This is Part 7 of our series on AI coding assistants for developers. See also: Comparing AI CLI Coding Assistants, CLIs or MCP for Coding Agents, and 6 Developer CLIs That AI Coding Agents Actually Use Well.
AI coding agents have moved beyond your terminal. In February 2026, GitHub launched Agentic Workflows — a way to run AI agents directly inside GitHub Actions, triggered by issues, PRs, and CI events. This means agents can now triage bugs, generate fixes, write tests, and open pull requests without a human sitting at the keyboard.
But here's the part most guides skip: what happens after the PR merges? The agent generated the code, CI validated it, the PR got approved — now it needs to reach your servers. That's the deployment gap, and it's where most agentic CI/CD setups fall apart.
This guide covers how to connect AI-powered CI pipelines to real deployment workflows using the DeployHQ CLI (dhq). You'll get a practical setup that goes from GitHub issue to production deployment, with the agent handling as much as you're comfortable delegating.
What Are GitHub Agentic Workflows?
GitHub Agentic Workflows let you define AI agent tasks as Markdown files in your repository. When a trigger fires — a new issue, a PR comment, a schedule — GitHub Actions spins up a coding agent that can read your codebase, make changes, run commands, and open pull requests.
The key difference from traditional CI/CD: the workflow is described in natural language, not YAML. You write what you want the agent to do, and the agent figures out how to do it.
# .github/agents/fix-bug.md
When a new issue is labeled "bug" and "auto-fix":
1. Read the issue description and any linked error logs
2. Search the codebase for the relevant code
3. Write a fix and add or update tests
4. Open a pull request referencing the issue
This compiles into a lockfile that GitHub Actions executes with strict security boundaries — filesystem isolation, scoped secrets access, and deterministic logging.
The Deployment Gap
Most agentic CI tutorials stop at the agent opens a PR.
That's useful, but it's only half the workflow. A complete agent-assisted pipeline looks like this:
flowchart LR
A[Issue Created] --> B[Agent Generates Fix]
B --> C[PR Opened]
C --> D[CI Tests Pass]
D --> E[Human Approves PR]
E --> F[Merge to Main]
F --> G[Deploy to Staging]
G --> H[Verify Deployment]
H --> I[Deploy to Production]
Steps A through F are well covered by GitHub Agentic Workflows. Steps G through I — the deployment — are where dhq comes in.
Setting Up the DeployHQ CLI in GitHub Actions
The dhq CLI is a single binary with no runtime dependencies, which makes it straightforward to install in CI environments.
Step 1: Add DeployHQ Credentials
Store your DeployHQ API credentials as GitHub Actions secrets:
DEPLOYHQ_API_KEY— your DeployHQ API tokenDEPLOYHQ_PROJECT— your project permalink (optional, can be set per step)
In your repository settings, go to Settings → Secrets and variables → Actions and add both values.
Step 2: Install dhq in Your Workflow
Add the installation step to your GitHub Actions workflow:
- name: Install DeployHQ CLI
run: |
curl -fsSL https://deployhq.com/install-cli.sh | bash
echo "$HOME/.deployhq/bin" >> $GITHUB_PATH
- name: Authenticate
run: dhq auth login --token "${{ secrets.DEPLOYHQ_API_KEY }}"
Step 3: Deploy on Merge
Here's a complete workflow that deploys to staging on every merge to main, then promotes to production after verification:
name: Deploy on Merge
on:
push:
branches: [main]
jobs:
deploy-staging:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install DeployHQ CLI
run: |
curl -fsSL https://deployhq.com/install-cli.sh | bash
echo "$HOME/.deployhq/bin" >> $GITHUB_PATH
- name: Authenticate
run: dhq auth login --token "${{ secrets.DEPLOYHQ_API_KEY }}"
- name: Deploy to Staging
run: dhq deploy --server staging --wait --json
- name: Verify Deployment
id: verify
run: |
RESULT=$(dhq deployments list --limit 1 --json)
STATUS=$(echo "$RESULT" | jq -r '.[0].status')
echo "status=$STATUS" >> $GITHUB_OUTPUT
if [ "$STATUS" != "completed" ]; then
echo "Deployment failed with status: $STATUS"
exit 1
fi
deploy-production:
needs: deploy-staging
runs-on: ubuntu-latest
environment: production
steps:
- name: Install DeployHQ CLI
run: |
curl -fsSL https://deployhq.com/install-cli.sh | bash
echo "$HOME/.deployhq/bin" >> $GITHUB_PATH
- name: Authenticate
run: dhq auth login --token "${{ secrets.DEPLOYHQ_API_KEY }}"
- name: Deploy to Production
run: dhq deploy --server production --wait --json
- name: Verify Production
run: |
dhq deployments list --limit 1 --json | jq '.[0] | {status, started_at, completed_at}'
The --wait flag makes dhq block until the deployment finishes, so the workflow knows whether it succeeded before moving to the next step. The --json flag returns structured output that subsequent steps can parse reliably.
