Releases: github/gh-aw

v0.80.9

@github-actions github-actions released this 22 Jun 07:16
Immutable release. Only release title and notes can be modified.
a362436

🌟 Release Highlights

This release focuses on reliability and correctness — squashing noisy error conditions in the MCP server and agentic workflows, hardening security, and keeping the observability pipeline complete.

🐛 Bug Fixes & Improvements

  • MCP stdio error handling: handleMessage now correctly serialises plain-object throws (not just Error instances), eliminating the cryptic -32603 [object Object] failures that blocked submit_pull_request_review on the stdio transport path. (#40715)

  • Issue Monster noise reduction — Agent-availability errors ("copilot coding agent is not available for this repository") are now treated as transient and silently skipped, so the issue tracker is no longer spammed with failure issues on every 30-minute poll cycle. (#40716)

  • Observability report completeness — The daily observability report now explicitly requests agent and detection artifact sets alongside usage metrics, preventing incomplete/noop outcomes caused by missing telemetry inputs. (#40705)

  • Task session data fetch — Fixed a failing agent GitHub Actions job caused by a stale data-fetch pattern in task session handling. (#40728)

🔒 Security

  • Atomic temp-file writes — Replaced direct fs.writeFileSync calls in the safe-output evaluations script with an atomic write helper, closing a CWE-377 insecure-temporary-file vulnerability flagged by CodeQL. (#40721)

🔧 Internal

  • Safe Outputs conformance checker — Added MCE-006 check verifying that mcp_server_core.cjs enforces valid JSON-RPC 2.0 error codes (spec §8.2); split spec/script version comments for clarity. (#40737)

  • Maintenance workflow header: agentics-maintenance.yml now carries an explicit, purpose-specific header describing the maintenance schedule and how to disable it, replacing the generic compiled-workflow boilerplate. (#40706)

Generated by 🚀 Release · 31.3 AIC · ⊞ 8.2K


What's Changed

  • fix(daily-observability-report): request agent+detection artifacts in logs fetches by @pelikhan with @Copilot in #40705
  • Make agentics-maintenance.yml header maintenance-specific by @pelikhan with @Copilot in #40706
  • fix: handleMessage avoids [object Object] errors and enforces valid JSON-RPC error codes for thrown plain objects by @pelikhan with @Copilot in #40715
  • Update task session data fetch by @mnkiefer with @Copilot in #40728
  • fix(issue-monster): gracefully skip agent availability errors with ignore-if-error by @pelikhan with @Copilot in #40716
  • [spec-review] Update Safe Outputs conformance checker for recent spec changes by @github-actions[bot] in #40737
  • [blog] Weekly blog post – 2026-06-22 by @github-actions[bot] in #40724
  • [code-scanning-fix] Fix js/insecure-temporary-file: use atomic write to prevent symlink attacks by @github-actions[bot] in #40721

Full Changelog: v0.80.8...v0.80.9

v0.80.8

Pre-release

@github-actions github-actions released this 22 Jun 00:35
Immutable release. Only release title and notes can be modified.
a401853

🌟 Release Highlights

This release brings a meaningful performance win, improved slash-command UX, a new Go linter, and a wave of reliability and documentation improvements.

⚡ Performance

  • Fixed a +320% regression in CompileComplexWorkflow by eliminating a redundant yaml.Unmarshal call — complex workflows now compile as fast as expected (#40662).

✨ What's New

  • Slash-command status comments are now created in the central router and reused downstream, giving users consistent, real-time feedback on slash-command progress (#40644).
  • New deferinloop Go linter flags defer statements inside for-loop bodies — a common source of resource-leak bugs — catching issues earlier in the development cycle (#40679).
  • gh-aw-detection rolled out to 50% of agentic workflows, expanding coverage of automated workflow health checks (#40698).
  • Daily Safe Output Integrator can now inspect compiler safe-output tests, broadening daily CI coverage (#40697).
  • Codex experiment models are now available in the Daily Cache Strategy Analyzer (#40682).

🐛 Bug Fixes

  • Prevented tool-denial cascade in daily-formal-spec-verifier, avoiding runaway failures when individual tools are unavailable (#40655).
  • Fixed sparse checkout path typing in the Skillet pre-activation skills checkout, resolving failures in sparse-repo workflows (#40684).
  • Migrated assignAgentToIssue to REST, retaining GraphQL fallbacks in lookup helpers for resilience (#40669).
  • Replaced SHA-256 with FNV-1a for heredoc delimiter generation, eliminating crypto-library overhead in hot compilation paths (#40696).
  • Reduced ambient prompt surface in high-traffic workflows, improving token efficiency and reducing unintended context bleed (#40695).

📚 Documentation

  • Leaner model-tables intro in the docs (#40658).
  • Fixed broken outbound links in the README (#40675).
  • Tightened authoring guidance for incident prefetch/dedup and visual baseline sourcing (#40660).
  • Extended JSON-LD schema to blog posts and inner pages for improved SEO (#40678).

Generated by 🚀 Release · 31.7 AIC · ⊞ 8.2K


What's Changed

  • fix: prevent tool denial cascade in daily-formal-spec-verifier by @pelikhan with @Copilot in #40655
  • [docs] docs: unbloat model tables intro by @github-actions[bot] in #40658
  • SPDD 2026-06-21: fix spec divergences across 5 spec files by @pelikhan with @Copilot in #40656
  • Create slash-command status comments in the central router and reuse them downstream by @pelikhan with @Copilot in #40644
  • Align checkout credential integration test with safe_outputs PR flow by @pelikhan with @Copilot in #40661
  • Tighten workflow authoring guidance for incident prefetch/dedup and visual baseline sourcing by @pelikhan with @Copilot in #40660
  • Update README to replace broken outbound links with canonical working targets by @pelikhan with @Copilot in #40675
  • Strengthen actionpins spec coverage for unresolved pinning and edge-case resolution by @pelikhan with @Copilot in #40676
  • Use available Codex experiment models in Daily Cache Strategy Analyzer by @pelikhan with @Copilot in #40682
  • Skillet: fix sparse checkout path typing in pre-activation skills checkout by @pelikhan with @Copilot in #40684
  • feat(linters): add deferinloop analyzer — flags defer inside for-loop bodies by @pelikhan with @Copilot in #40679
  • Extend docs JSON-LD schema to blog posts and inner pages by @pelikhan with @Copilot in #40678
  • fix: migrate assignAgentToIssue to REST, retain GraphQL fallbacks in lookup helpers by @pelikhan with @Copilot in #40669
  • Enable gh-aw-detection on 50% of agentic workflows by @pelikhan with @Copilot in #40698
  • Replace SHA-256 with FNV-1a for heredoc delimiter generation by @pelikhan with @Copilot in #40696
  • perf: fix +320% regression in CompileComplexWorkflow by eliminating redundant yaml.Unmarshal by @pelikhan with @Copilot in #40662
  • Allow Daily Safe Output Integrator to inspect compiler safe-output tests by @pelikhan with @Copilot in #40697
  • Reduce ambient prompt surface in high-traffic workflows by @pelikhan with @Copilot in #40695

