github github/gh-aw v0.63.0

10 hours ago

🌟 Release Highlights

This release delivers a major new experimental tool for semantic documentation search, two high-priority security fixes applied across all compiled workflows, a firewall and MCP gateway upgrade, and a smarter fuzzy scheduler that reduces queue contention on GitHub Actions.

✨ What's New

qmd documentation search tool (experimental)

Agentic workflows can now perform vector-similarity search over local documentation, GitHub code search results, and issue lists — without requiring contents: read in the agent job. The new built-in qmd tool (powered by tobi/qmd) runs a dedicated indexing job that builds and caches an embedding index, then serves it to the agent via an HTTP MCP server. GPU-accelerated indexing is supported on custom runners.

tools:
  qmd:
    checkouts:
      - name: docs
        paths: [docs/**/*.md]
    searches:
      - name: issues
        type: issues
        max: 500
        github-token: ${{ secrets.GITHUB_TOKEN }}

Learn more →

Smarter fuzzy scheduler

The FUZZY:* schedule patterns now guarantee that scattered cron minutes land in [5, 54], avoiding GitHub Actions peak-contention windows (midnight UTC and ±5 minutes around every hour). Existing workflows are automatically updated on next recompile.

Schedule syntax reference →

🔒 Security Fixes

  • github-env HIGH vulnerability eliminated — All 193 compiled workflows now write framework-controlled variables (GH_AW_SAFE_OUTPUTS, GH_AW_AGENT_OUTPUT, GH_HOST) to $GITHUB_OUTPUT instead of $GITHUB_ENV, resolving a zizmor HIGH finding. (#22528)
  • SHA pinning extended to on.steps — Custom steps injected into pre-activation jobs via on.steps are now run through the same SHA-pinning pipeline as steps: and post-steps:, closing a supply chain gap where unpinned action references could pass through verbatim into lock files. (#22529)
  • AWF Firewall upgraded to v0.25.0 — All workflow lock files recompiled against the latest firewall image. (#22508)
  • MCP Gateway upgraded to v0.2.2 — Improved robustness when extracting issue and PR numbers from search results where structured data fields are absent or malformed. (#22538)
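
An added example, not code from gh-aw or zizmor: a line-based audit of a workflow file for the two patterns fixed above, action references that are not pinned to a commit SHA and writes to $GITHUB_ENV. The sample workflow and the audit_workflow helper are constructed for illustration, and the checks are a regex heuristic rather than a YAML parse.

```python
import re

# A reference counts as pinned when it ends in '@' plus a 40-hex commit SHA;
# docker:// images are pinned by an '@sha256:' digest instead.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Shell redirect into the file named by $GITHUB_ENV (plain, braced or quoted).
ENV_WRITE_RE = re.compile(r">>?\s*[\"']?\$\{?GITHUB_ENV\}?")

# Constructed sample, not taken from a real lock file.
SAMPLE = """\
on:
  steps:
    - uses: actions/checkout@v4
jobs:
  agent:
    steps:
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./actions/setup
      - run: echo "GH_HOST=github.example.com" >> "$GITHUB_ENV"
      - id: cfg
        run: echo "gh_host=github.example.com" >> "$GITHUB_OUTPUT"
"""


def audit_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip YAML comment lines
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local action, versioned with the repository itself
            is_docker = ref.startswith("docker://")
            pinned = (DIGEST_RE if is_docker else SHA_RE).search(ref)
            if not pinned:
                findings.append((no, "unpinned-uses", ref))
        elif ENV_WRITE_RE.search(line):
            findings.append((no, "github-env-write", line.strip()))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Because every line is scanned, steps under on.steps are checked the same way as those under jobs.*.steps, and lines inside multi-line run blocks are covered too.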

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@Dan-Co

@dsyme

@lpcox

@samuelkahessay


For complete details, see CHANGELOG.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #18569 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #22335 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release


What's Changed

  • [q] feat: add Docker mounting limitations to builtin agent prompt (#22074) by @github-actions[bot] in #22076
  • [jsweep] Clean add_reaction_and_edit_comment.cjs by @github-actions[bot] in #22075
  • [docs] docs: document IANA timezone field for schedule cron entries by @github-actions[bot] in #22082
  • fix: add github.event_name to JS allowed expressions list by @Copilot in #22084
  • Extract shared HTTP MCP server lifecycle into mcp_http_server_runner.cjs by @Copilot in #22078
  • Extract agent timeout message to markdown template by @Copilot in #22088
  • perf: replace O(n²) string concatenation with strings.Builder in expression_parser by @Copilot in #22095
  • docs: add .github/aw/memory.md — canonical guide for persistent memory strategies by @Copilot in #22094
  • Add .github/aw/charts.md prompt for Python data visualization workflows by @Copilot in #22093
  • docs: explain intentional lipgloss v1 import in huh_theme.go by @Copilot in #22100
  • Replace hardcoded hex colors in progress.go with adaptive style constants by @Copilot in #22099
  • Add network.allowed reference docs and link from agentic-workflows agent by @Copilot in #22102
  • Drain HTTP response bodies on non-OK paths to enable TCP connection reuse by @Copilot in #22101
  • Adjust outputs written to issues for previous rename of artifact from agent-artifacts to agent by @dsyme in #22127
  • Preserve angle brackets in code blocks and inline code spans during sanitization by @Copilot in #22005
  • Pre-compile heredoc regexp patterns at package level by @Copilot in #22104
  • Rename policyStatuses and getActivationOutputsCodemod for discoverability by @Copilot in #22105
  • Fix: Turns always 0 and ToolCalls always null in run summaries by @Copilot in #22106
  • [actions] Update GitHub Actions versions - 2026-03-21 by @Copilot in #22120
  • feat: dynamic function budget for daily-function-namer (replace fixed 3-file limit) by @Copilot in #22151
  • Fix plugin install TODOs for Claude and Codex: mark both as unsupported by @Copilot in #22153
  • Improve integrity filter footer rendering by @Copilot in #22152
  • Add vulnerability-alerts GitHub App permission for dependabot toolset by @Copilot in #22144
  • fix(smoke-update-cross-repo-pr): remove redundant label constraint causing 100% failure rate by @Copilot in #22157
  • [safe-output-integrator] Add missing safe-output Go compiler tests for assign_to_user, unassign_from_user, missing_tool, missing_data by @github-actions[bot] in #22163
  • docs(charts): suggest importing python-dataviz from githubnext/agentics by @Copilot in #22160
  • Add ready_for_review trigger to CI and grumpy-reviewer; switch grumpy-reviewer to codex by @Copilot in #22155
  • Harden release community attribution with multi-tier GitHub-native linkage and daily updater by @Copilot in #22140
  • Add explicit supportsMaxContinuations: false to Claude, Codex, and Gemini engines by @Copilot in #22158
  • discussion-task-miner: run every 6h, extract 5 items, strengthen duplicate prevention by @Copilot in #22165
  • fix: preserve safe-outputs action inputs/descriptions during update by @Copilot in #22162
  • fix: resolve 40% performance regression in BenchmarkCompileComplexWorkflow by @Copilot in #22159
  • Remove plugins: support in favor of dependencies: + Microsoft/APM by @Copilot in #22156
  • fix: escape handlebars pattern in rendering verifier prompt (#22168) by @lpcox in #22176
  • [dead-code] chore: remove dead functions — 2 functions removed by @github-actions[bot] in #22175
  • fix: update integrity filter blocked message and bold summary headers by @Copilot in #22173
  • feat(community): track external contributor issues as contributions, store in wiki by @Copilot in #22179
  • fix: {{#if ...}} in runtime-imported markdown incorrectly becomes an unresolvable placeholder by @Copilot in #22170
  • [q] q: set min-integrity to none, cookie guard, and spam detection by @Copilot in #22181
  • [code-simplifier] refactor: use shared isTruthy from is_truthy.cjs in render_template by @github-actions[bot] in #22184
  • fix: nested jq reduce prevents null accumulator when closingIssuesReferences is empty by @Copilot in #22185
  • [community] Update community contributions in README by @github-actions[bot] in #22188
  • Update community contributions format: details section, grouped by author, list items by @Copilot in #22191
  • [log] Add debug logging to CLI and workflow package functions by @github-actions[bot] in #22192
  • Add renderTemplateFromFile helper to consolidate file-based template rendering by @Copilot in #22186
  • Remove experimental flag from mcp-scripts by @Copilot in #22195
  • Use compact GitHub references (#N) in community contributions section by @Copilot in #22197
  • Debug: Daily Community Attribution Updater failure — jq null accumulator in closing refs index by @Copilot in #22200
  • [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #22208
  • [docs] Consolidate 4 new spec files into developer instructions (dev.md v4.0) by @github-actions[bot] in #22210
  • [docs] docs: unbloat assign-to-copilot reference page by @github-actions[bot] in #22211
  • Add host.docker.internal networking guidance to playwright prompt by @Copilot in #22227
  • [docs] Update documentation for features from 2026-03-22 by @github-actions[bot] in #22229
  • [docs] Update dictation skill glossary by @github-actions[bot] in #22239
  • [actions] Update GitHub Actions versions - 2026-03-22 by @github-actions[bot] in #22257
  • fix: path traversal sanitization for scriptFilename in safe_output_handler_manager by @Copilot in #22280
  • [q] fix(difc): use <b> for bold in details/summary and show #unknown entries with tool name (#22264) by @github-actions[bot] in #22291
  • fix: exclude .git directory from push_repo_memory size check by @Copilot in #22285
  • Add per-handler staged mode to all safe output types by @Copilot in #22284
  • docs: promote Integrity Filtering as primary, restructure GitHub Tools reference pages by @dsyme in #22296
  • feat(integrity-analysis): add per-user analysis of filtered events by @Copilot in #22298
  • feat: progressive disclosure for protected file messages using <details> by @Copilot in #22300
  • [dead-code] chore: remove dead functions — 2 functions removed by @github-actions[bot] in #22301
  • [code-simplifier] refactor: simplify conditional server rows and redundant pattern splitting by @github-actions[bot] in #22306
  • chore: bump MCP Gateway v0.1.20→v0.1.22, APM v0.8.2→v0.8.3 by @Copilot in #22299
  • Rename tools.github.repos to tools.github.allowed-repos by @Copilot in #22311
  • Deep-clean .github/aw/*.md: remove invalid patterns and deprecated references by @Copilot in #22313
  • docs(sandbox): remove Custom AWF Configuration and Custom MCP Gateway Configuration sections by @Copilot in #22310
  • chore: upgrade gh-aw-mcpg to v0.1.25 by @Copilot in #22321
  • Fix build-wasm: update MCPG golden test files to v0.1.25 by @Copilot in #22327
  • feat: add dispatch_repository safe-output type for repository_dispatch events (experimental) by @Copilot in #22315
  • fix: apply repos → allowed-repos codemod to agentic workflows by @Copilot in #22331
  • fix: remove sandbox.mcp.container from strict-mode WASM golden fixture by @Copilot in #22333
  • chore: bump gh-aw-mcpg default version to v0.1.26 by @Copilot in #22334
  • fix: pull merged workflow files after GitHub confirms workflow is ready by @dsyme in #22335
  • [docs] docs: reduce bloat in gh-aw-as-mcp-server reference by @github-actions[bot] in #22339
  • [docs] docs: update dev.md v4.1 — repos→allowed-repos, add MCP access control spec link by @github-actions[bot] in #22338
  • [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #22337
  • Post failure comment on target issue/PR when agent assignment fails by @Copilot in #22347
  • fix: update smoke-copilot golden file for gh-aw-mcpg v0.1.26 by @Copilot in #22355
  • fix(agent-persona-explorer): direct recommendations to .github/aw/*.md, not AGENTS.md by @Copilot in #22358
  • fix: remove required inputs from smoke-* workflows, always provide defaults by @Copilot in #22361
  • perf: eliminate hot-path regexp compilations and redundant YAML parses by @Copilot in #22359
  • [jsweep] Clean add_labels.cjs by @github-actions[bot] in #22366
  • Add blocked-users and approval-labels to tools.github guard policy by @Copilot in #22360
  • [docs] Update documentation for 2026-03-23 by @github-actions[bot] in #22372
  • fix: use <strong> instead of ** bold in <summary> elements by @Copilot in #22377
  • fix: propagate assign_copilot_to_created_issues failure to agent failure issue/comment by @Copilot in #22371
  • Add runtime check to disallow pull_request_target event on public repositories by @Copilot in #22378
  • [blog] Weekly blog post – 2026-03-23 by @github-actions[bot] in #22382
  • chore: bump gh-aw-mcpg to v0.2.0 by @Copilot in #22388
  • [docs] Update glossary - weekly full scan by @github-actions[bot] in #22408
  • [specs] Update layout specification - 2026-03-23 by @github-actions[bot] in #22393
  • [actions] Update GitHub Actions versions - 2026-03-23 by @github-actions[bot] in #22402
  • Make build-wasm a dependency of agent-finish by @Copilot in #22422
  • feat: render all rpc-messages.jsonl message types in gateway preview step summary by @Copilot in #22427
  • Fix build-wasm CI: update golden files for gh-aw-mcpg v0.2.0 by @Copilot in #22421
  • [community] Update community contributions in README by @github-actions[bot] in #22440
  • feat(compile): add --actions-repo flag to override external actions repository by @Copilot in #22437
  • Update APM (Agent Package Manager) to v0.8.4 by @Copilot in #22444
  • [slides] Update default GitHub MCP toolsets comment by @github-actions[bot] in #22461
  • Fix missing model and version in activation run details and safe-output footers by @Copilot in #22405
  • perf: fix double regex pass in UnquoteYAMLKey causing ~2x compile slowdown by @Copilot in #22459
  • [safeoutputs] Clarify update_issue target-dependent behavior in tool description by @Copilot in #22457
  • Fix FeatureGrid 3/4-col overflow on narrow viewports + WCAG 2.4.1 skip link by @Copilot in #22463
  • chore: update github.com/securego/gosec/v2 from v2.24.7 to v2.25.0 by @Copilot in #22465
  • fix(cli): resolve 5 CLI consistency issues from automated inspection by @Copilot in #22458
  • fix: normalize report formatting for archie workflow by @Copilot in #22475
  • chore: upgrade gh-aw-mcpg to v0.2.1 by @Copilot in #22471
  • [ca] test: update wasm golden files for gh-aw-mcpg v0.2.1 upgrade by @github-actions[bot] in #22486
  • perf: fix BenchmarkCompileMemoryUsage regression (+81.9%) — faster YAML parser + benchmark warm-up by @Copilot in #22464
  • Optimize fuzzy scheduler to avoid hour-boundary peaks by @Copilot in #22480
  • ci-doctor: add label_command trigger for PR check diagnosis by @Copilot in #22483
  • perf(parser): fix ParseWorkflow regression — eliminate redundant file read and YAML parse by @Copilot in #22472
  • [code-simplifier] refactor: standardize benchmark warm-up comments and add missing warm-up (#22464 follow-up) by @github-actions[bot] in #22488
  • [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #22485
  • Fix GH_AW_STOP_TIME YAML type error causing schema validation failures by @Copilot in #22490
  • fix: align step names with glossary terminology by @Copilot in #22493
  • [docs] docs: condense LabelOps patterns sections by @github-actions[bot] in #22496
  • refactor: extract shared PR code review base configuration by @Copilot in #22492
  • Add changeset for awf v0.24.0 bump by @Copilot in #22495
  • bump gh-aw-firewall to v0.25.0 by @Copilot in #22508
  • fix: reduce skipped workflow fan-out on comment and PR events by @Copilot in #22505
  • Extract agentic workflow logs pre-fetch into shared component by @Copilot in #22516
  • Add token budget guardrails to top-cost workflows by @Copilot in #22517
  • chore: no-op — agentic-workflows MCP guidance is already built in by @Copilot in #22502
  • fix: update golden test files to AWF firewall version 0.25.0 by @Copilot in #22531
  • perf: eliminate redundant YAML parsing in import field extraction by @Copilot in #22491
  • refactor: resolve semantic function clustering issues in pkg/workflow by @Copilot in #22474
  • [jsweep] Clean check_skip_if_helpers.cjs by @github-actions[bot] in #22535
  • [dead-code] chore: remove dead functions — 2 functions removed by @github-actions[bot] in #22534
  • fix: apply SHA pinning to on.steps in pre-activation job by @Copilot in #22529
  • Add aw_context caller metadata to workflow dispatches by @Copilot in #22479
  • Fix github-env HIGH vulnerability in ci-doctor and dev-hawk workflows by @Copilot in #22528
  • Upgrade gh-aw-mcpg to v0.2.2 by @Copilot in #22538
  • Add builtin qmd documentation search tool (experimental) by @Copilot in #22183

Full Changelog: v0.62.5...v0.63.0
