
v0.60.0


@github-actions github-actions released this 17 Mar 14:26
· 1911 commits to main since this release
c942baa

🌟 Release Highlights

v0.60.0 focuses on security hardening through a smarter guard policy system, expanded GitHub Enterprise Server (GHES) support, and a wave of reliability fixes - including a critical bot-detection failure that was affecting 84% of runs.

⚠️ Breaking Changes

  • Automatic lockdown replaced by automatic guard policies (#21287, #21294) - The runtime no longer auto-emits lockdown=true for public repos. Instead, it automatically configures min_integrity and repos guard policy fields on the GitHub MCP server for all repository types. Public repos get min_integrity=approved; private/internal repos get min_integrity=none. Remove any explicit lockdown: false from your workflow frontmatter as it is no longer needed.

✨ What's New

  • GHES domain auto-allowlisting (#21301) - When engine.api-target is set for a GitHub Enterprise Server instance, the compiler now automatically adds the GHES API and base hostnames to the firewall allow-list. Previously, every recompile silently blocked GHES API traffic.

  • github-app: auth in APM dependencies (#21286) - APM dependencies: now supports cross-org private package access via github-app: auth, solving failures where GITHUB_TOKEN couldn't reach packages in other organizations.

  • APM version pinning (#21297) - The compiler now pins microsoft/APM to v0.8.0 in generated workflow steps, ensuring reproducible APM package resolution.

  • Cross-host workflow resolution for GHE (#21349) - gh aw add and gh aw add-wizard now correctly resolve workflows from github.com when GH_HOST points to a GHE instance, preventing HTTP 404 errors on cross-host operations.

  • Runtime safe-outputs tools loading (#21323) - safe_outputs_tools.json is now loaded from actions/setup at runtime instead of being inlined at compile time, enabling schema updates without workflow recompilation.

πŸ› Bug Fixes & Improvements

  • Bot detection reliability (#21386) β€” Fixed an expired GH_AW_BOT_DETECTION_TOKEN causing an 84% failure rate. The step now correctly falls back to GITHUB_TOKEN when the dedicated token is unavailable.

  • checkout: false Git credentials (#21325) β€” Compiler no longer emits "Configure Git credentials" steps when checkout: false is set, eliminating fatal: not a git repository errors in workflows that skip checkout.

  • Safe-outputs prompt clarity (#21307) β€” The built-in prompt now correctly instructs agents to use safe-outputs only for "GitHub writes and completion signaling," preventing agents from ignoring mounted GitHub MCP read tools.

  • Error chain formatting (#21384) β€” Wrapped error chains are now displayed with newlines and indentation, making multi-layer errors significantly easier to debug.

  • Guard policies for non-GitHub MCP servers (#21342) β€” Write-sink guard policies are now correctly applied to non-GitHub MCP servers (Playwright, Serena, mcp-scripts, etc.) during auto-lockdown.

  • gh aw new engine list (#21348) β€” The interactive new command no longer offers the removed custom engine, preventing immediate compilation failures for newly created workflows.

  • audit absolute paths (#21331) β€” gh aw audit now returns absolute paths for downloaded files, improving compatibility with downstream tooling.

📚 Documentation

  • New /reference/auth-projects/ reference page for project authentication (#21280)
  • Documented automatic minimum-integrity-approved guard policy for public repositories (#21298)
  • Condensed Multi-Repo Operations best practices guide (#21311)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • [code-simplifier] refactor: extract parseSecretNames helper to remove duplication (#21262) by @github-actions[bot] in #21275
  • refactor(workflow): semantic function clustering - dedup, split, rename by @Copilot in #21277
  • docs: create missing /reference/auth-projects/ page by @Copilot in #21280
  • [log] log: add debug logging to 5 files across workflow/parser/cli packages by @github-actions[bot] in #21283
  • Support github-app: auth in dependencies: for cross-org APM packages by @Copilot in #21286
  • Replace automatic lockdown with automatic guard policy for public and private repositories by @Copilot in #21287
  • docs: document automatic minimum-integrity-approved guard policy for public repos by @Copilot in #21298
  • Remove lockdown: false from all agentic workflows by @Copilot in #21294
  • Store default GitHub lockdown value as a named constant by @Copilot in #21303
  • Compiler: auto-add GHES domains to --allow-domains when engine.api-target is set by @Copilot in #21301
  • Pin microsoft/APM version to v0.8.0 and emit it in generated apm-action steps by @Copilot in #21297
  • [docs] docs: condense MultiRepoOps best practices and remove redundant sections by @github-actions[bot] in #21311
  • fix: prompt steers model away from GitHub MCP read tools when safe-outputs is also enabled by @Copilot in #21307
  • Rename vague helper functions in add_interactive for better AI agent discoverability by @Copilot in #21324
  • fix: skip Configure Git credentials when checkout: false by @Copilot in #21325
  • fix: Multi-Device Docs Tester hits max-turns without producing safe outputs by @Copilot in #21327
  • fix(ci-coach): fallback to issue when PR touches protected files by @Copilot in #21333
  • test(fileutil): expand coverage to all exported functions by @Copilot in #21332
  • fix(audit): return absolute paths in downloaded_files by @Copilot in #21331
  • [jsweep] Clean add_reviewer.cjs by @github-actions[bot] in #21330
  • feat: load safe_outputs_tools.json from actions/setup at runtime instead of inlining by @Copilot in #21323
  • refactor: extract shared MCP renderer helpers across engine implementations by @Copilot in #21336
  • fix: activate GitHub App configuration in shared workflow configs by @Copilot in #21329
  • fix: remove github-app from smoke-claude APM dependencies by @Copilot in #21339
  • fix: replace removed custom engine with gemini in interactive new command by @Copilot in #21348
  • fix: add write-sink guard policies for non-GitHub MCP servers on auto-lockdown by @Copilot in #21342
  • [docs] Update glossary - daily scan by @github-actions[bot] in #21364
  • fix: format wrapped error chains with newlines and indentation by @Copilot in #21384
  • [fp-enhancer] Improve pkg/cli with functional patterns by @github-actions[bot] in #21359
  • fix: use GITHUB_TOKEN in bot-detection precompute step (expired GH_AW_BOT_DETECTION_TOKEN causing 84% failure rate) by @Copilot in #21386
  • fix: update docs-noob-tester with correct Playwright bridge IP instructions by @Copilot in #21385
  • Fix cross-host workflow resolution in add and add-wizard when GH_HOST is a GHE instance by @Copilot in #21349
  • Add Update Astro agentic workflow by @Copilot in #21389

Full Changelog: v0.59.0...v0.60.0