Connecting Agentic Workflows to Deployment
Now let's put it all together. Here's how an AI agent can handle the full lifecycle — from issue triage to production deployment — using GitHub Agentic Workflows and dhq.
The Full Pipeline
name: Agentic Fix and Deploy
on:
issues:
types: [labeled]
jobs:
agent-fix:
if: contains(github.event.issue.labels.*.name, 'auto-fix')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Agent generates fix
uses: github/agentic-workflow@v1
with:
agent-file: .github/agents/fix-bug.md
issue: ${{ github.event.issue.number }}
# Agent opens a PR — CI runs on the PR automatically
deploy-on-merge:
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Install DeployHQ CLI
run: |
curl -fsSL https://deployhq.com/install-cli.sh | bash
echo "$HOME/.deployhq/bin" >> $GITHUB_PATH
- name: Authenticate
run: dhq auth login --token "${{ secrets.DEPLOYHQ_API_KEY }}"
- name: Deploy to Staging
run: |
dhq deploy --server staging --wait --json
echo "Staging deployment complete"
- name: Smoke Test
run: |
# Run your smoke tests against staging
curl -sf https://staging.yourapp.com/health || exit 1
- name: Deploy to Production
run: dhq deploy --server production --wait --json
- name: Report Status
if: always()
run: |
STATUS=$(dhq deployments list --limit 1 --json | jq -r '.[0].status')
gh issue comment ${{ github.event.issue.number }} \
--body "Deployment status: **$STATUS** — deployed from merge of agent-generated fix."
What Each Step Does
- Issue labeled
auto-fix— triggers the agentic workflow - Agent reads the issue, searches the codebase, writes a fix, and opens a PR
- CI runs on the PR — tests, linting, type checking (your existing pipeline)
- Human reviews and merges — this is the approval gate
dhq deploy --server staging— pushes to staging via DeployHQ- Smoke test — verifies staging is healthy
dhq deploy --server production— promotes to production- Agent comments on the issue — closes the loop with deployment status
The human stays in the loop at the PR review step. Everything before and after is automated.
Handling Failures: Automatic Rollback
Deployments fail. When they do, your pipeline should recover automatically rather than leaving a broken staging or production environment.
- name: Deploy to Production
id: deploy
continue-on-error: true
run: dhq deploy --server production --wait --json
- name: Rollback on Failure
if: steps.deploy.outcome == 'failure'
run: |
echo "Production deployment failed — rolling back"
dhq rollback --server production --wait --json
# Notify the team
gh issue comment ${{ github.event.issue.number }} \
--body "⚠️ Production deployment failed and was rolled back. Manual investigation needed."
DeployHQ's one-click rollback reverts to the previous successful deployment. Through dhq, this is a single command that your CI pipeline can trigger automatically.
What to Automate vs. What to Keep Manual
Not everything should be automated. Here's a practical guide based on what we see teams doing successfully:
Safe to Fully Automate
- Staging deployments — deploy every merge to staging automatically
- Deployment verification — check health endpoints, run smoke tests
- Status reporting — comment on issues/PRs with deployment results
- Rollback on failure — revert automatically when health checks fail
Keep Human Approval
- Production deployments — use GitHub's
environmentprotection rules to require approval - PR merges — the agent opens the PR, but a human reviews and merges
- Infrastructure changes — anything that modifies servers, databases, or DNS
- First deployment of new services — let a human verify the initial setup
Optional Automation (Team Dependent)
- Hotfix deployments — some teams auto-deploy PRs labeled
hotfixdirectly to production - Off-hours deployments — schedule deployments via
dhqduring low-traffic windows - Multi-server rollouts — deploy to one server first, verify, then deploy to the rest
GitHub's environment protection rules pair well with dhq here. You can require manual approval for the production environment while letting staging deployments run automatically:
deploy-production:
environment: production # Requires manual approval in GitHub settings
steps:
- run: dhq deploy --server production --wait --json
Monitoring Agent-Triggered Deployments
When an AI agent triggers a deployment, you want extra visibility into what happened and why. dhq provides structured output that you can feed into your monitoring stack.
