Skip to content

v0.56.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 08 Mar 01:50
· 2256 commits to main since this release
v0.56.0
046e81c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

🌟 Release Highlights

This release brings meaningful quality-of-life improvements to workflow automation: smarter add-wizard scheduling, better protection for critical files, and a proactive fix for repo-memory size failures β€” plus a notable security hardening for git authentication.

✨ What's New

  • Schedule frequency picker in add-wizard β€” When adding a scheduled workflow, gh aw add-wizard now prompts you to choose a frequency (hourly, 3-hourly, daily, weekly, monthly, or custom cron). No more being locked to whatever schedule the upstream workflow shipped with. (#19709)

  • Protected-files enforcement in safe outputs β€” Workflows can now declare protected-files to prevent agents from inadvertently modifying critical files (e.g., AGENTS.md, .github/ configs, runtime manifests). When a push attempts to touch a protected file, safe outputs surfaces a clear remediation message instead of silently failing or overwriting. (#19958)

  • Early size validation for repo-memory β€” A new push_repo_memory MCP tool validates memory size before pushing, catching oversized payloads early and giving agents a chance to trim content rather than failing at upload time. (#19977)

  • Remote workflow dependencies fetched on gh aw add β€” When adding a workflow that uses dispatch-workflow dependencies or declares resources, gh aw add now automatically fetches and saves those assets locally. (#19965)

πŸ› Bug Fixes & Improvements

  • Security: git credentials no longer written to disk β€” Git authentication tokens are now passed as environment variables to the fetch subprocess rather than written to .git/config. This closes a window where an attacker monitoring filesystem events (e.g., via inotify) could capture the token. (#19963)

  • Cleaner first-run experience for repo-memory β€” Suppressed 5 spurious GitHub Actions error annotations that appeared on the first run of push_repo_memory (where git fetch/git pull failing is expected because the memory branch doesn't exist yet). (#19979)

  • Clearer compile command help text β€” The gh aw compile short description now explicitly states it converts .md files to .lock.yml, removing a common source of confusion for new users. (#19988)

πŸ“š Documentation

  • Streamlined permissions.md reference (~18% shorter) by consolidating duplicate sections, fixing a broken callout, and correcting heading hierarchy β€” all technical content preserved. (#20003)

🌍 Community Contributions

A huge thank you to the community members who reported issues resolved in this release:

For complete details, see CHANGELOG.

Generated by Release

What's Changed

  • fix: pass git auth via environment variables instead of writing to .git/config by @Copilot in #19963
  • add-wizard: offer schedule frequency selection for scheduled workflows by @Copilot in #19709
  • feat(add): fetch dispatch-workflow dependencies and resources when adding remote workflows by @Copilot in #19965
  • [code-simplifier] refactor: extract shared sanitizeForFilename helper in generate_git_patch.cjs by @github-actions[bot] in #19980
  • Add protected-files support to runtimes and enforce protected file protection in safe outputs by @Copilot in #19958
  • fix: suppress spurious error annotations in push_repo_memory for expected git failures by @Copilot in #19979
  • feat: Add push_repo_memory MCP tool for early size validation by @Copilot in #19977
  • Improve compile command help text to clarify input/output formats by @Copilot in #19988

Full Changelog: v0.55.0...v0.56.0

Assets 18
Loading