v0.69.3

What's Changed

• fix(cli): remove duplicate checkmark in upgrade extension output by @Copilot in #27669
• fix: force extension upgrade for pinned gh-aw installs by @Copilot in #27679
• Add vulnerability-alerts as GITHUB_TOKEN permission scope by @salmanmkc in #27668
• Fix Integration “Workflow Misc Part 2” failures by removing deprecated network.firewall test fixtures by @Copilot in #27676
• [log] Add debug logging to safe-outputs config parsers and maintenance conditions by @github-actions[bot] in #27690
• Add supersede-older-reviews for PR reviews and shift guidance to COMMENT-first defaults by @Copilot in #27662
• [actions] Update GitHub Actions versions - 2026-04-21 by @github-actions[bot] in #27680
• Add smoke-ci coverage for cache/repo memory and update safe outputs by @Copilot in #27683
• Use hash-based stale lock validation guidance in Workflow Health Manager by @Copilot in #27696

Full Changelog: v0.69.2...v0.69.3

v0.69.2

🌟 Release Highlights

This release delivers a major new memory primitive for agentic workflows, tightens URL sanitization for agent inputs, and removes the long-deprecated network.firewall frontmatter key — with a one-command migration path.

⚠️ Breaking Changes

network.firewall frontmatter key removed — this field was previously deprecated; it is now rejected by the compiler. Migrate automatically using the built-in codemod:

gh aw fix --write

The codemod rewrites network.firewall: true → sandbox.agent: awf, network.firewall: false → sandbox.agent: false, and preserves version overrides. See #27626 for details.

✨ What's New

• comment_memory safe output (#27479) — Agents can now persist structured memory directly in a managed issue or PR comment. Memory files are materialized under /tmp/gh-aw/comment-memory/ before the agent runs, edited in-place by the agent, and automatically synced back to GitHub at the end of the workflow. This enables stateful agents that accumulate context across multiple runs without external storage.

• sandbox.agent.version support (#27626) — Pin the AWF sandbox version your workflow uses via sandbox.agent.version in frontmatter. Useful for staged rollouts and reproducibility testing.

🐛 Bug Fixes & Improvements

• URL sanitization fix (#27639) — The compute_text activation step was stripping all non-GitHub URLs from issue/PR/discussion bodies before the agent could read them, even when those domains were explicitly listed in network.allowed or safe-outputs.allowed-domains. URLs from workflow-configured allow-lists are now preserved in agent input, consistent with output-side sanitization behavior.

• MCP context overflow guard (#27657) — list_code_scanning_alerts calls in bundled workflows now enforce state: open and severity: critical,high filters to prevent 145K+ character payloads from overflowing agent context windows.

• AI Moderator Codex auth fix (#27656) — Corrected auth token precedence and allowed the required Codex domain for the AI Moderator workflow.

• Workflow Tools & MCP fixes (#27645) — Resolved integration failures triggered by the network.firewall deprecation in tooling and MCP-enabled workflows.

• comment-memory permission hardening (#27642) — Fixed permission regressions introduced by the comment-memory feature and migrated config to the tools block.

• Removed noisy MCP startup notices (#27617) — MCP server startup log lines no longer emit GitHub Actions notice annotations.

📚 Documentation

• Gemini quick-start & engine chooser (#27658) — Gemini is now included in quick-start prerequisites (including GEMINI_API_KEY setup), and a new "Which engine should I choose?" section in reference/engines helps users pick the right engine for their use case.

• CLI help alignment (#27622) — CLI reference docs for run, compile, logs, remove, fix, and validate are now synchronized with actual command output.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@corygehr

• compute_text step strips all non-GitHub URLs from issue/PR/discussion bodies before the agent sees them (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.3M

---

What's Changed

• Fix Workflow Features integration test fixture to align with current network schema by @Copilot in #27643
• Pass workflow allowed domains into activation compute_text sanitization by @Copilot in #27639
• Update smoke-ci to use comment-memory and write a haiku by @Copilot in #27640
• Harden safe_outputs permission tests by scoping assertions to job section by @Copilot in #27644
• Fix Workflow Tools & MCP integration failures after network.firewall deprecation by @Copilot in #27645
• docs: add Gemini quick-start coverage and engine selection guidance by @Copilot in #27658
• Guard list_code_scanning_alerts workflow usage to prevent MCP context overflow by @Copilot in #27657
• Fix comment-memory permission regressions, migrate config to tools, and exercise PR safe outputs in smoke-ci by @Copilot in #27642

Full Changelog: v0.69.1...v0.69.2

v0.69.1

🌟 Release Highlights

This release delivers significant improvements to workflow security, SHA pinning reliability, and safe-outputs extensibility — making agentic workflows more robust, auditable, and flexible out of the box.

✨ What's New

sandbox.agent.version — Pin the AWF version per workflow
You can now specify an exact AWF version override directly in your workflow frontmatter with sandbox.agent.version. This gives you fine-grained control over which agent version executes your workflow, and the compiler automatically migrates deprecated network.firewall settings to the modern sandbox.agent API. Learn more

safe-outputs.needs — Custom credential-supply job dependencies
Workflows that mint GitHub App tokens or fetch custom credentials in a separate job can now declare that job as an upstream dependency of safe_outputs using the new safe-outputs.needs field. This unblocks needs.<custom_job>.outputs.* references in safe-outputs handlers and eliminates actionlint failures caused by undeclared job dependencies. Learn more

safe-outputs:
  needs: [secrets_fetcher]
  github-app:
    app-id: $\{\{ needs.secrets_fetcher.outputs.app_id }}
    private-key: $\{\{ needs.secrets_fetcher.outputs.app_private_key }}

Hardened gh aw add SHA pinning — no more silent fallbacks
gh aw add now fails loudly when ref→SHA resolution fails instead of silently falling back to an unpinned @ref. Transient failures (rate limits, timeouts) are retried with exponential backoff before erroring. Pinned action-ref enforcement is now the default at compile/validate time, with a new --allow-action-refs flag to downgrade to warnings. Lock files also gain a resolution_failures section in the manifest for auditing unresolved pins.

🐛 Bug Fixes & Improvements

• Codex MCP gateway — Fixed startup failures caused by config.toml self-copy when CODEX_HOME pointed to the same directory as the MCP config source.
• create_issue concurrency — Eliminated a race condition where concurrent safe-output handler calls could both pass the max-issue-count check; slot reservation is now synchronized before the first await.

📚 Documentation

• CLI reference (docs/src/content/docs/setup/cli.md) corrected to accurately reflect --repeat semantics and complete option lists for compile, logs, remove, fix, and validate commands.
• Docs site improvements: high-contrast accessibility support, explicit logo dimensions for layout stability, and lazy-loading hints for video embeds.

A huge thank you to the community members who reported issues that were resolved in this release!

