v0.65.6

🌟 Release Highlights

This release centers on Effective Tokens — a new end-to-end feature that tracks and surfaces AI token usage across workflow runs — alongside five community-reported bug fixes and a set of reliability improvements.

✨ What's New

• Effective Tokens visibility — Token usage is now tracked from the MCP gateway log through the agent job outputs and surfaced directly in workflow footer comments. Footer templates gain three new variables: {effective_tokens} (raw integer), {effective_tokens_formatted} (compact string like 1.2K), and {effective_tokens_suffix} (a ready-to-use suffix like · ● 1.2K). All built-in footer templates have been updated to include {effective_tokens_suffix} by default. (#24150, #24132, #24122, #24029)

• Custom model token weights — The engine frontmatter now supports custom token weight overrides per model, enabling more accurate effective-token calculations for non-default deployments. (#24134)

• Native web-fetch for Codex and Gemini — The mcp/fetch fallback has been removed; Codex and Gemini workflows now use native web-fetch, reducing latency and eliminating an unnecessary MCP dependency. (#24017)

• Staggered cron schedules — Approximately 30 workflows previously fired simultaneously at the top of each hour, exhausting the GitHub App rate limit. The compiler now hashes each workflow's identity to scatter execution within ±30 minutes, eliminating rate-limit bursts. (#24144)

🐛 Bug Fixes & Improvements

• Safe outputs MCP server now receives GH_AW_SAFE_OUTPUTS — The environment variable was not passed to the safe-outputs MCP HTTP server startup step, causing outputs.jsonl to appear empty even on success. (#24126)

• Discussion reply threading fixed — add-comment now correctly threads replies when the triggering comment is itself a reply inside a discussion thread. (#24031)

• Lenient temporary ID validation — Invalid temporary IDs (e.g. containing underscores) now emit a warning instead of failing PR creation. (#24030)

• Conclusion job concurrency now customizable — A concurrency.job-discriminator field can be applied to the conclusion job, allowing users to control grouping independently of the agent job. (#24043)

• Lock file integrity check works across organizations — Reusable workflow lock files are now resolved from the source repository rather than the calling repository, fixing cross-org integrity validation. (#24057)

• add_comment no longer fails on scheduled runs — When no triggering context is available (e.g. a schedule trigger), the add_comment handler now silently skips instead of erroring. (#24131, #24098)

• MCP gateway tool allowlist enforced at gateway layer — Tool allow/deny lists are now enforced at the gateway itself with restricted config file permissions, improving security posture. (#23933)

• Protocol-relative URLs blocked in safe-outputs sanitizer — URLs like //evil.com are now treated as blocked domains, closing a sanitization bypass. (#23930)

📚 Documentation

• Added the Effective Tokens specification documenting the token-tracking architecture, formula, and template variables.
• Developer spec consolidated into dev.md v5.0. (#24067)

---

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@corygehr

• add-comment for Discussion doesn't allow for replies to a threaded comment reply (direct issue)

@dsyme

• Invalide temporary ID should probably not fail PR creation (direct issue)

@jaroslawgajewski

• Lock file integrity check should resolve the lock file from the reusable workflow source repository (direct issue)

@szabta89

• Conclusion job concurrency is static per workflow and cannot be customized (direct issue)

@yaananth

• Safe outputs MCP server returns success but outputs.jsonl is empty (v0.65.5) (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 747.2K

---

What's Changed

• fix: treat protocol-relative URLs as blocked domains in safe-outputs sanitizer by @Copilot in #23930
• Enforce MCP gateway tool allowlist at the gateway layer and restrict config file permissions by @Copilot in #23933
• feat: remove mcp/fetch fallback and wire native web-fetch for Codex and Gemini by @Copilot in #24017
• [jsweep] jsweep: Clean add_comment.cjs by @github-actions[bot] in #24020
• docs: expand security architecture section on homepage for non-security audiences by @Copilot in #24026
• feat(logs): parse events.jsonl as primary metrics source for Copilot CLI runs by @Copilot in #24027
• fix: use events.jsonl from copilot session-state for log parsing by @Copilot in #24028
• feat: render token-usage.jsonl in the MCP gateway step summary by @Copilot in #24029
• [code-simplifier] refactor: simplify token usage parsing in parse_mcp_gateway_log.cjs by @github-actions[bot] in #24032
• Fix discussion reply threading when triggering comment is itself a reply by @Copilot in #24031
• [ca] fix: correct JSDoc type annotation in parse_mcp_gateway_log.cjs by @github-actions[bot] in #24033
• fix: lenient temporary ID validation — support underscores, warn instead of fail by @Copilot in #24030
• fix: increase timeout for daily-architecture-diagram workflow by @Copilot in #24042
• [docs] Update glossary - daily scan by @github-actions[bot] in #24044
• Apply concurrency.job-discriminator to the conclusion job by @Copilot in #24043
• [community] Update community contributions in README by @github-actions[bot] in #24062
• [instructions] Sync github-agentic-workflows.md with release v0.65.5 by @github-actions[bot] in #24061
• fix: use Python venv for pip installs in shared Python workflows by @Copilot in #24053
• Set max branch limit to 10 and enable deletion on scheduled runs by @Copilot in #24064
• [docs] Consolidate developer specs into dev.md v5.0 (2026-04-02) by @github-actions[bot] in #24067
• Fix lock file integrity check for cross-org reusable workflows by @Copilot in #24057
• [rendering-scripts] fix: add pretty-print format support to copilot log parser by @github-actions[bot] in #24070
• Prevent copilot-maintenance workflow from running on forks by @Copilot in #24082
• Fix JS typecheck failures introduced by TypeScript v6 strict catch variable typing by @Copilot in #24089
• Remove unnecessary []byte casts in pkg/console golden tests by @Copilot in #24086
• Implement conclusion job step improvements by @Copilot in #24063
• Migrate pkg/repoutil tests to testify assertions by @Copilot in #24085
• [dead-code] chore: remove dead functions — 4 functions removed by @github-actions[bot] in #24094
• Return structured JSON instead of MCP protocol errors for invalid inputs in logs/audit/compile tools by @Copilot in #24058
• fix: silently skip add_comment when no triggering context (schedule runs) by @Copilot in #24098
• Extract Go source code analysis tools bundle into shared component by @Copilot in #24084
• fix(docs): add aria-label to Expressive Code copy-to-clipboard buttons by @Copilot in #24099
• refactor: split mixed-concern files identified by semantic function clustering analysis by @Copilot in #24101
• fix: add-wizard ls-remote default branch parsing bug by @dsyme in #24105
• docs: add Effective Tokens...