Full Changelog: v0.80.7...v0.80.8

v0.80.7

Pre-release

@github-actions github-actions released this 21 Jun 17:16
Immutable release. Only release title and notes can be modified.
0d05475

🌟 Release Highlights

v0.80.7 brings powerful new automation options, compiler safety guardrails, and a set of targeted bug fixes that improve reliability across workflows, CLI tools, and the safe-outputs system.

⚠️ Breaking Changes

  • allow-team-members renamed to allowed-collaborators in safe-outputs.mentions (#40394)
    Run gh aw fix --write with codemod add-allow-team-members-collaborators to migrate automatically.

✨ What's New

  • Auto-upgrade workflow generation: Set auto_upgrade: true in aw.json to automatically generate a weekly agentic-auto-upgrade.yml workflow that keeps your setup current (#40414).
  • Auto-pin unversioned action refs: The compiler now auto-pins unversioned uses: references and fails compilation when no pin is resolvable — preventing silent runtime failures (#40475).
  • allowed-teams in mentions config: Authorize entire GitHub teams to trigger agentic mentions without enumerating every user (#40368).
  • Wildcard suffix for slash_command: Use a trailing * to match a family of related commands with a single workflow (#40369).
  • max-turn-cache-misses top-level field: Configure cache-miss guardrail thresholds directly in workflow frontmatter (#40388).
  • code_quality MCP toolset: The code_quality toolset is now mapped in GitHub MCP toolsets configuration (#40625).

🐛 Bug Fixes & Improvements

  • Call-workflow permissions: Job permissions are now correctly derived from the caller, not the worker (#40175 — thanks @dsyme!).
  • gh aw logs reliability: Fixed context-deadline cancellation for --timeout (#40498) and added a --report-file flag to avoid shell redirect failures (#40425).
  • Idle-timeout resolved as success: When output has been collected and all tools are complete, idle-timeout no longer marks a run as failed (#40419).
  • set_issue_field temporary ID resolution: set_issue_field can now resolve temporary_id values from a create_issue in the same batch (#40615).
  • Firewall-mode LLM routing: All LLM traffic in firewall mode is now correctly routed through the AWF gateway (#40616).
  • Improved error guidance: Empty-arguments errors now include schema guidance to prevent missing-tool reports (#40542); hide_comment validation now surfaces GraphQL node ID guidance (#40361).
  • Template-injection scanner: Fixed false positive that rejected the compiler's own generated Configure Git credentials step (#40613).
  • /help command: Fixed routing fallthrough, error handling, reactions, and mention sanitization (#40476).

📚 Documentation

  • CLI setup guide streamlined for clarity (#40484).
  • allowed-teams option surfaced in the agentic mentions configuration docs (#40421).
  • /help now uses structured headings and links commands to their source workflows (#40500).

Generated by 🚀 Release · 41.4 AIC · ⊞ 8.2K


What's Changed

  • optimize(glossary-maintainer): prompt trim, turn guardrail, batch reads, haiku sub-agent for term discovery by @pelikhan with @Copilot in #40353
  • Update slides by @mnkiefer in #40364
  • fix: replace local .github/aw/ paths with public URLs in agentic-workflows agent by @pelikhan with @Copilot in #40358
  • fix(daily-spdd-spec-planner): add sed -n to bash allowlist to prevent tool denial threshold by @pelikhan with @Copilot in #40366
  • Avoid LFS-dependent checkout in Documentation Unbloat by @pelikhan with @Copilot in #40365
  • Tighten Daily Formal Spec Verifier safe-output contract by @pelikhan with @Copilot in #40367
  • Recursively order nested with/env/secrets maps during YAML serialization by @pelikhan with @Copilot in #40362
  • [linter-miner] feat(linters): add sprintferrdot — flag redundant .Error() calls in fmt format functions by @github-actions[bot] in #40371
  • Make safe-job conclusion dependencies deterministic by @pelikhan with @Copilot in #40363
  • fix(hide_comment): surface GraphQL node ID guidance in comment_id validation error by @pelikhan with @Copilot in #40361
  • Enforce per-type safe-output max count at MCP invocation time (MCE4) by @dsyme with @Copilot in #40348
  • Support wildcard suffix matching for slash_command by @pelikhan with @Copilot in #40369
  • feat(safe-outputs): add allowed-teams to mentions configuration by @pelikhan with @Copilot in #40368
  • Enable Smoke Pi safeoutputs CLI mounting and migrate 20 non-smoke workflows to Pi by @pelikhan with @Copilot in #40375
  • feat(codemods): rename allow-team-members → allowed-collaborators in safe-outputs.mentions by @pelikhan with @Copilot in #40394
  • [docs] Self-healing documentation fixes from issue analysis - 2026-06-20 by @github-actions[bot] in #40402
  • Add top-level max-turn-cache-misses support with env-managed default by @pelikhan with @Copilot in #40388
  • Add skillet skill-routed PR reviewer workflow by @pelikhan with @Copilot in #40399
  • Add step authoring guidance to .github/aw instruction files by @pelikhan with @Copilot in #40413
  • Add centralized /dependabot-burner grouping and retry-aware single-workflow remediation by @pelikhan with @Copilot in #40396
  • [community] Update community contributions in README by @github-actions[bot] in #40424
  • docs: surface allowed-teams in agentic mentions config docs by @pelikhan with @Copilot in #40421
  • Refresh docs site theme toward neutral GitHub-style surfaces by @pelikhan with @Copilot in #40422
  • fix(sdk-driver): resolve idle-timeout as success when output collected and all tools complete by @pelikhan with @Copilot in #40419
  • [docs] Consolidate developer specifications into instructions file (v9.18) by @github-actions[bot] in #40465
  • [spec-extractor] Update package specifications for agentdrain, cli, console, constants by @github-actions[bot] in #40456
  • [instructions] Sync instruction files with release v0.80.6 by @github-actions[bot] in #40453
  • [docs] Update editor preview screenshots – 2026-06-20 by @github-actions[bot] in #40451
  • fix: add --report-file flag to gh-aw logs to avoid shell redirect failure by @pelikhan with @Copilot in #40425
  • model-inventory: alias updates 2026-06-20 by @pelikhan with @Copilot in #40420
  • Handle pi threat verdicts in detection log parser by @pelikhan with @Copilot in #40469
  • [WIP] Fix failing GitHub Actions job Integration: Workflow Features by @pelikhan with @Copilot in #40471
  • [jsweep] Clean write_daily_aic_usage_cache.cjs by @github-actions[bot] in #40433
  • feat: run code-scanning-fixer every 6h; replace MCP tool calls with gh CLI by @pelikhan with @Copilot in #40470
  • Roll out gh-aw-detection to 20% of repository workflows by @pelikhan with @Copilot in #40477
  • feat: add top-level auto_upgrade to generate a weekly agentic-auto-upgrade workflow by @pelikhan with @Copilot in #40414
  • [docs] docs: unbloat CLI setup guide by @github-actions[bot] in #40484
  • Refine workflow-creation guidance for workflow_run scoping, scheduled report windows, and visual-regression minimal config by @pelikhan with @Copilot in #40482
  • Auto-pin unversioned action uses refs in compiler; fail compilation when no pin is available by @pelikhan with @Copilot in #40475
  • Fix /help routing fallthrough, error handling, reaction, and mention sanitization by @pelikhan with @Copilot in #40476
  • [linter-miner] linter: add sprintferrorsnew — flag errors.New(...