@bbonafed

• Allow extending safe_outputs.needs from frontmatter for custom credential-supply jobs (direct issue)

@verkyyi

• gh aw add: silent fallback to @ref when SHA resolution fails produces asymmetric .md/.lock.yml that fails ERR_CONFIG at runtime (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.8M

---

What's Changed

• [actions] Update GitHub Actions versions - 2026-04-20 by @github-actions[bot] in #27428
• Disable threat-detection phase in copilot-token-optimizer by @Copilot in #27426
• Align safe-jobs env setup step naming with Safe Outputs terminology by @Copilot in #27420
• Harden gh aw add SHA pinning, enforce .md/.lock.yml frontmatter hash parity, require pinned action refs by default, and audit pin-resolution failures by @Copilot in #27419
• fix: add CODEX_HOME env var to MCP gateway step for Codex engine workflows by @lpcox in #27457
• SEC-004 conformance: sanitize close-issue comment body and add explicit handler exemptions by @Copilot in #27448
• Align CLI/workflow package specs with actual public surface by @Copilot in #27461
• Fix Codex smoke gateway auth by syncing converted config into writable CODEX_HOME by @Copilot in #27418
• [safe-output-integrator] Add missing merge-pull-request safe-output test workflow and compiler test by @github-actions[bot] in #27456
• Document OpenCode/Crush MCP, permission, and API-routing gotchas in troubleshooting guide by @Copilot in #27451
• Fail loudly when preserve-branch-name collides with existing remote branch by @Copilot in #27458
• Add experimental OpenCode engine support, smoke workflow, and reassign LLM gateway ports by @Copilot in #27466
• Design Decision Gate: raise ADR-path turn budget from 5 to 10 by @Copilot in #27477
• Add configurable agentic engine driver script support by @Copilot in #27453
• Error on unknown single-word ecosystem identifiers in network.allowed by @Copilot in #27475
• Support extending safe_outputs dependencies via safe-outputs.needs by @Copilot in #27476
• [workflow-style] Normalize report formatting guidance across reporting workflows by @Copilot in #27481
• [docs] docs: reduce bloat in common-issues.md by 22% by @github-actions[bot] in #27483
• Bump default AWF firewall to v0.25.26, merge main, and recompile lock outputs by @Copilot in #27478
• Remove imports.apm-packages from workflow schema and schema-driven docs by @Copilot in #27493
• [jsweep] Clean messages_staged.cjs by @github-actions[bot] in #27487
• Emit agent output metrics on OTLP conclusion spans for all outcomes by @Copilot in #27495
• Add cadence clarification prompt for scheduled workflow trigger selection by @Copilot in #27505
• Document bash allowlist decision rule for trusted vs untrusted workflow inputs by @Copilot in #27506
• Raise Design Decision Gate turn cap to prevent false-failure on successful ADR runs by @Copilot in #27514
• [docs] Update Astro dependencies - 2026-04-21 by @github-actions[bot] in #27543
• [docs] Update documentation for features from 2026-04-21 by @github-actions[bot] in #27542
• [instructions] Sync github-agentic-workflows.md with v0.68.3 by @github-actions[bot] in #27541
• [spec-enforcer] Enforce specifications for actionpins, agentdrain, cli by @github-actions[bot] in #27539
• [spec-extractor] Update package specifications for gitutil, logger, stringutil, timeutil by @github-actions[bot] in #27536
• [docs] Update glossary - daily scan 2026-04-21 by @github-actions[bot] in #27535
• [docs] Consolidate developer docs v6.7: document OTLP agent output metrics by @github-actions[bot] in #27549
• build(deps-dev): Bump typescript from 6.0.2 to 6.0.3 in /actions/setup/js by @dependabot[bot] in #27532
• build(deps-dev): Bump @types/node from 25.5.2 to 25.6.0 in /actions/setup/js by @dependabot[bot] in #27530
• [architecture] Update architecture diagram - 2026-04-21 by @github-actions[bot] in #27521
• build(deps-dev): Bump prettier from 3.8.2 to 3.8.3 in /actions/setup/js by @dependabot[bot] in #27528
• build(deps-dev): Bump @actions/github from 9.0.0 to 9.1.0 in /actions/setup/js by @dependabot[bot] in #27526
• build(deps-dev): Bump vite from 8.0.8 to 8.0.9 in /actions/setup/js by @dependabot[bot] in #27525
• [dead-code] chore: remove dead functions — 4 functions removed by @github-actions[bot] in #27567
• Docs: address multi-device accessibility/layout warnings (contrast, logo sizing, video loading) by @Copilot in #27583
• [code-simplifier] Simplify OTLP error extraction in send_otlp_span.cjs (#27495) by @github-actions[bot] in #27507
• Harden create_issue concurrency limits and remove dead copilot assignment queue code by @Copilot in #27533
• Prevent Codex MCP gateway startup failures from config.toml self-copy by @Copilot in #27582
• Refactor sanitizer APIs to separate artifact identifiers from code identifiers by @Copilot in #27584
• [fp-enhancer] Improve pkg/actionpins: extract pure helpers, eliminate duplicate init by @github-actions[bot] in #27523
• Fix lint-go and test failures in actionpins and cli specs by @Copilot in #27608
• Refactor log parser shared...

v0.69.0

🌟 Release Highlights

v0.69.0 delivers significant safe-output workflow improvements — team reviewers, dynamic branch configuration, and update-branch support — plus the new Crush AI engine and a wave of community-reported bug fixes improving MCP reliability, secret redaction, and token reporting.

✨ What's New

🤖 Crush Engine Replaces OpenCode
The OpenCode engine has been retired and replaced with Crush across all runtime paths. Update your workflows with engine: crush to use the new engine. Learn more

👥 Team Reviewer Support for Safe Outputs
create-pull-request and add-reviewer safe outputs now support team reviewers in addition to individual users — resolving a long-requested community feature. Learn more

🌿 Dynamic Base Branch for create_pull_request
Workflows can now specify a per-run base branch via policy-gated configuration. The patch generator also correctly honors the configured base_branch instead of defaulting to the triggering repo's default branch.

🔄 Update-Branch Support in update-pull-request
Safe-output update-pull-request now supports the update-branch operation, enabling workflows to keep pull requests up to date with their base branch automatically.

↩️ Redirect Support for Workflow Updates
Workflow update operations now support a --no-redirect flag and safe-update approval checks, giving you more control over automated workflow changes.

🔀 Fallback PR Flow for Diverged Branches
When push-to-pull-request-branch diverges, the workflow now automatically falls back to an alternative PR flow. Opt-out is available for workflows that prefer the previous strict behavior.