v0.65.5

🌟 Release Highlights

This release focuses on security hardening, observability improvements, and setup performance — with a meaningful reduction in firewall install time and new token usage visibility for AI cost tracking.

✨ What's New

• Token Usage Visibility — The Agentic Workflow Firewall now logs per-model token consumption to token-usage.jsonl. gh aw audit and gh aw logs surface a full breakdown (input, output, cache read/write tokens, cache hit %, avg request duration) per model. A new step summary step appends a markdown table to your workflow run's summary page. (#23943)

• 140× Faster Firewall Install — AWF v0.25.10 ships a single awf-bundle.js file (~357 KB). On GitHub-hosted runners with Node.js ≥ 20 (the default), setup now downloads 357 KB instead of ~50 MB — a 140× reduction. Self-hosted runners without Node.js ≥ 20 automatically fall back to the platform binary. (#23993)

• Richer Threat Detection Context — The detection job now performs a conditional repository checkout when a patch is present, giving the threat detection engine full codebase context to review code changes. Previously, the engine saw diffs in isolation without surrounding source files. (#23961)

• GitHub Actions Expression Support — timeout-minutes, engine.version, tools.timeout, and tools.startup-timeout now accept GitHub Actions expressions (e.g., $\{\{ inputs.timeout }}), enabling reusable workflow_call workflows where callers can customize these values without forking the workflow. (docs)

🐛 Bug Fixes & Improvements

• Session Logs Now Collected — events.jsonl files written by Copilot CLI inside session subdirectories were silently missed by the log-copy step (flat glob only matched the top level). Fixed with a recursive find-based copy that preserves session IDs in filenames. (#23992)

• Security: Git Hook Injection Prevented — Cache-memory git repos now have .git/hooks/ cleared and core.hooksPath set to /dev/null on every setup. Previously, a compromised run could plant executable hooks that fired on the host runner before the AWF sandbox was active. (#23929)

• gh aw add-wizard No Longer Loses Work on Push Failure — If the branch push failed after downloading workflow files, the command previously rolled back everything and left users with nothing. Files and the local commit are now preserved, with actionable recovery instructions printed to the console. (#23926)

• Label Pagination Fixed for Large Repos — create_discussion and update_discussion silently dropped any labels beyond the first 100 when resolving label names to IDs. The paginated fetch now loops until all labels are loaded. (#23915)

• CLI Help Text Fixes — Dynamic column width in root command usage (fixing truncated hash-frontmatter), corrected logs --timeout flag description, and improved mcp add help text. (#23912)

📚 Documentation

• Updated reference docs for expression support in frontmatter.md, engines.md, and tools.md — including new "Tool Timeout Configuration" section.
• Condensed verbose troubleshooting sections in common-issues.md (−49 lines, −8%).

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@ajfeldman6

• Error: "Failed to add workflow" during Quick Start Guide for creating an agentic workflow (direct issue)

@yskopets

• add_labels.cjs only fetches first page of labels (pagination bug) (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Fix 4 CLI consistency issues: dynamic column width, flag description, mcp add docs, command group tests by @Copilot in #23912
• refactor: split checkout_manager.go into state management, step generation, and config parsing by @Copilot in #23911
• Split pkg/constants/constants.go into domain-grouped files by @Copilot in #23913
• fix: paginate label fetch in create_discussion and update_discussion by @Copilot in #23915
• refactor: split trial_command.go (1,007 lines) into focused files by @Copilot in #23917
• fix: preserve workflow files and guide user on manual push when branch push fails by @Copilot in #23926
• feat: Add conditional workspace checkout to detection job for patch context by @lpcox in #23961
• [docs] Update documentation for GitHub Actions expression support in frontmatter fields by @github-actions[bot] in #23947
• fix(security): clear .git/hooks/ and disable hooksPath in cache-memory git setup by @Copilot in #23929
• feat: bump firewall to v0.25.8 and surface token-usage.jsonl by @lpcox in #23943
• feat: bump AWF to v0.25.10 and use lightweight esbuild bundle by @Mossaka in #23993
• fix: events.jsonl not collected — copy step uses flat glob, misses session subdirectories by @lpcox in #23992
• [docs] condense verbose sections in common-issues.md by @github-actions[bot] in #24010

Full Changelog: v0.65.4...v0.65.5

v0.65.4

🌟 Release Highlights

This release focuses on workflow parameterization for workflow_call reuse, automatic service container access, and a strong set of community-driven bug fixes and features.

