v0.58.3

@github-actions github-actions released this 15 Mar 04:08
· 2004 commits to main since this release
08a903b

🌟 Release Highlights

This release focuses on security hardening, GHES compatibility, and developer experience improvements, with better MCP write protection, a new Copilot pre-flight diagnostic for enterprise environments, and a noticeably improved run details summary.

✨ What's New

  • MCP Write-Sink Guard Policy: All non-GitHub MCP servers configured via the gateway now enforce a write-sink guard policy, preventing unintended writes through third-party MCP tools. This improves the security posture of workflows using custom MCP integrations. (#21005)

  • Copilot Pre-flight Diagnostic for GHES: A new pre-flight check helps diagnose Copilot configuration issues in GitHub Enterprise Server environments before a workflow run fails, saving time when debugging enterprise setups. (#20975)

  • Action Pins Mode with gh-aw-actions v0: The action-tag step now uses action pins mode, enabling stable and auditable action references via gh-aw-actions at the v0 tag. (#20991)

  • Enhanced Run Details Step Summary: Workflow run summaries now render as structured bullet points, display the gh-aw version, and include full aw_info output for easier post-run inspection. (#20989)

⚡ Performance

  • Faster Workflow Name Extraction: extractWorkflowNameFromFile no longer performs an unnecessary full YAML parse, reducing overhead when processing large workflow collections. (#21012)

πŸ› Bug Fixes & Improvements

  • GHES Host Leakage Prevention β€” The "Install GitHub Copilot CLI" step now explicitly emits GH_HOST: github.com, preventing GHES host values from leaking into the Copilot CLI installation context. (#20992)
  • Workflow Call Artifact Downloads Fixed β€” Artifact prefix handling in the conclusion job and script step downloads now works correctly in workflow_call contexts. (#21011)
  • TypeScript Type Error Fixed β€” Resolved a type error in json_object_to_markdown.cjs that could cause runtime failures in certain output scenarios. (#21010)
  • Go Firewall Rule for Shared Workflows β€” The shared/go-make.md shared workflow now includes go in its firewall allowed set, enabling Go toolchain downloads during builds. (#21014)

📚 Documentation

  • Accessibility: Live Search Results: The docs site search now announces results to screen readers via aria-live, improving accessibility for keyboard and assistive technology users. (#21019)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Optimize qmd-docs workflows: explicitly instruct models to use qmd-query for doc search by @Copilot in #20987
  • Add Copilot pre-flight diagnostic for GHES environments by @claude in #20975
  • Improve run details step summary: bullet points, aw version, and full aw_info rendering by @Copilot in #20989
  • feat: update action-tag to use action pins mode (gh-aw-actions) with v0 by @Copilot in #20991
  • fix: emit GH_HOST: github.com on Install GitHub Copilot CLI step to prevent GHES host leakage by @Copilot in #20992
  • [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #21001
  • [docs] docs: condense CentralRepoOps intro and remove duplicate cross-repo notes by @github-actions[bot] in #21003
  • feat: add write-sink guard policy to all non-GitHub MCP servers configured by gateway by @Copilot in #21005
  • Add go firewall allowed set to shared/go-make.md by @Copilot in #21014
  • perf: optimize extractWorkflowNameFromFile by eliminating unnecessary YAML parse by @Copilot in #21012
  • fix: use artifact prefix in conclusion job and script step downloads for workflow_call context by @Copilot in #21011
  • Remove copilot-preflight script and associated step generation by @Copilot in #21016
  • docs: add aria-live enhancement for search results accessibility (#issue) by @Copilot in #21019

Full Changelog: v0.58.2...v0.58.3