# Get deployment details in JSON
dhq deployments list --limit 5 --json | jq '.[] | {
status,
started_at,
completed_at,
commit_message,
server
}'
# Check deployment logs for errors
dhq deployments logs --latest
For teams using build pipelines in DeployHQ, the dhq output includes build step results — so your agent (or your monitoring) can identify exactly which step failed.
Audit Trail
Every deployment triggered through dhq in CI is logged with the commit SHA, the GitHub Actions run ID, and the deployment result. This gives you a clear audit trail: which issue triggered the agent, which PR the agent created, and what was deployed.
Beyond GitHub: Other CI/CD Platforms
While this guide focuses on GitHub Actions (because that's where Agentic Workflows live), the dhq integration works with any CI/CD platform:
GitLab CI:
deploy:
stage: deploy
script:
- curl -fsSL https://deployhq.com/install-cli.sh | bash
- dhq auth login --token "$DEPLOYHQ_API_KEY"
- dhq deploy --server production --wait --json
Bitbucket Pipelines:
- step:
name: Deploy
script:
- curl -fsSL https://deployhq.com/install-cli.sh | bash
- dhq auth login --token "$DEPLOYHQ_API_KEY"
- dhq deploy --server production --wait --json
The pattern is the same everywhere: install dhq, authenticate, deploy. The CI platform handles the trigger logic; dhq handles the deployment.
Frequently Asked Questions
Is it safe to let AI agents trigger deployments?
It depends on your setup. We recommend keeping a human approval gate between the agent's code changes and production deployment. The agent opens the PR, CI validates it, a human approves the merge, and the deployment pipeline triggers automatically. The agent never deploys directly to production without human review.
Do I need to change my existing DeployHQ setup?
No. dhq triggers the same deployments you'd trigger manually through the DeployHQ dashboard or via automatic Git deployments. Your server configurations, build pipelines, and notification settings all stay the same. You're just adding a CLI trigger from CI.
How does dhq handle deployment failures in CI?
dhq deploy --wait returns a non-zero exit code when a deployment fails, which causes the GitHub Actions step to fail. You can use continue-on-error: true with a subsequent rollback step to handle failures gracefully, as shown in the rollback example above.
Can I use this with DeployHQ's zero-downtime deployments?
Yes. If your DeployHQ project is configured for zero-downtime deployments, dhq deploy triggers that same zero-downtime process. The CLI doesn't change how DeployHQ executes the deployment — it just triggers it programmatically.
What's the difference between dhq in CI and DeployHQ's automatic deployments?
Automatic deployments trigger when you push to a configured branch — no CI step needed. Using dhq in CI gives you more control: you can run tests first, deploy to staging before production, add smoke tests between deployments, and trigger rollbacks automatically. Use automatic deployments for simple setups; use dhq in CI when you need orchestration.
AI agents are getting better at writing code, but shipping code to production still requires a reliable deployment pipeline. GitHub Agentic Workflows handle the code generation and review side. The DeployHQ CLI handles the deployment side — deploying to your own servers with structured output that CI pipelines can parse, verify, and act on.
The result is a pipeline where an agent can take a bug report, generate a fix, get it reviewed, and deploy it to production — with a human in the loop at the right moment. Not fully autonomous, not fully manual. Just the right amount of automation for shipping with confidence.
Ready to connect your CI/CD pipeline to your deployment workflow? DeployHQ deploys to any server you own — VPS, cloud, or bare metal — with zero-downtime deployments, one-click rollback, and a CLI built for automation. Get started for free.
For questions or feedback, reach out at support@deployhq.com or on Twitter/X.