✨ What's New

• Expression parameterization for workflow_call — Multiple frontmatter fields now accept GitHub Actions expressions, enabling reusable workflows to customize behavior at call time:

  • timeout-minutes: $\{\{ inputs.timeout }}
  • engine.version: $\{\{ inputs.engine-version }}
  • tools.timeout, tools.startup-timeout, and tools.playwright.version

• Auto-generate --allow-host-service-ports from services: mappings — Workflows using GitHub Actions service containers (PostgreSQL, Redis, etc.) no longer need manual port configuration. The compiler now extracts declared port mappings and emits runtime $\{\{ job.services.<name>.ports['<port>'] }} expressions automatically, so agents can reach service containers out of the box.

• Step templating support — Workflows can now use templating patterns for steps, enabling more expressive and reusable workflow definitions.

• Restrict Copilot CLI built-in tools via frontmatter — Fine-grained control over which Copilot CLI built-in tools are available to agents in a workflow.

• Discussion post commenting and editing — Workflows can now comment on and edit posts within GitHub Discussions, expanding discussion interaction capabilities.

🐛 Bug Fixes & Improvements

• Cross-repo org ruleset timestamp check fixed — The "Check workflow file timestamps" step no longer fails with ERR_CONFIG when workflows run cross-repo via organization rulesets.
• <safe-output-tools> prompt expression inlining resolved — Compiled prompts no longer inline $\{\{ }} expressions verbatim, which was re-triggering the expression-size limit.
• create-code-scanning-alert safe-output fixed — The code scanning alert safe-output handler now works correctly for all supported alert configurations.
• Cross-repo import path resolution corrected — gh aw add no longer rewrites \{\\{\#import shared/X.md}} with an incorrect path; imports now resolve from .github/workflows/ as expected.
• Audit tool: Codex metrics and firewall root cause — gh aw audit now surfaces token/turn metrics and firewall-blocked domain root causes for failed Codex runs.

📚 Documentation

• New "Supported Languages & Ecosystems" reference page — A dedicated reference mapping popular languages (Python, Go, Java, Rust, TypeScript, etc.) to their ecosystem identifiers, package managers, and configuration examples. Learn more

⚡ Dependency Updates

• Playwright v1.59.0 — New Screencast API (page.screencast), Browser Interoperability (browser.bind()), Observability Dashboard, and CLI debugger for agents.
• MCP Gateway v0.2.11 — WASM guard startup time reduced (wazero compilation cache), accurate /health endpoint, embedded config schema.
• Playwright MCP v0.0.70 — Tracks Playwright v1.59.0.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@corygehr

• Request: Allow commenting, editing posts within a Discussion (direct issue)

@deyaaeldeen

• Feature: allow restricting Copilot CLI built-in tools via frontmatter (direct issue)

@ericstj

• Feature request: allow for templating of steps (direct issue)

@jaroslawgajewski

• "Check workflow file timestamps" step fails with ERR_CONFIG when workflow runs cross-repo via org rulesets (direct issue)

@johnpreed

• gh aw add rewrites {\{#import shared/X.md}} with incorrect cross-repo path (resolves from repo root instead of .github/workflows/) (direct issue)

@kbreit-insight

• create-code-scanning-alert safe-output doesn't seem to work as it should (direct issue)

@strawgate

• Compiled (safe-output-tools) prompt inlines ${{ }} expressions, re-triggering expression-size limit (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [docs] docs: remove duplicate Claude plugins section and condense create-discussion FAQ by @github-actions[bot] in #23816
• fix: extract ${{ }} expressions from <safe-output-tools> max: values to avoid 21KB heredoc limit by @Copilot in #23812
• feat: auto-generate --allow-host-service-ports from services: port mappings by @Mossaka in #23760
• fix: use GITHUB_WORKFLOW_REF to resolve source repo for cross-repo lock file hash check by @Copilot in #23808
• [jsweep] Clean messages_run_status.cjs by @github-actions[bot] in #23824
• feat: bump MCP Gateway v0.2.11, Playwright Browser v1.59.0, Playwright MCP 0.0.70, Firewall v0.25.6 by @Copilot in #23821
• fix: body-level {{#import shared/X.md}} rewritten with wrong cross-repo path in gh aw add by @Copilot in #23817
• [ca] fix: update golden files for awf v0.25.6 and mcpg v0.2.11 by @github-actions[bot] in #23846
• [instructions] Sync github-agentic-workflows.md with v0.65.2 by @github-actions[bot] in #23856
• [docs] Update glossary - daily scan by @github-actions[bot] in #23853
• [docs] Developer Documentation Consolidation v4.9 by @github-actions[bot] in #23858
• [code-simplifier] refactor: simplify imports.go and add_command.go from PR #23817 by @github-actions[bot] in #23844
• fix: use token instead of github-token for upload-sarif action by @Copilot in #23837
• fix: thread discussion replies when add_comment triggered by discussion_comment event by @Copilot in #23836
• Docs: Add "Supported Languages & Ecosystems" reference page by @Copilot in #23833
• docs: add concrete steps/mcp-servers/jobs import examples to imports reference by @Copilot in #23835
• docs: update APM to use shared/apm.md imported workflow by @Copilot in #23877
• bump: gh-aw-firewall v0.25.6, gh-aw-mcpg v0.2.11 by @Copilot in #23879
• Remove noisy negative-result messages from compile output by @Copilot in #23878
• fix: update_cache_memory must not run if agent job failed by @Copilot in #23876
• Improve test quality: pkg/parser/frontmatter_utils_test.go by @Copilot in #23868
• [q] fix: improve patch size logging with warning level and diff stat breakdown (#23865) by @github-actions[bot] in #23871
• [dead-code] chore: remove dead functions — 4 functions removed by @github-actions[bot] in #23882
• feat: allow timeout-minutes to accept GitHub Actions expressions by @Copilot in #23863
• feat: parameterize engine.version to accept GitHub Actions expressions (injection-safe) by @Copilot in #23870
• [WIP] Fix daily mcp concurrency analysis by adding jq and git log to bash allowlist by @Copilot in #23886
• fix: integer/bool step env values silently dropped during workflow compilation by @Copilot in #23887
• fix: YAML syntax error in ci.yml caused by heredoc body at column 0 by @Copilot in #23895
• fix: align qmd step names with established naming conventions by @Copilot in #23891
• feat: parameterize tools.timeout and tools.startup-timeout to accept GitHub Actions expressions by @Copilot in #23888
• fix(audit): surface Codex firewall blocks from agent-stdio.log and populate action_minutes by @Copilot in #23889
• fix: use assert.Positive instead of assert.Greater with 0 in testifylint by @Copilot in #23910