📦 latex Network Ecosystem Group
A new latex network ecosystem identifier is available for workflows that need to fetch LaTeX packages during agentic runs. Learn more

⬆️ gh aw upgrade Improvements

• New --pre-releases flag to opt into pre-release versions
• Fixed duplicate success symbol display
• Extended rename+retry workaround to Windows

🏷️ LOW_QUALITY Comment Minimization
Safe outputs now support LOW_QUALITY as a valid comment minimization reason, expanding control over comment visibility on noisy threads.

🐛 Bug Fixes & Improvements

• Fixed MCP stdout corruption — gh aw mcp-server no longer writes diagnostic banners to stdout, preventing JSON-RPC stream poisoning (community report by @edburns)
• Fixed duplicate Token Usage section in agent summaries when MCP Gateway content was present (community report by @Daidanny008)
• Eliminated secret-redaction EACCES warnings — Redact secrets in logs no longer fails on MCP log files owned by another user (community report by @yskopets)
• Fixed pre-steps outputs unavailable to safe_outputs/conclusion/activation jobs that mint GitHub App tokens (community report by @bbonafed)
• Fixed markdown fence balancer corrupting sequential code blocks
• Fixed false-positive role assertion match in single-string test patterns (community report by @jeffhandley)
• Cap native action updates at the running CLI version to prevent over-upgrading
• Fixed missing state-reason field in close-issue JSON schema
• Added --allow-host-ports to AWF command for MCP gateway port 8080

🔒 Security

• SEC-005 allowlist validation now enforced for workflow_dispatch target repo overrides
• New gh aw fix codemods available for strict-mode secret leaks in step run and engine.env

📚 Documentation

• FAQ entry clarifying slash-command trigger noise and LabelOps mitigation
• CLI help text and engine documentation aligned with latest behavior

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bbonafed

• pre-steps outputs unavailable to safe_outputs/conclusion/activation jobs that mint GitHub App tokens (direct issue)

@Calidus

• Safe-output patch generator uses triggering repo's default branch instead of configured base_branch (direct issue)

@Daidanny008

• Extra Token-Usage Section Rendered in Agent Summary (direct issue)

@edburns

• 🐳 MCP Fail Whale: gh aw mcp-server writes diagnostic banners to stdout, poisoning the JSON-RPC stream (direct issue)

@IEvangelist

• Feature request: dynamic/per-run base branch for create_pull_request safe output (direct issue)

@jeffhandley

• Likely false-positive match on single-string role test assert (direct issue)

@jsoref

• Types of parameters 'options' and 'encoding' are incompatible. -- Type 'string' is not assignable to type 'WriteFileOptions | undefined'. (direct issue)

@seangibeault

• Safe outputs create-pull-request / add-reviewer don't support team reviewers (spec says they should) (direct issue)

@tinytelly

• triggering unwanted actions (direct issue)

@yskopets

• Refactor *.cjs scripts to support SideRepoOps pattern natively (direct issue)
• agent: "Redact secrets in logs" step emits 3 warnings — EACCES permission denied on MCP log files (direct issue)

⚠️ Attribution Candidates Need Review

The following community issues were closed during this period but could not be automatically linked to a specific merged PR. Please verify whether they should be credited:

• @Ray961123 for Question: Why do some GitHub Actions steps intermittently have no logs (data-log-url) after completion? — closed 2026-04-19, closed as NOT_PLANNED, no confirmed PR linkage found

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.6M

---

What's Changed

• test: tighten single-role GH_AW_REQUIRED_ROLES assertion (fixes #26799) by @Copilot in #26804
• Add daily Claude workflow for cross-repo gh-aw compilation compatibility checks by @Copilot in #26802
• Replace archived OpenCode engine with Crush across runtime, compiler, and workflow assets by @Copilot in #26819
• fix: prevent markdown fence balancer from corrupting sequential code blocks by @dsyme in #26785
• [architecture] Update architecture diagram - 2026-04-17 by @github-actions[bot] in #26831
• [jsweep] Clean resolve_mentions_from_payload.cjs by @github-actions[bot] in #26809
• [docs] Update glossary - daily scan by @github-actions[bot] in #26840
• [spec-extractor] Update package specifications for constants, cli (run 1) by @github-actions[bot] in #26841
• [spec-enforcer] Enforce specifications for timeutil, logger, constants by @github-actions[bot] in #26842
• [docs] Update documentation for features from 2026-04-17 by @github-actions[bot] in #26845
• [docs] docs: consolidation v6.3 — tone fixes and package structure update by @github-actions[bot] in #26851
• [docs] Self-healing documentation fix: update FAQ engine list - 2026-04-17 by @github-actions[bot] in #26872
• deps: bump bubbletea v2.0.5 → v2.0.6 for wide-char rendering fix by @Copilot in #26838
• fix: cap gh-aw native action updates at the running CLI version by @Copilot in #26827
• [aw-compat] Downgrade strict missing-permission failures for default GitHub toolsets to warnings by @Copilot in #26816
• Refactor MCP gateway converters to shared pipeline and thin engine adapters by @Copilot in #26858
• ci: compile gh-aw-marketplace workflows in CI by @Copilot in #26888
• Bump default CLI/tool versions (Claude, Copilot, Codex, GitHub MCP) and recompile lockfiles by @Copilot in #26810
• docs: clarify BYOK and MCP registry enforcement behavior by @Copilot in #26900
• Refactor activation job builder to eliminate function/file size architecture violations by @Copilot in #26879
• Reduce token overhead in Daily Compiler Quality workflow by @Copilot in #26907
• Add redirect support for updates with --no-redirect and safe-update approval checks by @Copilot in #26903
• [WIP] Fix failing GitHub Actions workflow lint-go by @Copilot in #26912
• Fix CI js typecheck errors in gateway config conversion scripts by @Copilot in #26913
• Add team reviewer support to create-pull-request an...

v0.68.7

🌟 Release Highlights

This release delivers targeted bug fixes and internal reliability improvements, including a community-reported fix for on.roles configuration handling and a Codex runtime stability fix.

🐛 Bug Fixes & Improvements

• on.roles Single-String Support (#26789) — The compiler now accepts a single role string (e.g., roles: write) in addition to an array. Previously, using a string instead of an array produced a misleading compiler error with no clear guidance.
• Codex AWF Chroot Fix (#26787) — Fixed Codex agent failures in chroot environments by relocating runtime state to writable /tmp. Codex workflows on restricted filesystems should now run reliably.
• Failure Investigator Improvements (#26795) — Reduced issue churn in the aw-failure-investigator workflow by prioritizing closure and reusing parent issue tracking across runs.
• Firewall Update (#26798) — Default firewall version bumped to v0.25.23 with regenerated compiled artifacts.