v0.80.6

Pre-release

@github-actions github-actions released this 19 Jun 17:03
Immutable release. Only release title and notes can be modified.
2a5482d

🌟 Release Highlights

v0.80.6 focuses on safe-outputs reliability, GHES host support, and new agentic workflow capabilities — with dozens of targeted fixes that make credential handling, asset uploads, and compilation more robust.

✨ What's New

  • Headroom context compression — A new shared agentic workflow compresses agent context when headroom is low, reducing token burn for long-running workflows. (#40223)
  • Tool output previews in Copilot CLI — The conversation renderer now shows inline previews of tool outputs, making it easier to follow what an agent did at a glance. (#40116)
  • AWF reflect summary surfaced to GitHub Actions: awf reflect output is now written to core.info, making reflection results visible in the Actions run log without extra steps. (#40069)
  • Auto-detect GHES host in compile: gh aw compile now automatically detects GitHub Enterprise Server hosts, so GHES users no longer need manual host configuration for correct repo validation. (#40030)
  • Cached owner-type API call — The compiler now caches the repository owner-type lookup once per compilation run, eliminating redundant API calls on large workflows. (#40258)
  • gh aw init aligned to Copilot MCP schema — The MCP suggestion emitted by gh aw init now matches the official .github/mcp.json schema used by GitHub Copilot. (#40327)
  • External threat-detect binary — Threat detection has migrated to an external threat-detect binary behind a feature flag, improving isolation and upgrade flexibility. (#40166)

🐛 Bug Fixes & Improvements

Safe-outputs & credential handling:

  • Fixed git credential loss in safe_outputs job checkouts — credentials are now reliably preserved throughout the job. (#40161, #40147)
  • Fixed duplicate Authorization header (HTTP 400) on git operations in push_to_pull_request_branch. (#40281)
  • Checkout manifest relocated into safeoutputs/ so the containerized safe-outputs MCP server can read it. (#40025)
  • Cross-repo checkout directories from the manifest are now trusted, resolving dubious-ownership errors. (#40080)
  • Base branch is now validated with git check-ref-format before use in safe-outputs jobs. (#40001)
  • Corrected stale 1 MB default for safe-outputs max-patch-size in schema and derived files. (#39999)
  • Added configurable URL sanitization policy for code-region-safe suggestion handling. (#39927)

Compilation & workflow correctness:

  • Fixed compiler incorrectly passing undeclared payload inputs for call-workflow steps. (#40154)
  • Fixed invalid YAML generated for GitHub App token checkout steps in safe_outputs jobs. (#40301)
  • Fixed actions-lock.json accumulating orphaned entries on full compile. (#39905)
  • Added regression guard to ensure deterministic actions-lock.json key ordering. (#40324)
  • Enforced non-empty dispatch_workflow names across safe-output schema and MCP registration. (#40315)

Asset uploads & authentication:

  • upload_assets now resolves staged assets via a single GH_AW_ASSETS_DIR, fixing a path mismatch between RUNNER_TEMP and /tmp. (#40122, #40062)
  • Added fallback to unauthenticated GitHub API when a SAML-enforced token blocks requests. (#40250)
  • push_repo_memory now seeds new memory branches via the GitHub API to satisfy signed-commit requirements. (#40188)

Observability & reliability:

  • Fixed stdout/stderr interleaving in mcp_cli_bridge for large outputs. (#40037)
  • Token usage table is now rendered to core.info in the parse_token_usage step for better visibility. (#40227)
  • Improved Copilot harness classification for opaque exitCode=1 failures. (#39959)
  • Improved Copilot 403 auth guidance for copilot-requests mode. (#40052)

⚡ Performance

  • Memory efficiency — Replaced 187 map[string]bool sets with map[string]struct{} across the codebase, reducing allocations throughout the compiler and runtime. (#39954)

🔍 Code Quality & Linting

  • errstringmatch linter extended to cover HasPrefix, HasSuffix, EqualFold, Index, LastIndex, and Compare — catching more brittle error-string comparisons. (#40248)
  • New linter detects bare discarded json.Marshal/json.Unmarshal calls. (#39993)
  • Hardened OpenTelemetry compatibility contract. (#40006)