Full Changelog: v0.65.3...v0.65.4

v0.65.3

🌟 Release Highlights

This release focuses on improving the gh aw update experience, prerelease handling, and release channel management — with important fixes for import path preservation and service container documentation.

⚠️ Breaking Changes

• Stable release channel removed (#23755): The releases.json aliases and stable release channel have been removed. If you were pinned to the stable channel, switch to latest. The update-stable-release.yml workflow has also been removed.

✨ What's New

• Prerelease-aware updates (#23810): gh aw update now skips prerelease versions when resolving the latest release, so you'll always land on a stable release by default.
• Release promotion workflow (#23811): A new internal workflow makes it easy to promote a prerelease to the latest stable channel with a single trigger.

🐛 Bug Fixes & Improvements

• gh aw update no longer rewrites local imports (#23809): Fixed a bug where running gh aw update would overwrite local relative imports: paths with cross-repo paths that fail at runtime.
• DeepReport workflow reliability (#23807): Switched from Codex to Claude engine and corrected the memory path so the deep-report workflow runs reliably.

📚 Documentation

• Service containers from the agent sandbox (#23776): Clarified that services (e.g., Postgres) started via services: are bound to the runner host and must be reached from the agent container using host.docker.internal:<port> — not localhost.

---

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@johnpreed

• gh aw update rewrites local imports: to cross-repo paths that fail at runtime (direct issue)

@srgibbs99

• BUG: AWF agent cannot reach Postgres started via services: (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [log] Add debug logging to metrics, observability, and workflow compilation by @github-actions[bot] in #23785
• [actions] Update GitHub Actions versions - 2026-03-31 by @github-actions[bot] in #23778
• fix(deep-report): switch to claude engine and fix memory path by @Copilot in #23807
• [docs] docs: clarify service container accessibility from agent sandbox by @github-actions[bot] in #23776
• Remove releases.json aliases and stable release channel support by @Copilot in #23755
• Add workflow to promote a release to latest/non-prerelease by @Copilot in #23811
• Ignore prerelease releases when fetching GitHub releases by @Copilot in #23810
• fix: preserve local relative imports during gh aw update by @Copilot in #23809

Full Changelog: v0.65.2...v0.65.3

v0.65.2

🌟 Release Highlights

This patch release brings a new configurability option for pull request workflows, a reliable fix for external-repository checkout scenarios, and a round of CLI consistency improvements — plus three community-reported issues resolved.

✨ What's New

• Configurable create-pull-request auto-close behavior — The create-pull-request safe-output now lets you control whether the triggering issue is automatically closed when the PR is merged. Previously this was always-on; now it can be tuned per workflow. (Requested by the community — see #23736)

🐛 Bug Fixes & Improvements

• Restore actions/setup after external root checkout — When a workflow checks out an external repository to the workspace root (no path: specified), actions/checkout was overwriting $GITHUB_WORKSPACE and deleting the locally checked-out actions/setup directory, causing a post-step failure (Can't find 'action.yml'). The compiler now appends a Restore actions folder step (if: always()) in dev mode when this pattern is detected. (#23751)

• CLI consistency improvements — Addressed redundant flags, unexplained jargon, and discrepancies between help text and documentation to make the CLI more approachable. (#23750)

• MCP table output routing — mcp list-tools and mcp inspect now route table output through explicit console.RenderTable() calls with unambiguous stdout routing, aligning with the established pattern in mcp list. (#23752)

• WASM golden files updated for firewall v0.25.5 (#23743)

• Release tooling — New releases are now created as pre-releases by default, preventing automated releases from being promoted to "latest" without explicit maintainer action. (#23754)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@abillingsley

• Make create-pull-request auto-close issue behavior configurable (direct issue)

@Rubyj

• MCP safe-output tools not accessible to Codex in AWF chroot on self-hosted runners (file permission issue) (direct issue)

