win: a bounded, reviewable pipeline agent

Retrieval practice — recall, don't peek

Question 1: In print mode, --max-turns defaults to…

Question 2: In non-interactive mode, PermissionRequest hooks…

Question 3: The mode explicitly labeled for locked-down CI and scripts is…

Question 4: Auto-merging headless output without review tends to…

Question 5 · spaced recall from Lesson 5: Beyond files and branches, git worktrees fail to isolate…

Ask me anything. Want the full GitHub Actions PR-review workflow with all three cost layers, or how the deferred-permission pattern lets a pipeline pause for out-of-band approval instead of auto-denying? Next in Part 2: Handoffs — moving work between agent and human, cloud and local.