✨ What's New

• Cross-Repo Compilation Compatibility Checks (#26802) — A new daily Claude workflow automatically discovers repositories using gh-aw, runs compilation checks against the latest build, and surfaces compatibility issues before they affect users.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@jeffhandley

• Misleading compiler error when 'roles' is set to a string instead of an array (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.3M

---

What's Changed

• Reduce aw-failure-investigator issue churn by prioritizing closure and reusing parent tracking by @Copilot in #26795
• Allow on.roles single-string role values (not just all) by @Copilot in #26789
• Fix Codex AWF chroot failures by moving Codex runtime state to writable /tmp by @Copilot in #26787
• chore: bump default firewall version to v0.25.23 and regenerate compiled artifacts by @Copilot in #26798

Full Changelog: v0.68.6...v0.68.7

v0.68.6

🌟 Release Highlights

This release brings a major new AI engine, significant security hardening, and a wave of reliability fixes — many of them driven directly by community-reported issues.

✨ What's New

• OpenCode engine support — A new engine: opencode option integrates OpenCode as a first-class AI coding agent in your agentic workflows, joining Copilot, Claude, and Codex.

• engine.bare mode — Set engine.bare: true on any workflow to skip loading AGENTS.md context. Ideal for non-code workflows (triage, reporting, ops) where the repository code context is irrelevant and you want a clean, fast agent start.

• Pre-agent steps — A new pre-agent-steps frontmatter field lets you run custom GitHub Actions steps before the AI agent starts. Use this for authentication, environment setup, or any prerequisite work. Learn more

• Idle custom agent wiring — Idle custom agents are now automatically matched and connected to their corresponding workflows, reducing manual configuration for long-running agent sessions.

• Detection caution alerts in all footers — When threat detection identifies issues in a workflow run, a mandatory caution alert is now included in every generated footer (issues, PR descriptions, comments, and more), ensuring reviewers are always informed.

• Cache-memory working-tree sanitization — Before an agent run begins, the working tree is now sanitized to remove planted executables and disallowed files from cached memory. This prevents a class of supply-chain-style attacks via stale cache. Learn more

🐛 Bug Fixes & Improvements

• MCP gateway Docker socket access — Fixed two related bugs: the Docker socket GID is now pre-computed (not evaluated inside a non-shell spawn() call), and the --group-add flag is correctly passed to the MCP gateway container — ensuring Docker-in-Docker tools work reliably inside the sandbox.

• BYOK Copilot model fallback — Fixed an issue where COPILOT_MODEL could be set to an empty string in compiled workflows when using Bring Your Own Key (BYOK) Copilot configurations, causing unexpected model selection.

• Gemini proxy handler — Fixed GEMINI_API_BASE_URL routing issues: the AWF proxy now correctly handles Gemini API requests, resolving API proxy enabled but no API keys found errors for both gemini-cli and the Gemini engine.

• Duplicate action SHA conflict — Fixed a compilation error where two different actions could resolve to the same commit SHA after a gh aw update, causing "two different actions share the exact same commit SHA" failures.

• PR head branch handling — Gracefully handles deleted PR head branches in push_to_pull_request_branch (checked both before fetch and after push failure).

• Scheduled Copilot run hardening — Scheduled Copilot runs are now resilient to transient exit-code-2 startup failures.

• PR reaction activation permissions — Fixed incorrect permission derivation for workflows triggered by pull request reactions.

• MCP gateway health check retry — The port 80 health check now retries on transient container startup delays instead of failing immediately.

• AWF firewall updated to v0.25.22 and MCP gateway updated to v0.2.22.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@arthurfvives

• Gemini engine fails with AWF proxy: GEMINI_API_BASE_URL points to proxy but proxy has no Gemini handler (direct issue)

@bmerkle

• problem after gh aw update: Two different actions share the exact same commit SHA (direct issue)

@bryanchen-d

• MCP Gateway: port 80 health check fails with no retry on transient container startup delay (direct issue)

@dkurepa

• Enabling workflow-wide Docker-in-Docker configuration breaks gh aw workflows (direct issue)

@doughgle

• Gemini CLI Failed: API proxy enabled but no API keys found in environment (direct issue)

@jaroslawgajewski

• bug: Copilot CLI 1.0.21 added a startup model validation step: when COPILOT_MODEL is set (direct issue)

@yskopets

• bug: GOROOT not propagated into agent container despite --env-all and spec §8.5 (direct issue)

---

For complete details, see CHANGELOG.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• ae832fb list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• cc2e417 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release · ● 1.5M

---

What's Changed

• Improve docs mobile table readability and homepage video accessibility metadata by @Copilot in #26660
• Add support for pre-agent-steps before agent execution by @Copilot in #26666
• Fix redact_secrets gateway-token tests after MCP config path refactor by @Copilot in #26681
• Add mandatory caution alert to all generated footers when detection finds issues by @Copilot in #26684
• Stabilize daily Copilot merged-PR report by switching to bounded pre-fetched filtering by @Copilot in #26680
• Align JavaScript MCP scripts log renderer with Copilot output style by @Copilot in #26692
• Add 6-hour [aw] failure investigation workflow by @Copilot in #26694
• Fix lint-go failure from testifylint violations in spec tests by @Copilot in #26686
• Fix CaptureStderr restoration timing in testutil to resolve CI unit test failure by @Copilot in #26687
• Fix audit tool type undercount for Copilot MCP-only runs by @Copilot in #26689
• Scope activation reactions like status-comment targets and compute activation permissions from both target sets by @Copilot in #26693
• docs: clarify MCP gateway API key is leaked by design by @Copilot in #26695
• Add features.awf-diagnostic-logs to enable AWF failure diagnostics artifact collection by @Copilot in #26699
• Allow configuring conclusion failure issue expiration via aw.json by @Copilot in #26688
• Reduce Workflow Skill Extractor token overhead by removing unused tools and pre-indexing workflows by @Copilot in #26682
• Harden MCP Gateway startup health check against transient port-binding delays by @Copilot in #26697
• Fix JS workflow typecheck failure in MCP scripts log parser by @Copilot in #26703
• Always enable Copilot integration ID and remove feature flag gating by @Copilot in #26698
• Increase mcp-cli usage to 80% of agentic workflows by @Copilot in #26715
• Fix DIFC proxy shell integration test to use step-scoped proxy environment by @Copilot in #26704
• Handle deleted PR head branches in push_to_pull_request_branch before fetch and after push failures by @Copilot in #26705
• Fix activation permissions for pull request reactions by @Copilot in #26720
• Harden scheduled Copilot runs against transient exit-code-2 startup failures by @Copilot in #26713
• [log] Add debug logging to 5 Go files by @github-actions[bot] in #26738
• [ubuntu-image] docs: update Ubuntu runner image analysis for 2026-04-16 by @github-actions[bot] in #26741
• Use sort.Strings in GetAllScriptFilenames and add focused ordering tests by @Copilot in #26731
• Use declaration-site blank identifiers in workflow validation paths by @Copilot in #26730
• Enable strict mode and sanitized PR title in refiner input-triggered workflow by @Copilot in #26744
• Fix setup-span staging attribution when aw_info is unavailable by @Copilot in #26742
• Enable engine.bare f...

v0.68.5

🌟 Release Highlights

This release delivers two new workflow customization features, a significant security hardening for cache-memory workflows, and resolves four community-reported issues around permissions, safe-outputs protection, and GitHub App token deprecation.