@strawgate

• AWF agent PATH misses GITHUB_PATH additions (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• fix: update WASM golden files for firewall version v0.25.5 by @Copilot in #23743
• fix: reduce docs-noob-tester scope to prevent timeout by @Copilot in #23742
• Make create-pull-request auto-close issue behavior configurable by @Copilot in #23738
• [slides] Fix mcp-servers allowed field syntax in slides by @github-actions[bot] in #23749
• fix: address CLI consistency issues - redundant flags, unexplained jargon, and doc discrepancies by @Copilot in #23750
• Migrate MCP list/inspect table output to explicit console.RenderTable() with stdout routing by @Copilot in #23752
• Mark new releases as pre-release and suppress auto-latest promotion by @Copilot in #23754
• fix: restore actions/setup after external root checkout in agent job by @Copilot in #23751

Full Changelog: v0.65.1...v0.65.2

v0.65.1

What's Changed

• feat: default to stable version and resolve aliases in install-gh-aw.sh by @Copilot in #23628
• Add CI job to test install-gh-aw.sh with stable release by @Copilot in #23633
• fix: sync install.sh with install-gh-aw.sh and update test for stable version default by @Copilot in #23632
• docs: add Releases and Versioning reference page by @Copilot in #23635
• [jsweep] Clean add_reaction.cjs by @github-actions[bot] in #23639
• feat: add approval-label cookie to all workflows with min-integrity: approved by @Copilot in #23627
• Fix qmd indexing job failure due to TypeScript peer dependency conflict by @Copilot in #23645
• chore: bump @playwright/mcp 0.0.68→0.0.69 and MCP Gateway v0.2.9→v0.2.10 by @Copilot in #23644
• fix: correct YAML indentation for detection job permissions block by @Copilot in #23647
• [architecture] Update architecture diagram - 2026-03-31 by @github-actions[bot] in #23657
• Recompile workflows to sync lock files with source markdown by @Copilot in #23676
• [docs] Update Astro dependencies - 2026-03-31 by @github-actions[bot] in #23670
• [instructions] Sync github-agentic-workflows.md with release v0.65.0 by @github-actions[bot] in #23669
• [docs] Consolidate developer specs into dev.md v4.8 by @github-actions[bot] in #23671
• [community] Update community contributions in README by @github-actions[bot] in #23667
• [docs] Update glossary - daily scan by @github-actions[bot] in #23665
• [code-simplifier] refactor: simplify detection job permissions and WASM result building by @github-actions[bot] in #23651
• chore(deps): bump github.com/rhysd/actionlint from 1.7.11 to 1.7.12 by @dependabot[bot] in #23661
• fix(functional-pragmatist): replace make+len patterns to avoid CodeQL violations by @Copilot in #23685
• [dead-code] chore: remove dead functions — 7 functions removed by @github-actions[bot] in #23693
• chore: update @sentry/mcp-server to 0.31.0 by @Copilot in #23697
• chore(deps): bump @sentry/mcp-server from 0.29.0 to 0.31.0 in /.github/workflows by @dependabot[bot] in #23660
• feat: add Release Punter workflow by @Copilot in #23694
• [q] refactor(console): migrate list.go from Bubble Tea to huh Select (#23690) by @github-actions[bot] in #23700
• fix: move protected files details section inside alert block by @Copilot in #23702
• Fix engine failure message: include engine ID and use blob URL for workflow source by @Copilot in #23703
• chore: bump gh-aw-firewall (AWF) to v0.25.5 by @Copilot in #23711
• Improve test quality: scripts/lint_error_messages_test.go by @Copilot in #23706
• Skip update_cache_memory job when agent job is skipped by @Copilot in #23720
• refactor: eliminate semanticVersion duplicate struct and findGitRoot passthrough wrapper by @Copilot in #23707
• [docs] Self-healing documentation fixes from issue analysis - 2026-03-31 by @github-actions[bot] in #23728
• Remove unused integrityLevelOrder variable to fix lint by @Copilot in #23721
• fix: close @mention neutralization bypass via U+200E/200F/00AD/034F invisible chars by @Copilot in #23735

Full Changelog: v0.65.0...v0.65.1

v0.65.0

🌟 Release Highlights

v0.65.0 is a feature-rich release focused on MCP Gateway security controls, GitHub App org-level API access, and workflow lifecycle management — alongside a new Microsoft APM shared workflow and significant compiled output improvements.

✨ What's New

🔐 GitHub App Token: Org-Level Permissions

You can now grant org-scoped API access (e.g. members: read, organization-administration: read) directly in your workflow frontmatter — no more silent null responses when calling org-level GitHub APIs:

tools:
  github:
    toolsets: [orgs, users]
    github-app:
      app-id: $\{\{ vars.APP_ID }}
      private-key: $\{\{ secrets.APP_PRIVATE_KEY }}
      permissions:
        members: read

🛡️ MCP Gateway: Trusted Users & OIDC Authentication

Two powerful new MCP Gateway security features ship in this release:

• trusted-users — Elevate specific GitHub usernames to approved integrity without lowering the global min-integrity policy. Useful for contractors or partner developers who need elevated access without becoming repo collaborators.
• GitHub OIDC authentication — HTTP MCP servers can now authenticate using GitHub Actions OIDC tokens, enabling secure server-to-server trust without static credentials:

tools:
  mcp-servers:
    my-server:
      type: http
      url: "(myserver.example.com/redacted)
      auth:
        type: github-oidc
        audience: "(myserver.example.com/redacted)"

🔄 Version Update Check on Activation

Workflows now check at runtime whether the compiled gh-aw version is still supported. Blocked versions fail fast; below-recommended versions emit a warning. This protects against running workflows compiled with revoked or outdated versions. Disable with check-for-updates: false (emits a compile-time warning).

