Skip to content

v0.2.8

Choose a tag to compare

View all tags
@github-actions github-actions released this 28 Mar 18:14
· 871 commits to main since this release
v0.2.8
2ab0c8d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

🌟 Release Highlights

v0.2.8 is a focused security, stability, and correctness release β€” hardening session handling, improving DIFC label precision, and resolving several race conditions and integration issues.

πŸ”’ Security Improvements

  • Session ID truncation in logs (#2731): Session IDs (API keys) are now consistently truncated across all log calls in session.go, preventing accidental plaintext credential exposure in log files and debug output.
  • Scoped DIFC labels (#2641): The generic secret secrecy tag has been replaced with scoped private:owner/repo labels, enabling finer-grained information flow control that accurately reflects the owning repository context. See the Guard Response Labeling docs for details.

πŸ› Bug Fixes

  • Race condition in session pool (#2634): Eliminated a race condition in SessionConnectionPool.Get that could cause intermittent failures under concurrent load.
  • GHEC proxy support via GITHUB_SERVER_URL (#2676): Proxy mode now correctly detects and routes requests when GITHUB_SERVER_URL points to a GitHub Enterprise Cloud (GHEC) instance. See the Proxy Mode docs.
  • WASM guard panic handling (#2698): WASM guard traps (panics) are now detected, logged with context, and the failed module is marked as such β€” preventing silent failures from propagating through the guard pipeline.
  • go-sdk integration fixes (#2647): Corrected content types, error messages, pagination behavior, and tool annotations in the go-sdk integration layer for more reliable MCP protocol compliance.

πŸ“š Documentation

  • gateway.port clarified (#2733): The docs now explicitly note that gateway.port does not affect the server's listen address (use --listen flag for that) and the trustedBots configuration field is now documented. See the Configuration docs.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.8
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • [Repo Assist] fix(launcher): eliminate race condition in SessionConnectionPool.Get by @github-actions[bot] in #2634
  • πŸ”„ chore: update schema URL to v0.64.2 by @github-actions[bot] in #2637
  • Replace secret secrecy tag with scoped private:owner/repo labels by @Copilot in #2641
  • rust-guard: consolidate github-baseline match arms + add Display for ScopeKind by @Copilot in #2640
  • refactor: move ExpandEnvArgs and NormalizeScopeKind to correct packages by @Copilot in #2645
  • refactor(proxy): extract writeJSONResponse and forwardAndReadBody helpers in handler.go by @Copilot in #2646
  • Fix go-sdk integration: content types, error messages, pagination, tool annotations by @Copilot in #2647
  • Remove unused callListMethod function by @lpcox in #2657
  • [test-improver] Improve tests for mcp package by @github-actions[bot] in #2567
  • [test] Add tests for server.logServerGuardPolicies by @github-actions[bot] in #2577
  • [test-improver] Improve tests for mcptest harness by @github-actions[bot] in #2631
  • [test] Add tests for server.registerAllTools and related tool_registry functions by @github-actions[bot] in #2656
  • fix: update mcp test mocks for SDK streamable transport by @lpcox in #2664
  • fix: confirm and surface proxy mode GITHUB_SERVER_URL support for GHEC by @Copilot in #2676
  • fix: replace ${PWD} with absolute path placeholder in config.toml serena entry by @Copilot in #2681
  • Add comprehensive safe-outputs configuration enforcement smoke tests by @Copilot in #2685
  • chore: recompile workflows for gh-aw v0.64.2 and fix safeoutput smoke tests by @lpcox in #2688
  • [log] Add debug logging to server/session.go by @github-actions[bot] in #2673
  • fix: detect and log WASM guard traps; mark module failed after panic by @Copilot in #2698
  • fix(security): truncate session IDs in all log calls in session.go by @Copilot in #2731
  • [log] Add debug logging to internal/proxy/graphql_rewrite.go by @github-actions[bot] in #2710
  • [test-improver] Improve tests for difc package by @github-actions[bot] in #2716
  • [test] Add tests for guard.parseResourceResponse and guard.parseCollectionLabeledData by @github-actions[bot] in #2717
  • docs: clarify gateway.port has no effect on listen address; document trustedBots field by @Copilot in #2733
  • fix: resolve duplicate test declarations and fix wantOperation defaults by @lpcox in #2737

Full Changelog: v0.2.7...v0.2.8

Contributors

lpcox
Assets 8
Loading