✨ What's New

• pre-agent-steps frontmatter field — Inject custom steps immediately before the agent engine runs. Supports imports and merge semantics, giving you fine-grained control over pre-execution setup without forking shared workflows. (#26666)

• MCP config relocated to .github/mcp.json — The MCP configuration file now lives at .github/mcp.json (previously .mcp.json at the repository root), aligning with standard GitHub configuration conventions. The init flow creates the new path automatically; existing .mcp.json files will need to be migrated. (#26665)

• shared/reporting-otlp.md import bundle — A new composite import combines shared/reporting.md and shared/observability-otlp.md into a single import, reducing boilerplate in telemetry-enabled reporting workflows. (#26655)

• cache-memory working-tree sanitization — Cached working trees are now sanitized before agent execution to neutralize planted executables and disallowed files, hardening workflows that persist state across runs. (#26587)

🐛 Bug Fixes & Improvements

• Environment-level secrets now work correctly — The environment: frontmatter field now properly propagates to the activation job, preventing false secret-validation failures for environment-scoped secrets. (#26650)

• Activation-job permissions are now narrowly scoped — Compiled workflows no longer request broader permissions (e.g. discussions:write, pull-requests:write) than the workflow actually requires; permissions are now derived from the actual trigger events. (#26535)

• GitHub App token input migrated to client-id — Resolves the app-id deprecation warning. Includes schema-level compatibility and an automatic codemod to migrate existing workflows. (#26551)

• safe-outputs protected file manifests aligned for Claude engine — The activation-job config and handler config now use consistent protected_files/protected_path_prefixes for Claude engine workflows, fixing a mismatch that could cause safe-output failures. (#26550)

• BYOK Copilot model fallback fixed — Prevents an empty COPILOT_MODEL variable in compiled BYOK workflows. (#26566)

• Auto-Triage pre-agent auth failure resolved — Fixes no-op failed runs caused by an authentication failure before the agent step. (#26572)

• CLI Version Checker false positives eliminated — The version checker no longer reports failures when safe outputs were already produced in a prior step. (#26570)

• Security: @mention injection in create_issue body neutralized — Sanitizes @mentions in issue bodies to close a cross-workflow prompt-injection gap. (#26589)

• Security: steganographic injection via markdown link titles neutralized (#26596)

• MCP Gateway updated to v0.2.21 (#26678)

📚 Documentation

• Improved mobile table readability across the docs site — table columns now expose data-label attributes for card-layout rendering on small screens. Homepage videos gained descriptive accessibility metadata. (#26660)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@AlexDeMichieli

• environment: frontmatter does not propagate to activation job — environment-level secrets fail validation (direct issue)

@corygehr

• app-id deprecation warning — migrate to client-id in GitHub App token generation (direct issue)

@deyaaeldeen

• Compiled lock file requests broader permissions than workflow needs (discussions:write, pull-requests:write) (direct issue)

@lupinthe14th

• safe-outputs: activation config and handler config have different protected_files/protected_path_prefixes for Claude engine workflows (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.7M

---

What's Changed

• Scope activation-job permissions to actual trigger events and add status-comment discussions/issues/pull-requests toggles by @Copilot in #26535
• Migrate GitHub App token input to client-id, add schema-level compatibility, and provide codemod migration by @Copilot in #26551
• safe-outputs: align activation protected manifests with handler config for engine-specific files by @Copilot in #26550
• Generate poutine untrusted_checkout_exec suppression for workflow_call save-base steps by @Copilot in #26552
• Fix Auto-Triage Issues pre-agent auth failure that caused no-op failed runs by @Copilot in #26572
• Refactor MCP validation into focused sub-validators by @Copilot in #26573
• Prevent false CLI Version Checker failures when safe outputs were already produced by @Copilot in #26570
• Refactor dispatch workflow validation by extracting file-resolution utilities by @Copilot in #26574
• fix: sanitize @mentions in create_issue body to close XPIA gap by @Copilot in #26589
• [docs] Consolidate developer specs - tone fixes v6.2 (2026-04-16) by @github-actions[bot] in #26612
• [instructions] Sync github-agentic-workflows.md with v0.68.3 by @github-actions[bot] in #26607
• [docs] Update documentation for features from 2026-04-16 by @github-actions[bot] in #26605
• [spec-enforcer] Enforce specifications for stats, styles, testutil by @github-actions[bot] in #26601
• [spec-extractor] Update package specifications for agentdrain, fileutil, gitutil, tty by @github-actions[bot] in #26600
• [fp-enhancer] refactor(actionpins): precompile SHA regex and extract findCompatiblePin helper by @github-actions[bot] in #26597
• [architecture] Update architecture diagram - 2026-04-16 by @github-actions[bot] in #26591
• Split template injection validator by responsibility by @Copilot in #26580
• Refactor workflow tool validation by separating GitHub-specific logic from core tools validation by @Copilot in #26579
• Refactor safe-outputs max validation into dedicated module to enforce validator file size limit by @Copilot in #26581
• fix(sanitize): neutralize markdown link title text to close steganographic injection channel by @Copilot in #26596
• Ensure activation secret validation is skipped when top-level environment is configured by @Copilot in #26650
• Fix BYOK Copilot model fallback to avoid empty COPILOT_MODEL in compiled workflows by @Copilot in #26566
• Refactor daily audit import stack into shared daily-audit-base component by @Copilot in #26654
• Rename GetActionPinWithData to ResolveActionPin in pkg/actionpins by @Copilot in #26657
• Refactor workflow imports: add shared/reporting-otlp.md bundle and migrate dual-import workflows by @Copilot in #26655
• cache-memory: add pre-agent working-tree sanitization to neutralize planted executables and disallowed files by @Copilot in #26587
• Configure Architecture Guardian thresholds via repository-level .architecture.yml by @Copilot in #26664
• chore: bump DefaultMCPGatewayVersion to v0.2.21 by @lpcox in #26678
• Move MCP config from .mcp.json to .github/mcp.json by @Copilot in #26665

Full Changelog: v0.68.4...v0.68.5

v0.68.4

🌟 Release Highlights

v0.68.4 is a substantial patch release delivering over 20 community-reported bug fixes alongside new capabilities for SideRepoOps patterns, Copilot BYOK mode, and ecosystem domain improvements. This release reflects an exceptional level of community engagement — 21 issues reported and resolved in a single release cycle.