Generated by 🚀 Release · 40.8 AIC · ⊞ 8.2K


What's Changed

  • Require RUNNER_TOOL_CACHE for tool-cache discovery by @zarenner with @Copilot in #40157
  • feat: add Monte Carlo forecast compliance test suite (P1–P13) and fix fixture AIC gap by @pelikhan with @Copilot in #40126
  • fix: add configurable safe-outputs URL sanitization policy for code-region-safe suggestion handling by @pelikhan with @Copilot in #39927
  • [community] Update community contributions in README by @github-actions[bot] in #40206
  • Bump default gh-aw-firewall to v0.27.7 and refresh generated artifacts by @lpcox with @Copilot in #40208
  • fix(push_repo_memory): seed new memory branches via GitHub API to satisfy signed-commit rules by @pelikhan with @Copilot in #40188
  • Render token table to core.info in parse_token_usage step by @pelikhan with @Copilot in #40227
  • fix: expand Network Mapping and Pattern Heuristics tables in agentic-workflow-designer SKILL.md by @pelikhan with @Copilot in #40249
  • [jsweep] Clean update_pull_request_branches.cjs by @github-actions[bot] in #40246
  • errstringmatch: extend brittle error-string detection to HasPrefix/HasSuffix/EqualFold/Index/LastIndex/Compare by @pelikhan with @Copilot in #40248
  • [WIP] Fix failing GitHub Actions job for integration add by @pelikhan with @Copilot in #40239
  • fix: fall back to unauthenticated GitHub API when SAML-enforced token… by @pelikhan in #40250
  • [spec-extractor] Update package specifications for agentdrain, cli, console, constants by @github-actions[bot] in #40286
  • [docs] Update glossary - daily scan by @github-actions[bot] in #40289
  • [docs] Update documentation for features from 2026-06-19 by @github-actions[bot] in #40291
  • [instructions] Sync instruction files with release v0.80.4 by @github-actions[bot] in #40275
  • feat(workflow): cache repository owner-type API call once per compilation run by @pelikhan with @Copilot in #40258
  • Add headroom context compression as a shared agentic workflow by @pelikhan with @Copilot in #40223
  • logs: download only usage artifact by default by @pelikhan with @Copilot in #40259
  • fix(constraint-solving-potd): prevent body: "." sentinel misuse in create_discussion by @pelikhan with @Copilot in #40300
  • Add regression guard for deterministic actions-lock.json key ordering by @pelikhan with @Copilot in #40324
  • build(deps): bump undici from 6.24.0 to 6.27.0 in /actions/setup/js in the npm_and_yarn group across 1 directory by @dependabot[bot] in #40326
  • Align gh aw init MCP suggestion with Copilot .github/mcp.json schema by @pelikhan with @Copilot in #40327
  • [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #40329
  • Fix invalid YAML from checkout GitHub App token steps in safe_outputs jobs by @pelikhan with @Copilot in #40301
  • Migrate threat detection to external threat-detect binary behind feature flag by @pelikhan with @Copilot in #40166
  • Enforce non-empty dispatch_workflow names across safe-output schema and MCP registration by @pelikhan with @Copilot in ...

v0.80.4

Pre-release

@github-actions github-actions released this 18 Jun 05:51
Immutable release. Only release title and notes can be modified.
2fcf71d

🌟 Release Highlights

This release delivers a focused wave of reliability improvements, infrastructure hardening, and safe-outputs enhancements — making your agentic workflows more robust and predictable.

✨ What's New

  • merge-pull-request schema parity (#39767) — The merge-pull-request safe-output now supports samples and cross-repo targeting, bringing it to full feature parity with other safe-output operations.
  • GHES-friendly action pinning (#39908) — gh aw no longer applies its hardcoded action-pin fallback when GH_HOST targets a non-github.com host, removing friction for GitHub Enterprise Server users.
  • Cleaner UX for personal repos (#39923) — The copilot-requests onboarding tip is now suppressed for individual (non-org) repository owners, reducing noise where it doesn't apply.

🐛 Bug Fixes & Improvements

  • Fixed phantom asset failures (#39900) — Aligned the safe-outputs staging path with RUNNER_TEMP to eliminate spurious asset-not-found errors.
  • Fixed MCP container tmp access (#39950) — Added the /tmp/gh-aw bind mount to the safeoutputs MCP container so tools that write there during workflow runs work correctly.
  • Fixed assign-to-agent mutations (#39941) — Corrected the GraphQL mutations used to assign issues to agents, following the official API docs.
  • Fixed silent add_comment skips (#39926) — add_comment no longer silently no-ops when the integration token lacks discussion write permissions; the error is now surfaced clearly.
  • Fixed SDK driver timeouts (#39933) — Increased sendAndWait timeout in sample SDK drivers from 60 s to 10 min, preventing premature failures on longer agent tasks.
  • Fixed null-byte corruption in step summaries (#39910) — Stripped null bytes from gateway.md before writing to the step summary to prevent rendering errors.
  • Fixed unintended dependabot.yml writes (#39909) — gh aw no longer modifies dependabot.yml unless the --dependabot flag is explicitly passed.
  • Hardened PR Sous Chef emission path (#39951) — Reinforced the safe-output emission path for PR Sous Chef to prevent dropped outputs under edge-case conditions.
  • Isolated SDK driver test state (#39940) — copilot_sdk_driver tests now write session state in isolation, eliminating false-positive tool-denial failures.

📚 Documentation

  • Terminology update (#39913) — Renamed "Copilot Skills" → "Skills" throughout the custom-agent-for-aw reference to align with current product naming.

Generated by 🚀 Release


What's Changed

  • docs: rename "Copilot Skills" → "Skills" in custom-agent-for-aw reference by @Copilot in #39913
  • fix: strip null bytes from gateway.md before writing to step summary by @Copilot in #39910
  • Skip hardcoded action pin fallback when GH_HOST targets a non-github.com host by @Copilot in #39908
  • fix: only touch dependabot.yml when --dependabot flag is used by @Copilot in #39909
  • Fix phantom asset failures: align safe-outputs staging path with RUNNER_TEMP by @Copilot in #39900
  • Skip copilot-requests tip for individual (non-org) repository owners by @dsyme in #39923
  • safe-outputs: add merge-pull-request schema parity for samples and cross-repo targeting by @Copilot in #39767
  • fix: add_comment silently skips when integration token can't write to discussions by @Copilot in #39926
  • fix: correct assign-to-agent GraphQL mutations per official docs by @Copilot in #39941
  • fix: isolate copilot_sdk_driver test session state writes to prevent false-positive tool-denial issues by @Copilot in #39940
  • fix: increase sendAndWait timeout in sample SDK drivers from 60s to 10min by @Copilot in #39933
  • Extract hardcoded file paths to named constants by @Copilot in #39938
  • [aw] Harden PR Sous Chef safe-output emission path by @Copilot in #39951
  • fix: add /tmp/gh-aw bind mount to safeoutputs MCP container by @Copilot in #39950

Full Changelog: v0.80.3...v0.80.4

v0.80.3

Pre-release

@github-actions github-actions released this 17 Jun 21:57
Immutable release. Only release title and notes can be modified.
b6909fb

🌟 Release Highlights

v0.80.3 brings smarter MCP server configuration, improved Copilot billing detection in the setup wizard, and a focused set of reliability fixes across compilation, logs, and push workflows.