📦 Microsoft APM via shared/apm.md

APM package support is now available as a clean shared workflow import, replacing the deprecated dependencies: field:

imports:
  - uses: shared/apm.md
    with:
      packages:
        - microsoft/apm-sample-package

🧹 Cleaner Compiled Lock Files

The prompt heredoc consolidation refactor reduces compiled .lock.yml output by ~900 lines across the repo, making diffs dramatically easier to review when prompt content changes.

🐛 Bug Fixes & Improvements

• Fix actions/setup restore after cross-repo checkout in safe_outputs and upload_assets jobs — prevents runner post-step failures in dev mode (#23587, #23604)
• Fix add_labels schema — labels field is now correctly marked required in the safe-outputs inputSchema, preventing silent omission by JSONL-mode agents (#23610)
• Fix Daily Doc Updater — cookie-labeled issues (filed by automation workflows) are now surfaced correctly with approval-labels: [cookie] (#23613)
• Remove unused APM constants from pkg/constants and CI checks (#23624)

📚 Documentation

• Fixed sitemap (sitemap-index.xml) and RSS feed (blog/rss.xml) 404s on the docs site (#23585)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bbonafed

• Feature Request: GitHub OIDC token support for custom HTTP MCP server authentication (direct issue)

@dholmes

• Can not fetch members from org when using an app token (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• feat: group all concatenations in "Create prompt with built-in context" into a single section by @Copilot in #23588
• fix(step-names): align cache-memory git setup step with Setup <component> convention by @Copilot in #23586
• docs: fix sitemap and RSS feed 404s by @Copilot in #23585
• fix: restore actions/setup after cross-repo checkout in safe_outputs job by @Copilot in #23587
• [log] add debug logging to 5 pkg files (batch 2) by @github-actions[bot] in #23593
• feat: add version update check for compile-agentic activation by @Copilot in #23575
• [actions] Update GitHub Actions versions - 2026-03-30 by @Copilot in #23599
• fix: restore actions/setup in upload_assets job after git branch switch (dev mode) by @Copilot in #23604
• feat: Allow extra permissions on tools.github.github-app token for org-level API access by @Copilot in #23600
• fix(daily-doc-updater): add cookie-label approval and Step 1d to surface automation-filed doc gaps by @Copilot in #23613
• feat: add shared/apm.md shared workflow with Microsoft APM support by @Copilot in #23509
• feat: add trusted-users to MCP Gateway guard policy by @Copilot in #23608
• MCP Gateway: Add upstream OIDC authentication to schema, spec, and compiler by @Copilot in #23611
• fix(safeoutputs): add required: ["labels"] to add_labels inputSchema by @Copilot in #23610
• fix(instructions-janitor): use GitHub MCP get_latest_release instead of git describe by @Copilot in #23625
• fix: remove unused APM constants and references by @Copilot in #23624
• Add release alias map to releases.json by @Copilot in #23626

Full Changelog: v0.64.5...v0.65.0

v0.64.5

🌟 Release Highlights

This release focuses on compiler correctness and reliability — fixing several community-reported bugs around permissions, roles, and memory operations, while also hardening lock file security.

🐛 Bug Fixes & Improvements

• Permissions preserved with read-all + copilot-requests — When combining permissions: read-all with features: copilot-requests: true, the agent job was silently losing all read-all scopes and the detection job received no permissions block at all. This caused checkout failures, GraphQL API errors, and Copilot CLI auth failures. Both jobs now receive the correct permission sets. (#23574)

• roles: [read] now accepted by the compiler — The read role was documented as a valid permission level but was incorrectly rejected by the compiler with a validation error. This is now fully supported and the documentation has been aligned. (#23570)

• push_repo_memory no longer fails on sparse-checkout orphan branches — On the first run when creating an orphan branch in a sparse-checkout repository, git add would fail. The fix uses git add --sparse to handle this case correctly. (#23571)

• Lock file integrity hardened — The timestamp check has been removed from lock file validation; integrity is now verified solely via the frontmatter hash. This eliminates false-positive integrity failures caused by timestamp drift while maintaining strong tamper detection. (#23561)

🔧 Internal

• Eliminated duplicate GitHub host resolution and removed a circular-dependency workaround, simplifying the internal resolution path. (#23562)
• Refactored tool parameter list building into a single pass for cleaner, more maintainable code. (#23522)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@jaroslawgajewski

• push_repo_memory fails with sparse-checkout error on first run when creating orphan branch (direct issue)

@pholleran

• Lock file generator drops permissions on agent job and omits them on detection job (direct issue)