✨ What's New

• BYOK Copilot Mode — New byok-copilot feature flag wires offline Copilot support and bumps the default firewall to v0.25.21 (#26544)
• SideRepoOps: Auto-generated maintenance workflow — The compiler now auto-generates agentics-maintenance.yml for target repositories when using the SideRepoOps pattern, reducing manual setup (#26382)
• Configurable runs-on for agentics-maintenance — Specify custom runner labels for the generated maintenance workflow via runs-on in frontmatter (#26481)
• Protected-files exclusion — New protected-files: { exclude: [...] } option lets you remove specific paths from the default protected-file set, resolving long-standing conflicts with AGENTS.md (#26339)
• MCP servers as local CLIs — MCP servers can now be mounted as local CLI commands after the gateway starts, enabling richer tool integrations (#25928)
• --prompt-file for Copilot execution — Copilot now receives prompts via --prompt-file instead of inline args, with automatic fallback handling for older CLI versions (#26492)
• Lean ecosystem domain — Added the Lean theorem prover ecosystem (elan, lake) to the domain allowlist (#26424)
• Python-native (PyO3/maturin) ecosystem — Added ecosystem entry for Rust-backed Python packages (#26467)
• AI latency telemetry — A dedicated gh-aw.<job>.agent OTLP span now isolates AI execution time for better observability (#26504)

🐛 Bug Fixes & Improvements

• 4-backtick fence rule scoped correctly — The rule that upgrades triple-backtick fences to 4-backtick fences now only applies when the block truly contains a nested triple-backtick fence, fixing false triggering on mermaid and other standalone code blocks (#26506)
• Annotated tag SHA pinning — The compiler now peels annotated tag objects to the underlying commit SHA when pinning gh-aw-actions references, preventing Renovate from rewriting them (#26482)
• Import-schema default values resolved — Default values in $\{\{ github.aw.import-inputs.* }} expressions are now correctly resolved when no explicit with: inputs are provided (#26472)
• Single SHA for all actions/github-script steps — The compiler ensures every actions/github-script step in a compiled workflow resolves to the same commit SHA (#26444)
• Python ecosystem domain corrected — Removed incorrectly included crates.io domains from the Python ecosystem entry (#26430)
• MCP logs/audit: no git required — gh aw logs and gh aw audit now pass GITHUB_REPOSITORY as --repo, eliminating the unable to find git executable in PATH error in audit-workflows (#26377)
• False-positive Copilot classification fixed — Engine counts from aw_info.json are now included in the logs summary, preventing all workflows from being misclassified as Copilot-engine (#26359)
• Cross-repo activation checkout guarded — The activation job's .github sparse checkout is now guarded against GITHUB_TOKEN permission failures during workflow_call from a different repository (#26336)
• tools.github: false now overrides imports — Setting tools.github: false in a workflow now correctly disables GitHub tools even when a shared import enables them (#26323)
• Dispatch-workflow tool name periods fixed — Periods in dispatch-workflow MCP tool names are now normalized, resolving CAPIError: 400 Bad Request in strict mode (#26324)
• Claude .mcp.json format corrected — Claude's MCP config format and init-generated output are now aligned (#26532)
• Activation secret validation skipped for environments — Secret validation during activation is now skipped when environment: is configured, preventing spurious failures (#26509)
• Absolute node path for GPU runners — AWF commands now use the absolute node path, fixing node: command not found errors on GPU runners (#26427)
• Preserve agent config on PR checkout — checkout_pr_branch.cjs now preserves .github/skills/ and .github/instructions/ from the base branch after PR checkout (#26380)
• resolve_host_repo.cjs cross-repo fix — The host repo resolver now correctly resolves to the callee repository in direct cross-repo workflow_call scenarios (#21426 — fixed a long-standing issue)
• Safe-outputs add-comment preserves < and > — HTML angle brackets in markdown code blocks are no longer stripped by the add-comment safe-output handler (#18310)
• actions/create-github-app-token warning resolved — Removed the permission-discussions unexpected input that was generating warnings (#26337)
• Sandbox E2BIG crash fixed — Sandbox agents no longer crash with Argument list too long when the prompt and environment variables exceed ARG_MAX (#26045)
• Copilot CLI MCP blocking fixed — Resolved the issue where Copilot CLI v1.0.22+ blocked the safeoutputs MCP server (#25550)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@arezero

• AGENTS.md in protected_files list blocks legitimate modifications (direct issue)

@bbonafed

• bug: sandbox agent fails with Argument list too long (E2BIG) when prompt + env exceed ARG_MAX (direct issue)

@bryanchen-d

• markdown.md 4-backtick rule is over-applied to standalone code blocks (e.g. mermaid) (direct issue)

@corygehr

• Bug: dispatch-workflow safe-output causes CAPIError: 400 Bad Request in strict mode (direct issue)

@jamesadevine

• ecosystem_domains.json: add lean ecosystem entry (direct issue)
• ecosystem_domains.json: python entry contains crates.io domains (direct issue)

@kthompson

• Latest Copilot CLI v1.0.22 blocks safeoutputs MCP server (direct issue)

@lupinthe14th

• gh aw compile v0.68.1 pins actions/github-script@v9 to two different SHAs (direct issue)

@MatthewLabasan-NBCU

• bug: Workflow call failing to fetch .github repository (Exit Code 128) (direct issue)

@neta-vega

• Support configurable runs-on for the generated agentics-maintenance workflow (direct issue)

@pgaskin

• bug: multiple critical issues in push_signed_commits (direct issue)

@PureWeen

• Ability for checkout_pr_branch.cjs to preserve .github/skills/ and .github/instructions/ from base branch (direct issue)

@rspurgeon

• Compiler emits annotated tag object SHA for gh-aw-actions pins; Renovate rewrites to peeled commit SHA (direct issue)

@straub

• actions/create-github-app-token warning (direct issue)

@thi-feonir

• Bug: resolve_host_repo.cjs resolves to caller repo instead of callee in direct cross-repo workflow_call (direct issue)

@ViktorHofer

• Safe-outputs add-comment strips < and > from markdown code blocks (direct issue)

@yskopets

• bug: tools.github: false does not override tools.github.* from a shared import (direct issue)
• audit-workflows: gh aw logs MCP tool fails with 'unable to find git executable in PATH' (direct issue)
• audit-workflows: agent incorrectly classifies all workflows as Copilot-engine due to false positive string matching (direct issue)
• Support auto-generation of agentics-maintenance.yml for target repository in SideRepoOps pattern (direct issue)
• default value in $\{\{ github.aw.import-inputs.* }} expressions is not being resolved in shared imports (direct issue)

⚠️ Attribution Candidates Need Review

The following community issues were closed during this release window but could not be automatically linked to a specific merged PR. Please verify whether they should be credited:

• @dsyme for Allow push-to-pull-request-branch to optionally update the pull request title (and body?) — closed 2026-04-15, closed as NOT_PLANNED
• @justinhuangcode for Problem using GitHub Apps to auth writes to discussions — closed 2026-04-15, closed as DUPLICATE
• @strawgate for Report errors for git patch types which are not valid — closed 2026-04-15, closed as NOT_PLANNED

---

For complete details, see CHANGELOG.