✨ What's New

  • repo-memory JSON formatting (#39540) — New format-json: true option ensures AI-written JSON memory files are always pretty-printed before committing, making diffs reviewable and files easy to edit.

  • mcp-scripts.dependencies fully wired (#39739) — The dependencies field in MCP script tool configs is now parsed, propagated through the runtime, and installed with pinned release-tag validation — eliminating late module not found failures.

  • Smarter add-wizard billing detection (#39810) — The setup wizard probes the org's Copilot CLI billing status before rendering the auth prompt. copilot-requests is pre-selected when billing is enabled and visually blocked (with a clear label) when it is not.

  • MCP server tool allowlist (#39863, #39866) — github-agentic-workflows MCP server now explicitly exposes only its six declared tools (compile, audit, logs, inspect, status, audit-diff). The server now runs directly from the local binary, removing the need for a globally installed gh aw extension in dev and CI environments.

  • Failure category filtering for report-failure-as-issue (#39721) — Workflows can now pass an array of failure categories to suppress transient infrastructure noise (Docker timeouts, AI 5xx, MCP image pulls) without losing signals from real failures.

  • Improved outcome intent attribution (#39718) — A dedicated intent resolver replaces ad-hoc outcome root tracing, adding attribution status and source to reports and marking PRs with multiple closing issues as ambiguous rather than silently selecting one.

⚡ Performance

  • Faster action pin resolution (#39707) — ActionResolver now checks the embedded action pins table first, eliminating ~1.2 s gh-api subprocess calls for built-in actions whose SHA is already compiled into the binary.

🐛 Bug Fixes & Improvements

  • Compilation: Stale container pins are pruned before compilation and UpdateContainerPins runs after, preventing stale-pin conflicts (#39770).
  • Git: Resolved "dubious ownership" errors on checkout by adding git safe.directory and moving git config to a shell script (#39771).
  • Logs: Fixed pagination in all-workflows mode when a full batch filters to zero runs (#39741).
  • Push: push_signed_commits now recovers gracefully from shallow/partial-clone object failures during rebase (#39859).
  • Copilot assignment: Both GraphQL-Features flags are always sent when assigning Copilot to an issue (#39719).
  • Safe-outputs: Rate-limit failures during PR review safe-output operations are mitigated (#39797).
  • Linters: regexpcompileinfunction resolves package identity via the type checker; uncheckedtypeassertion now recognises safe comma-ok forms in var initialisers and parenthesised assertions (#39773, #39774).
  • Installer: ANSI colour codes are suppressed in CI and NO_COLOR environments for cleaner log output (#39875).

📚 Documentation

  • New billing reference page — detailed guidance on Copilot billing configuration.
  • Improved billing setup tip — the copilot-requests auth tip now includes the org requirement note and links directly to the billing docs (#39873).

Generated by 🚀 Release


What's Changed

  • fix: always send both GraphQL-Features flags when assigning Copilot to an issue by @Copilot in #39719
  • ci: store Windows Defender scan logs as artifact on cross-platform build by @Copilot in #39726
  • Improve outcome intent attribution by @mnkiefer in #39718
  • Use IssueOrPRNumber for submit_pull_request_review.pull_request_number by @Copilot in #39723
  • Consolidate ~25 duplicate helper implementations by @Copilot in #39720
  • Fix misplaced zizmor ignore comment in GHES host step generator by @Copilot in #39740
  • logs: keep paging in all-workflows mode when full batches filter to zero runs by @Copilot in #39741
  • chore: bump Claude Code 2.1.178→2.1.179, Pi 0.79.4→0.79.6 by @Copilot in #39772
  • fix(regexpcompileinfunction): resolve package identity via type checker instead of identifier name by @Copilot in #39773
  • perf(workflow): check embedded action pins before gh-api network call in ActionResolver by @dsyme in #39707
  • fix: prune stale container pins and move UpdateContainerPins to after compilation by @Copilot in #39770
  • uncheckedtypeassertion: recognize safe comma-ok form in var init and parenthesized assertions by @Copilot in #39774
  • feat(repo-memory): add format-json option to pretty-print JSON files before commit by @Copilot in #39540
  • Add failure category filtering to report-failure-as-issue by @Copilot in #39721
  • Mitigate safe-output PR review rate-limit failures by @Copilot in #39797
  • Fix Impact report objective mapping guidance to match resolver outputs and available datasets by @Copilot in #39784
  • Implement mcp-scripts.dependencies end-to-end with runtime-manager install flow and pinned release-tag validation by @Copilot in #39739
  • fix: retry defender scan on transient WinDefend service unavailability by @Copilot in #39847
  • add-wizard: detect org Copilot billing and pre-select/disable copilot-requests accordingly by @Copilot in #39810
  • docs: add billing reference page by @dsyme in #39854
  • Add tools array to github-agentic-workflows by @pelikhan in #39863
  • fix(push_signed_commits): recover from shallow/partial-clone object failures during rebase by @dsyme in #39859
  • fix(daily-formal-spec-verifier): add sed -n to bash allowlist by @Copilot in #39864
  • Update MCP server command and arguments by @pelikhan in #39866
  • Suppress ANSI installer colors in CI and explicit no-color environments by @Copilot in #39875
  • Improve copilot billing tip: add org requirement note and billing docs link by @Copilot in #39873
  • Clarify Test Quality Sentinel safe-output comment invocation to prevent Copilot engine permission failures by @Copilot in #39867
  • fix: add git safe.directory and refactor git config to shell script to resolve dubious ownership error by @Copilot in #39771

Full Changelog: v0.80.2...v0.80.3

v0.80.2

v0.80.2 Pre-release

@github-actions github-actions released this 17 Jun 03:27
Immutable release. Only release title and notes can be modified.
1663f6b

🌟 Release Highlights

v0.80.2 is a focused reliability and polish release that tightens Copilot API compatibility, hardens the safe-outputs tooling, clarifies CLI flag semantics, and improves documentation precision.