@PureWeen

• roles: [read] documented as available but rejected by compiler (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [code-simplifier] refactor: combine requestedTools and paramsList building into single pass (#23515 follow-up) by @github-actions[bot] in #23522
• [docs] Update glossary - weekly full scan by @github-actions[bot] in #23531
• [blog] Weekly blog post – 2026-03-30 by @github-actions[bot] in #23554
• [spec-review] Update Safe Outputs conformance checker for recent spec changes by @github-actions[bot] in #23534
• [docs] Consolidate 4 uncovered subdirectory spec files into dev.md (v4.7) by @github-actions[bot] in #23535
• [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #23533
• [specs] Update layout specification - 2026-03-30 by @github-actions[bot] in #23525
• [slides] Fix default toolsets comment in slides by @github-actions[bot] in #23564
• refactor: eliminate duplicate GitHub host resolution and circular-dependency workaround by @Copilot in #23562
• fix(security): remove timestamp check, rely solely on frontmatter hash for lock file integrity by @Copilot in #23561
• fix: use git add --sparse to handle sparse-checkout on orphan branch first run by @Copilot in #23571
• Add read role support to compiler; align docs with compiler behavior by @Copilot in #23570
• fix: preserve read-all permissions when copilot-requests feature is enabled by @Copilot in #23574

Full Changelog: v0.64.4...v0.64.5

v0.64.4

🌟 Release Highlights

This release delivers safe-output tooling improvements, sibling import resolution, and enhanced runner flexibility — driven largely by community feedback from @j-srodka.

✨ What's New

• runs-on-slim for compile-stable jobs — Override the runner for compile-stable framework jobs using the new runs-on-slim key, giving you precise control over job execution environments (#23490)
• Compile-time validation of safe-output job ordering — The compiler now validates needs: ordering on custom safe-output jobs at compile time, catching dependency misconfigurations before they reach runtime (#23486)
• DIFC proxy feature flag — The new difc-proxy feature flag gates DIFC proxy emission, enabling opt-in integrity enforcement for supported environments (#23471)

🐛 Bug Fixes & Improvements

• Sibling nested imports resolved correctly — ./file.md imports now resolve relative to the parent file's directory, fixing broken modular workflow imports (#23475)
• Custom tools included in <safe-output-tools> prompt — Custom jobs, scripts, and actions are now surfaced in the <safe-output-tools> prompt block so agents are aware of all available safe-output mechanisms (#23487)
• Repo-memory concurrency scope tightened — Push concurrency keys are now scoped to the actual branch target, eliminating unnecessary serialization across unrelated branches (#23489)
• MCP error message clarity — Docker-unavailable error messages now use correct parameter syntax for MCP compatibility (#23515)

📚 Documentation

• MemoryOps guide streamlined for better readability (#23506)
• Broken anchor link in safe-outputs specification fixed (#23474)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@j-srodka

• Generated jobs lack a compile-stable runner override/inheritance mechanism (direct issue)
• Compiled (safe-output-tools) can omit custom safe-output tools/jobs (direct issue)
• Custom safe-output jobs cannot declare needs / ordering relative to generated jobs (direct issue)
• Compiler-generated repo-memory push concurrency is broader than the actual write surface (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [docs] Self-healing documentation fixes from issue analysis - 2026-03-29 by @github-actions[bot] in #23460
• fix: add Node.js 24 runtime to daily-multi-device-docs-tester by @Copilot in #23464
• feat: guard DIFC proxy emission with difc-proxy feature flag by @Copilot in #23471
• Fix broken anchor link in safe-outputs-specification TOC by @Copilot in #23474
• ci-cleaner: add protected-files fallback-to-issue by @Copilot in #23472
• [docs] Update documentation for features from 2026-03-29 by @github-actions[bot] in #23481
• fix: resolve sibling nested imports (./file.md) relative to parent file's directory by @Copilot in #23475
• Add DIFC proxy sh integration test to ci.yml by @Copilot in #23476
• [log] Add debug logging to workflow pkg files lacking coverage by @github-actions[bot] in #23492
• Fix: include custom jobs, scripts, and actions in <safe-output-tools> prompt block by @Copilot in #23487
• feat: compile-time validation of needs: ordering on custom safe-output jobs by @Copilot in #23486
• fix: tighten repo-memory push concurrency key to actual branch targets by @Copilot in #23489
• feat: add runs-on-slim for compile-stable framework job runner override by @Copilot in #23490
• [docs] Update documentation for features from 2026-03-30 by @github-actions[bot] in #23503
• Add CI repro test for GH_HOST proxy/PR checkout mismatch (issue #23461) by @Copilot in #23496
• [docs] docs: unbloat MemoryOps guide by @github-actions[bot] in #23506
• bump gh-aw-firewall to v0.25.4 by @Copilot in #23514
• fix: use parameter syntax in Docker-unavailable error message for MCP compatibility by @Copilot in #23515
• chore: update MCP Gateway to v0.2.9 by @Copilot in #23513

Full Changelog: v0.64.3...v0.64.4

v0.64.3

🌟 Release Highlights

This release delivers significant security hardening, a major improvement to cache-memory integrity guarantees, and a wave of community-driven bug fixes across safe-outputs, the DIFC proxy, and workflow tooling.

✨ What's New

Integrity-Aware Cache-Memory with Git-Backed Branching

Cache-memory now enforces integrity isolation at the storage level using git branches — merged, approved, unapproved, and none. Each run reads only from its integrity tier and above, preventing lower-integrity agents from poisoning data consumed by higher-integrity runs. Cache keys now include the integrity level and a compile-time policy hash, so any change to your allow-only guard policy automatically invalidates stale cache entries.