Generated by Release · ● 1M

---

What's Changed

• fix: add ...

v0.68.3

🌟 Release Highlights

This release delivers a major overhaul of push_signed_commits.cjs for edge-case reliability, significant improvements to shared workflow imports, smarter AI model error handling, and a wave of community-driven fixes.

✨ What's New

• Model-not-supported detection — When a model is unavailable or not supported by your Copilot plan, the workflow now stops retrying and surfaces a clear, actionable error in the failure report rather than spinning indefinitely. (#26229)
• checkout field in shared imports — Shared importable workflows now support a checkout field, giving you control over which ref is checked out when importing a shared workflow. (#26292)
• env field in shared imports — You can now pass environment variables via env: in shared import blocks, eliminating the need for workarounds when shared workflows require custom env context. (#26113)
• Time Between Turns (TBT) metric — gh aw audit and gh aw logs now report Time Between Turns, a key indicator of whether LLM prompt caching is effective for your workflows. (#26321)
• OTEL token breakdown — Conclusion spans now include token category breakdowns as attributes, enabling richer cost analysis in your observability dashboards. (#26121)
• API consumption charts as inline images — API consumption reports now render charts as inline Markdown images for instant visibility without requiring external image hosting. (#26150)

🐛 Bug Fixes & Improvements

push_signed_commits.cjs — five targeted fixes:

• File content is now read from commit objects (not the working tree), preventing stale-file bugs in agent-driven commits. (#26287)
• Copy/rename detection and C-quoted filenames are now handled correctly. (#26277)
• Non-100644 file modes (executables, symlinks) are detected and handled gracefully. (#26259)
• Commit ordering uses --topo-order and merge commits are handled with a git push fallback. (#26306)
• Submodule entries now fall back to a plain git push instead of erroring. (#26298)

Other notable fixes:

• on.github-token propagated to activation job — Cross-org workflow_call setups no longer fail because the GitHub token was missing from checkout and hash-check steps. (#26137)
• copilot-driver --resume auth recovery — Authentication failures during --continue/--resume are now handled instead of crashing the driver. (#26146)
• add_comment gains reply_to_id — The reply_to_id parameter is now documented in the MCP tool schema so agents reliably pass it when threading replies. (#26288)
• safe-outputs.actions tools exposed — Custom action tools defined in safe-outputs.actions are now included in the agent's MCP toolset. (#26291)
• engine.max-turns preserved through shared imports — The max-turns setting no longer silently drops when the engine config is sourced from a shared import. (#26122)
• Docker no longer required for gh aw compile --validate — Validation now skips Docker image checks when Docker is unavailable; opt in with --validate-images when needed. (#26074)
• GH_HOST env var used for GH CLI calls — gh repo view and gh pr create now respect GH_HOST, fixing failures in GHES and cross-org contexts. (#26311)
• resolveIssueNumber strips stray quotes — Item numbers wrapped in quotes no longer cause resolution failures. (#26114)
• --safe-update renamed to --approve — The flag name now more clearly conveys its intent. (#26160)

📚 Documentation

• Gemini AI engine added to the introduction/how-they-work guide. (#26147)
• github-app documented as a top-level Allowed Import Field in the imports reference. (#26119)
• New working-directory navigation example in the side-repo-ops pattern. (#26123)
• Comprehensive new guide: Maintaining repos with agentic workflows at scale. (#26073)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@arthurfvives

• Feature: Auto-detect available models or gracefully fallback on 400 errors (Copilot Pro/Education) (direct issue)

@bbonafed

• on.github-token not propagated to checkout and hash check steps in activation job (breaks cross-org workflow_call) (direct issue)

@corygehr

• add-comment: reply_to_id not documented in tool schema, causing agents to skip it (direct issue)

@susmahad

• safe-outputs.actions custom action tools not exposed to agent MCP toolset (direct issue)

@tadelesh

• copilot-driver --resume fails with 'No authentication information found' after transient AI model error (direct issue)

@wtgodbe

• bug: resolveIssueNumber should strip surrounding quotes from item_number values (direct issue)

@yskopets

• feat: support checkout field in importable shared workflows (direct issue)
• Support env field in shared imports (direct issue)
• engine.max-turns is silently dropped when engine config is sourced from a shared import (direct issue)
• Remove Docker dependency from gh aw compile --validate (direct issue)
• docs: add working-directory navigation example to side-repo-ops pattern (direct issue)
• Docs: add top-level github-app to Allowed Import Fields in imports reference (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 4.1M

---

What's Changed

• Add retry with jitter to create_issue safe-output handler by @Copilot in #26056
• docs: comprehensive guide for maintaining repos with agentic workflows at scale by @Copilot in #26073
• Migrate chart image uploads to upload-artifact with skip-archive in shared workflows by @Copilot in #26075
• Update instructions to use upload-artifact with skip-archive instead of upload-asset by @Copilot in #26076
• Add spec-extractor, spec-enforcer, and spec-librarian agentic workflows by @Copilot in #26083
• feat(deep-report): increase create-issue max from 3 to 7 by @Copilot in #26077
• Skip Docker image validation when Docker is unavailable, add --validate-images flag by @Copilot in #26074
• [actions] Update GitHub Actions versions - 2026-04-13 by @github-actions[bot] in #26087
• fix: update TestMCPGSupportsIntegrityReactions for MCPG v0.2.19 default by @dsyme in #26091
• fix: add imperative verbs to "Super-linter" and "Cross-repo setup guidance" step names by @Copilot in #26095
• Add --gemini-api-target to AWF proxy for Gemini API routing by @Copilot in #26060
• [safe-output-integrator] Add missing test workflow for upload-asset safe output type by @github-actions[bot] in #26103
• Add hippo-memory shared workflow and daily learn workflow by @Copilot in #26109
• Add MemPalace as a shared MCP workflow by @Copilot in #26102
• docs: add README specifications for 15 missing packages, update console and logger specs by @Copilot in #26105
• Fix gh pr checkout failing with GH_HOST mismatch in issue_comment workflows by @Copilot in #26037
• feat: resolve upload_artifact temporary IDs to artifact URLs in safe output bodies by @Copilot in #26108
• fix: strip surrounding quotes from item_number in resolveIssueNumber by @Copilot in https...

v0.68.2

🌟 Release Highlights

This release delivers a focused wave of reliability improvements: compiler fixes that were blocking real workflows, expanded strict-mode flexibility, deeper temporary ID support, and a new integrity-reactions feature for fine-grained trust control. A huge batch of community-reported bugs across Copilot engine, safe-outputs, cross-org workflows, and MCP Gateway are now resolved.