🐛 Bug Fixes & Improvements

  • Copilot assignment API fix — Resolved an issue where only one of the two required GraphQL-Features header flags was sent when assigning Copilot to an issue, which could cause silent failures against the GitHub API. Both issues_copilot_assignment_api_support and coding_agent_model_selection flags are now always included. (#39719)
  • Prevent placeholder release note submissions — update_release now enforces a minimum body length, blocking accidental placeholder payloads (e.g. {"body":"test"}) from overwriting real release content when max:1 is in effect. (#39713)

✨ What's New

  • Mutually exclusive compile flags enforced — --gh-aw-ref, --action-tag, and --action-mode are now declared mutually exclusive in the compile command. Previously --gh-aw-ref silently overwrote the other flags; now the CLI returns a clear error. The help text also no longer lists the removed inline mode and correctly documents the valid action mode. (#39697)
  • Safe-outputs runtime image pinned — The ghcr.io/github/gh-aw-node image used by safe-outputs is now included in the default container predownload list and recorded in the compiled gh-aw-manifest. Workflows automatically prefetch it and lock headers include it, improving cold-start reliability. (#39644)

📚 Documentation

  • Safeoutputs deferred-write semantics clarified — Updated safe_outputs_prompt.md with explicit guidance: agents should trust a successful tool response without re-verifying the effect via gh or other read paths, since deferred writes are applied after the agent finishes. (#39694)

Generated by 🚀 Release


What's Changed

  • fix: enforce minLength on update_release body to block placeholder submissions by @Copilot in #39713
  • compile: clarify --action-mode/--action-tag/--gh-aw-ref relationship, enforce mutual exclusivity by @Copilot in #39697
  • docs: clarify safeoutputs deferred writes by @pelikhan in #39694
  • Include and pin safe-outputs gh-aw-node image in default container predownload and manifest by @Copilot in #39644

Full Changelog: v0.80.1...v0.80.2

v0.80.1

v0.80.1 Pre-release

@github-actions github-actions released this 16 Jun 23:57
Immutable release. Only release title and notes can be modified.
cee4f9c

test

Generated by 🚀 Release


What's Changed

  • docs: sharpen workflow-authoring guidance for PR scoping, backend compatibility checks, and coverage fallback networking by @Copilot in #39622
  • chore: bump CLI tool versions (Claude 2.1.178, Copilot 1.0.63, Codex 0.140.0, Pi 0.79.4, GH MCP Server v1.3.0, Playwright v1.61.0) by @Copilot in #39624
  • Add missing issues: read permission to pr-code-quality-reviewer by @Copilot in #39625
  • chore: expand pr to issue tracing for impact report mapped outcomes by @Copilot in #39620
  • Sync MCP server toolset/permissions mapping to v1.3.0 by @Copilot in #39650
  • Propagate Copilot BYOK provider hosts into threat-detection allowlists by @Copilot in #39653
  • Clarify github_api_calls provenance and recover snapshot-only core_consumed accounting by @Copilot in #39623
  • Ensure inline sub-agents always trigger interpolation step generation by @Copilot in #39651
  • Consolidate near-duplicate WorkflowListItem ⊂ WorkflowStatus structs in pkg/cli by @Copilot in #39637
  • Add configurable OTLP resource attributes to workflow observability by @Copilot in #39636
  • Support array/object runner specs for runs-on-slim and safe-outputs runner fields by @Copilot in #39654
  • fix: restore interaction permissions for workflow_call workflows with reaction/status-comment by @Copilot in #39652
  • schema: add normalize-closing-keywords to create-issue, add-comment, create-pull-request branches by @Copilot in #39643
  • schema: allow required-category in safe-outputs.create-discussion and add regression coverage by @Copilot in #39640
  • fix: sanitize HTML error pages in getErrorMessage to avoid noisy safe_outputs logs by @Copilot in #39655
  • Record compiler ref in lock metadata for --action-tag compiles by @Copilot in #39687
  • fix: restore MCP CLI concept explanation and fix safeoutputs framing by @dsyme in #39689

Full Changelog: v0.80.0...v0.80.1

v0.80.0

v0.80.0 Pre-release

@github-actions github-actions released this 16 Jun 18:14
Immutable release. Only release title and notes can be modified.
96acd10

🌟 Release Highlights

v0.80.0 expands CI/CD orchestration to ARC/DinD environments, adds powerful new portfolio and centralization-optimizer workflows, sharpens AI-credit management, and raises the bar on observability and diagnostics.

✨ What's New

ARC/DinD Container Support — Agentic workflows can now run inside Docker-in-Docker environments (ARC runners). The compiler emits chroot.binariesSourcePath, chroot.identity, and the `(redacted) Docker host, enabling full end-to-end agent execution on self-hosted container runners. (#38911, #38913)

Copilot Centralization Optimizer — New workflows identify redundant or inefficient Copilot invocations across your org and surface consolidation opportunities, helping teams reduce costs and improve consistency. (#39394, #39437, #39439)

Portfolio Analyst Workflow — A revived strategic-reporting workflow that generates cross-workflow portfolio summaries for executive visibility. (#39450)

Objective Impact Report — Executive-grade reports now restrict outcomes to issues linked via PR, include a simplified summary table, and compute AIC efficiency metrics, making ROI measurement actionable at a glance. (#39484, #39490, #39535, #39543)

OTel cicd.automation.* Standard — Proposed new OpenTelemetry semantic conventions for CI/CD automation signals, with W3C TRACEPARENT now propagated through all engine execution steps for end-to-end distributed tracing. (#38953, #39435, #39596)

Expanded gh aw forecast — Forecast output now includes threat-detection credits, exposes monthly low/high/stdev ranges, and inspects all completed runs—giving a more complete picture of your AI-credit spend. (#39101, #39102)