⚠️ Migration note: existing caches will get a cache miss on first run after upgrading — intentional, since legacy data has no integrity provenance.

patch-format: bundle for Safe-Outputs Code-Push Flows

Code-push flows now support patch-format: bundle, which uses git bundle instead of git am/git format-patch. Bundle transport preserves the full commit graph including merge commits, authorship, and per-commit messages — resolving long-standing issues with merge-resolution-only content being silently dropped.

safe-outputs:
  create-pull-request:
    patch-format: bundle   # "am" (default) | "bundle"

🔒 Security Fixes

• Secret env var exclusion from agent container — AWF's --exclude-env flag now strips all secret-bearing environment variables (tokens, API keys, MCP secrets) from the agent container's visible environment, mitigating prompt-injection exfiltration vectors in pull_request_target workflows. Uses AWF v0.25.3+. (#23360)

• Argument injection fix in package validators — Package/image names in gh aw compile --validate-packages are now validated before being passed to npm view, pip index versions, uv pip show, and docker, preventing flag-injection attacks via maliciously crafted package names. (#23374)

🐛 Bug Fixes & Improvements

• Noop safe-output handling — Workflows no longer fail when the AI model returns a transient error after successfully capturing a noop safe-output. The conclusion job now correctly posts the noop message even when the agent job exits with code 1 in this scenario. (#23284)

• update-discussion label-only config — Configuring only allowed-labels on update-discussion no longer accidentally overwrites the discussion title or body with a JSON string. Field isolation is now enforced at both the tool schema level and at runtime. (#23279)

• DIFC proxy GHEC support — The DIFC proxy container now receives GITHUB_SERVER_URL, fixing integrity filtering for pre-agent gh CLI and actions/github-script steps on GitHub Enterprise Cloud tenants. (#23308)

• logs / audit fingerprint consistency — gh aw logs and gh aw audit now produce identical behavior_fingerprint values for the same workflow run. Previously, logs computed the fingerprint before populating run metrics from parsed log data. (#23420)

• AWF version corrected to v0.25.3 — The default firewall version was set to v0.26.0 (which was never released), causing "Install AWF binary" HTTP 404 errors. Corrected to v0.25.3, the actual release that shipped --exclude-env support. (#23396)

• update-discussion error diagnostics — GraphQL permission errors (e.g. missing discussions: write) now surface actionable messages with the exact error type, HTTP status, and remediation hint, instead of an opaque ERR_API: update discussion #N failed. (#23340)

---

🌍 Community Contributions — A huge thank you to the community members who reported issues resolved in this release!

@bryanchen-d

• Agent fails with "Failed to get response from the AI model; retried 5 times" after noop safe-output (direct issue)

@eaftan

• bug: missing-tool and missing-data have surprising create-issue behavior depending on implicit vs explicit enablement (direct issue)
• User feedback: Actions run page should link to .md file instead of .lock.yml (direct issue)

@look

• missing-tool: workflow completes successfully when MCP script tools fail (direct issue)

@strawgate

• safe-outputs: preserve merge/rebase commit history in code-push flow (direct issue)

⚠️ Attribution Candidates Need Review

The following community issue was closed during this release window but could not be automatically linked to a specific merged PR. Please verify whether it should be credited:

• @Henry-Shan for Add agentic workflow: Proactive Dependency Auto-Remediation for Dependabot PRs (#23268) — closed 2026-03-28 as NOT_PLANNED, no confirmed PR linkage found

---

For complete details, see CHANGELOG.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• #18412 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #23257 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release

---

What's Changed

• Remove URL fetch capability from editor.js playground by @Copilot in #23381
• ci: add integration-release-availability job to verify external dependencies by @Copilot in #23380
• fix: propagate assign-to-agent failure to step status and conclusion rendering by @Copilot in #23377
• fix: downgrade DefaultFirewallVersion and AWFExcludeEnvMinVersion from v0.26.0 to v0.25.3 by @Copilot in #23396
• [docs] docs: condense imports reference — consolidate merge-semantics table by @github-actions[bot] in #23414
• [ca] test: update wasm golden files for v0.25.3 downgrade by @github-actions[bot] in #23419
• [jsweep] Clean add_labels.cjs by @github-actions[bot] in #23417
• feat: reimplement tools.qmd as parameterized shared import, remove builtin presets by @Copilot in #23366
• Remove builtin tools.serena support; mark removed in schema by @Copilot in #23365
• fix: remove GHCR image checks from release availability CI (only verify GitHub release exists) by @Copilot in #23424
• fix: behavior_fingerprint inconsistency between logs and audit tools for the same run by @Copilot in #23420
• Add gh CLI install step for custom image runner in all workflows using gh by @Copilot in #23426
• [docs] Consolidate developer specifications into instructions file by @github-actions[bot] in #23429
• [community] Update community contributions in README by @github-actions[bot] in #23430
• Fix schema/code inconsistencies: remove engine.firewall dead code, error_patterns, and cleanup-script by @Copilot in #23423
• fix: handle uses:/path: map imports in fetchFrontmatterImportsRecursive by @Copilot in #23439
• docs: safe outputs spec v1.15.0 — cache memory integrity (git-backed branching) by @Copilot in #23443
• Remove emojis from agent failure messages by @Copilot in #23445
• feat: integrity-aware cache-memory with git-backed integrity branching and policy-scoped keys by @Copilot in #23425
• fix: format pkg/cli/remote_workflow_test.go with go fmt by @Copilot in #23450
• fix: correct serena-go.md import path to fix integration test failure by @Copilot in #23452
• refactor: consolidate semver utilities, merge single-function file, disambiguate MCP validator by @Copilot in #23448

Full Changelog: v0.65.0...v0.64.3