✨ What's New

• Reaction-based integrity control — The new integrity-reactions feature flag (requires MCPG ≥ v0.2.18, now bundled as v0.2.19) lets maintainers promote or demote tool-use integrity via 👍/❤️ and 👎/😕 GitHub reactions in proxy mode. Configurable endorsement and disapproval reaction sets with sensible defaults. Learn more

• Temporary ID resolution now reaches further — #temporary_id references are now resolved inside dispatch_workflow input values, update_issue/add_comment targets, and git am patch content — closing three long-standing gaps that required manual workarounds.

• Strict mode secrets unlocked — Strict mode now permits secrets.* in step-level with: bindings for action steps in pre-agent custom steps, and in step env: bindings — giving workflows a secure path to external secret managers without disabling strict mode entirely.

• slash_command event scoping — A new scope option lets workflows restrict which event types (issue comment, PR comment, etc.) trigger slash commands, reducing noise from unintended contexts.

• assign_to_agent multi-platform support — Copilot can now be assigned to the same issue multiple times when each assignment targets a different pull_request_repo (e.g., separate iOS and Android repositories), enabling true cross-platform agentic workflows.

• workflows: write auto-inferred — The compiler now automatically infers the workflows: write permission when a GitHub App token's allowed-files targets .github/workflows/, eliminating a confusing manual step.

🐛 Bug Fixes & Improvements

• create_issue rate-limit resilience — Added retry with jitter to the create_issue safe-output handler, preventing HTTP 403 failures when multiple daily workflows complete simultaneously and burst the API rate limit.

• create_pull_request ENOBUFS crash — Fixed a spawnSync buffer overflow that caused create_pull_request to fail on large diffs; the safe-output handler no longer crashes on oversized payloads.

• create_pull_request_review_comment tool not found — Resolved a runtime registration issue where the create_pull_request_review_comment safe-output tool was declared but not discoverable at runtime.

• Copilot engine workflows restored — Fixed two distinct failures introduced in v0.67.2–v0.67.4 that broke Copilot-engine workflows; plus resolved silent exit code 1 errors in the compiled Copilot CLI.

• Compiler: --allow-domains quoting fixed — The compiler no longer single-quotes --allow-domains values, which was breaking $\{\{ }} GitHub Actions expressions and causing HTTP 422 errors on workflow dispatch.

• inputs.* expressions in workflow_call — Expressions using inputs.* in prompt bodies are now properly resolved when a workflow is invoked via workflow_call.

• OIDC env vars forwarded to MCP Gateway — The compiler now forwards ACTIONS_ID_TOKEN_REQUEST_URL and related OIDC env vars to the docker run command for the MCP Gateway, enabling OIDC-based authentication flows.

• MCP servers on GitHub Enterprise Server — Improved documentation and policy guidance for organizations where the "MCP servers in Copilot" policy is not visible in GHE settings.

• SARIF upload permissions — Fixed Resource not accessible by integration errors during SARIF upload by correctly provisioning the required security-events: write permission.

• Cross-org workflow_call — Resolved failures in resolve_host_repo, checkout, and hash checks when invoking workflows across organization boundaries.

• push_repo_memory bot-comment guard — Fixed a bug where the push_repo_memory job ran even when the workflow was triggered by a bot comment that skipped pre_activation.

• ParseWorkflow ~18% faster — Eliminated a JSON round-trip in schema validation and optimized node traversal, reducing workflow parse time by ~18% with ~22% fewer allocations.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@apenab

• MCP servers blocked by policy on GHE — unable to find "MCP servers in Copilot" policy setting (direct issue)

@bbonafed

• Cross-org workflow_call: resolve_host_repo, checkout, and hash check all fail (direct issue)
• Compiler does not forward OIDC env vars to MCP Gateway docker run command (direct issue)

@benvillalobos

• inputs.* expressions in prompt body not resolved when called via workflow_call (direct issue)

@bryanchen-d

• bug: compiler single-quotes --allow-domains breaking $\{\{ }} GA expressions, causing HTTP 422 on workflow dispatch (direct issue)

@camposbrunocampos

• assign_to_agent: allow multiple assignments to same issue when pull_request_repo differs (direct issue)

@corygehr

• Copilot-engine workflows broken: two distinct failures across v0.67.2 and v0.67.4 (direct issue)

@devantler

• Compiler does not auto-infer workflows: write on GitHub App tokens when allowed-files targets .github/workflows/ (direct issue)
• Support temporary ID resolution for update_issue and add_comment targeting (direct issue)

@JanKrivanek

• Safe-output tool 'create_pull_request_review_comment' not found at runtime despite correct declaration (direct issue)

@johnpreed

• dispatch_workflow handler does not resolve #temporary_id references in input values (direct issue)

@kbreit-insight

• SARIF upload gives "Resource not accessible by integration" error (direct issue)

@neta-vega

• slash_command: scope option to restrict trigger event types (direct issue)

@susmahad

• Strict mode blocks secrets.* in step env: bindings — no secure path for workflows that need external secret managers (direct issue)
• Strict mode: allow secrets.* in step-level with: for action steps in pre-agent custom steps (direct issue)

@theletterf

• Copilot CLI exits with code 1 silently when compiled with v0.67.3 (pre-release) (direct issue)

@wtgodbe

• Temporary ID references in patch content are not resolved before git am (direct issue)

@yskopets

• safeoutputs create_pull_request fails with ENOBUFS on large diffs (spawnSync buffer overflow) (direct issue)
• bug: push_repo_memory job runs when workflow is triggered by a bot comment (pre_activation skipped) (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.6M

---

What's Changed

• feat(test-quality-sentinel): pre-fetch PR diff, trim toolsets/bash tools, cap continuations by @Copilot in #25685
• build(deps-dev): bump basic-ftp from 5.2.1 to 5.2.2 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #25699
• fix: update golden test files for Copilot CLI bump to 1.0.21 by @Copilot in #25692
• feat: use job.workflow_* context for host repo resolution by @salmanmkc in #25697
• fix: add actionlint config and fix SC2129 grouped redirects by @Copilot in #25700
• fix: restore permission-discussions in GitHub App token fields by @lpcox in #25709
• fix: resolve #temporary_id references in dispatch_workflow inputs before dispatching by @Copilot in #25693
• feat: container image digest pinning in actions-lock.json with update/upgrade integration by @Copilot in #25688
• Write JSONL mirror unconditionally, decoupled from OTLP endpoint by @Copilot in #25716
• Add cross-repo allowlist validation to close_entity_helpers (SEC-005) by @Copilot in #25715
• Fix inputs.* expressions not resolved when workflow invoked via workflow_call by @Copilot in #25718
• [aw] Updates available by @github-actions[bot] in #25726
• Fix test failures after action pin updates by @Copilot in #25745
• fix: doubl...