Smarter AI-Credit Guardrail — The daily guardrail is now skipped for user-initiated and command-routed runs, eliminating false blocks during development and testing. An actions/cache-based usage cache removes the need to download artifacts on every run. (#39123, #38856)

runs-on-slim: Array & Runner-Group Support — runs-on-slim now accepts label arrays and runner-group object forms, matching the full GitHub Actions runs-on syntax. (#39579, #38965)

Max Patch Size Raised to 4 MB — The default max-patch-size is increased from 1 MB to 4 MB, with clearer error messages when the limit is exceeded. Larger diffs no longer cause silent truncation. (#39118)

Token-Optimization Hints in Failure Issues — When a guardrail triggers, failure issues now include an "Optimize token consumption" section with actionable guidance. Tool-denial issues also include the last 5 tool calls for faster root-cause analysis. (#39069, #39122)

Anthropic WIF Auth (Claude) — Workload Identity Federation is now a first-class Claude authentication option, documented alongside the existing token-based flow. (#39241)

🐛 Bug Fixes & Improvements

  • AIC usage cache always empty — Fixed an activation-job bug where cache entries were never written, causing unnecessary artifact downloads. (#39130)
  • Bundle prerequisite commit fetch — gh aw bundle now fetches prerequisite commits by SHA instead of a broad --deepen, preventing shallow-clone failures. (#39466)
  • time.After timer leaks eliminated — Looped time.After calls are replaced with proper ticker management; timeafterleak linter now enforces this in CI. (#39188, #39133)
  • Copilot 429 quota-exceeded retries stopped — The Copilot harness no longer retries CAPIError: 429 quota exceeded responses, preventing runaway retry storms. (#39581)
  • Codex active-goal router retries stopped — Codex harness no longer retries on active-goal router failures, avoiding wasted credits on unrecoverable states. (#39156)
  • Script injection S7630 fixed — Maintenance workflow Record outputs steps are hardened against shell script injection. (#39578)
  • set_issue_field discovery query fixed — Removed an invalid IssueField fragment that caused field-discovery failures. (#39586)
  • Parallel-process test flakes fixed — Environment-dependent and parallel-process test failures in the test suite are resolved. (#39467)
  • Preserve engine.env scalar types — Numeric and boolean engine.env values are now preserved through compilation instead of being coerced to strings. (#39582)
  • Inline sub-agent frontmatter preserved — Sub-agent frontmatter is no longer dropped during extraction. (#39577)
  • Cache-memory threat-detection narrowed — False positives from AIC guardrail steps in cache-memory assertions are eliminated. (#39281)
  • Ambient-context token reduction — First-request token overhead in smoke-copilot and test-quality-sentinel workflows is significantly reduced. (#39157, #39280)

📚 Documentation

  • Anthropic WIF is now a first-class Claude auth option in setup docs (#39241)
  • experiments docs clarified with model, sub-agent, and subskill examples (#39226)
  • Cache-memory branch scoping and default-branch fallback behavior documented (#39265)
  • max-ai-credits: 5M removed from reference examples to prevent misconfiguration (#39128)
  • Workflow authoring guidance tightened for trigger selection, noop behavior, and workflow_run scoping (#39119, #39583)

Generated by 🚀 Release


What's Changed

  • Add logging to publish-safe-outputs-node scripts by @Copilot in #39085
  • reduce node image cooldown from 7d to 1d by @Copilot in #39086
  • fix: enforce 48h data retention on AIC usage cache entries by @Copilot in #39084
  • Harden Defender signature update with retries and failure diagnostics in release workflow by @Copilot in #39096
  • Clarify Appendix A AI credits example with explicit §3.5 cache-read deduction by @Copilot in #39098
  • Use ✅ for run-success in Test Quality Sentinel messages by @Copilot in #39099
  • Inspect all completed forecast runs in gh aw forecast by @Copilot in #39102
  • Tighten workflow authoring guidance for trigger selection, scenario mapping, and visual-regression network scope by @Copilot in #39119
  • Skip daily AI-credit guardrail for user-initiated and command-routed runs by @Copilot in #39123
  • docs: remove max-ai-credits: 5M examples from reference docs by @Copilot in #39128
  • Include last 5 tool calls in tool-denials failure issues by @Copilot in #39122
  • Emit Copilot auth migration tip for copilot-requests workflows by @Copilot in #39129
  • Include threat-detection credits in forecast totals, expose monthly low/high/stdev, and fix formal-verifier tool denials by @Copilot in #39101
  • [linter-miner] linter: add timeafterleak — flag time.After in for+select cases by @github-actions[bot] in #39133
  • Increase default max-patch-size from 1 MB to 4 MB and improve patch-size-exceeded error messages by @Copilot in #39118
  • fix(unbloat-docs): fetch LFS objects during checkout to fix docs build by @Copilot in #39145
  • Reduce ambient-context payload in daily/PR workflows and shared prompt imports by @Copilot in #39157
  • [spec-enforcer] Enforce specifications for github, typeutil by @github-actions[bot] in #39219
  • [docs] Update documentation for features from 2026-06-14 by @github-actions[bot] in #39214
  • [spec-extractor] Update package specifications for envutil, fileutil, gitutil, logger by @github-actions[bot] in #39211
  • [instructions] Sync instruction files with release v0.79.8 by @github-actions[bot] in #39207
  • [docs] Update dictation skill instructions by @github-actions[bot] in #39195
  • Fix AIC usage cache always empty in activation job by @Copilot in #39130
  • Clarify the experiments docs and add model, sub-agent, and subskill examples by @Copilot in #39226
  • Clarify sub-skill progressive disclosure in token/cost optimization guidance by @Copilot in #39227
  • Eliminate looped time.After timer leaks, propagate cancellation correctly, and enforce timeafterleak in CI by @Copilot in #39188
  • docs: add Anthropic WIF as a first-class Claude auth option by @Copilot in #39241
  • docs(playwright): align CLI visual regression version with npm package semantics by @Copilot in #39245
  • Replace raw fmt.Fprintf output in outcomes_history.go with console package by @Copilot in #39248
  • Replace raw fmt.Fprintf verbose debug output with console.LogVerbose in token_usage.go by @Copilot in #39247
  • Extract inline lipgloss styles and harden ShowWelcomeBanner styling by @Copilot in #39246
  • docs: clarify cache-memory branch scoping and default-branch fallback by @Copilot i...

v0.79.8

@github-actions github-actions released this 12 Jun 22:21
Immutable release. Only release title and notes can be modified.
8b02ab3

🌟 Release Highlights

v0.79.8 brings two new Go linters for code quality enforcement, a wave of targeted bug fixes improving reliability and portability, a performance boost for workflow run queries, and codemod improvements to complete the max-effective-tokens to max-ai-credits migration.

✨ What's New

  • httpnoctx linter (#38888) — Automatically flags Go HTTP calls made without a context.Context parameter, helping catch a common source of non-cancellable requests before they reach production.
  • hardcodedfilepath linter (#38742) — Detects hard-coded file path string literals in Go code, surfacing brittle path assumptions that break across environments.
  • Code Simplifier budget caps (#38851) — Per-run hard budgets with graceful noop exit prevent runaway simplification loops from consuming unbounded AI credits.
  • --gh-aw-ref resolved to commit SHA at compile time (#38689) — Branch and tag references passed via --gh-aw-ref are now pinned to their commit SHA during compilation, ensuring deterministic and auditable workflow builds.
  • AOAI Entra smoke workflow (#38706) — New end-to-end smoke workflow validates Azure OpenAI Entra authentication for Copilot, extending CI coverage to AOAI-backed runs.

🐛 Bug Fixes & Improvements

  • environment: propagation fixed (#38918) — Top-level environment: blocks are now correctly propagated to the detection job, resolving a compilation gap that silently dropped environment bindings.
  • set_issue_field GraphQL fix (#38882) — Corrects an invalid GraphQL query in fetchIssueFields that caused set_issue_field calls to fail at runtime.
  • String-form create_issue.labels handled (#38738) — Safe-output validation and schema definitions now correctly handle labels provided as a comma-separated string in addition to arrays, fixing label assignment failures.
  • False-positive AI credits failures eliminated (#38737) — Prevents erroneous failure issues from being filed on successful runs that happened to trigger unknown-model detection logic.
  • Copilot supports arbitrary HOME directories (#38725) — The Copilot engine integration no longer assumes /home/runner as the home directory, improving portability for non-standard runner environments.
  • Designer Drift Audit permissions fix (#38855) — Added the missing pull-requests: read scope so the Designer Drift Audit workflow can read PR data without permission errors.

⚡ Performance

  • Faster workflow run queries (#38779) — listWorkflowRuns pagination now stops as soon as the 24-hour cutoff is reached rather than fetching all pages, significantly reducing API calls on active repositories.

🔧 Migration

  • max-effective-tokens: -1 codemod completed (#38850) — The effective-tokens-to-ai-credits codemod (gh aw fix --write) now correctly rewrites the -1 sentinel value for max-effective-tokens, closing the last gap in the legacy budget migration. Run gh aw fix --write if you still see max-effective-tokens: -1 in your workflows.

📚 Documentation

  • Updated docs covering features shipped through 2026-06-12 (#38828) including spec audits for fileutil, constants, timeutil, and tty packages (#38848).

Generated by 🚀 Release · 110.8 AIC · ⊞ 28.8K


What's Changed

  • Prevent false-positive AI credits/unknown-model failure issues on successful runs by @Copilot in #38737
  • Scale homepage hero slides correctly on mobile by @Copilot in #38740
  • Add hardcodedfilepath linter to detect hard-coded file path string literals by @Copilot in #38742
  • fix(copilot): support arbitrary HOME directory, not just /home/runner by @Copilot in #38725
  • Add AOAI Entra smoke workflow for Copilot by @Copilot in #38706
  • Handle string-form create_issue.labels across safe-output validation and schema/tool definitions by @Copilot in #38738
  • [community] Update community contributions in README by @github-actions[bot] in #38771
  • Resolve --gh-aw-ref branch/tag to commit SHA at compile time by @dsyme in #38689
  • Fix lint-go CGO failure by normalizing ResolveGhAwRef formatting and string construction by @Copilot in #38778
  • [spec-enforcer] Enforce specifications for styles, syncutil, testutil by @github-actions[bot] in #38831
  • [docs] Update documentation for features from 2026-06-12 by @github-actions[bot] in #38828
  • [spec-extractor] Update package specifications for tty, types, typeutil, workflow by @github-actions[bot] in #38822
  • optimize: stop paginating listWorkflowRuns once 24h cutoff is reached by @Copilot in #38779
  • Add debug-scoped /tmp/gh-aw file inventory to setup post cleanup by @Copilot in #38780
  • refactor: semantic function clustering — dedup, shared helpers, and generics consolidation by @Copilot in #38776
  • deps(go): bump golang.org/x/tools to v0.46.0 by @Copilot in #38849
  • Add SEC-004 transport-body exemption to artifact client by @Copilot in #38853
  • docs: spec audit — add github README, update fileutil/constants/timeutil/tty specs by @Copilot in #38848
  • Add missing pull-requests: read scope to Designer Drift Audit workflow by @Copilot in #38855
  • [aw-compat] Migrate max-effective-tokens: -1 to max-ai-credits: -1 in codemod by @Copilot in #38850
  • Add SEC-005 exemption annotation for apply_samples replay driver by @Copilot in #38852
  • [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #38858
  • Cap Code Simplifier runaways with hard per-run budgets and graceful noop exit by @Copilot in #38851
  • [jsweep] Clean validate_context_variables.cjs by @github-actions[bot] in #38785
  • [linter-miner] feat(linters): add httpnoctx linter — flag HTTP calls without context by @github-actions[bot] in #38888
  • ctxbackground: resolve Background() calls by package identity, not identifier text by @Copilot in #38854
  • Refactor engine log parsing to canonical Copilot event format by @Copilot in #38781
  • [caveman] Optimize instruction verbosity — serena-tool, skills, subagents (2026-06-12) by @github-actions[bot] in #38930
  • Move auto-generated notice to first line with debugging skill URL by @Copilot in #38923
  • fix: propagate top-level environment: to the detection job by @Copilot in #38918
  • Correct OTLP CLI version attribution for scope/service/span fields by @Copilot in #38916
  • fix(set_issue_field): fix invalid GraphQL query in fetchIssueFields by @Copilot in #38882

Full Changelog: v0.79.7...v0.79.8