github/gh-aw v0.81.4

pre-release · 5 hours ago

🌟 Release Highlights

This release focuses on reliability, performance, and new operational capabilities — fixing silent failures across the compiler and agent harnesses, reducing wasted credits on hot paths, and adding important new tooling.

✨ What's New

  • --org flag for upgrade command (#41335) — The upgrade command now supports --org and --repos flags, matching the org-wide mode already available in update. Bulk-preview or open upgrade PRs across an entire organization with a single command.

  • Daily YAML Lint Fixer workflow (#41574) — A new agentic workflow automatically fixes yamllint violations in generated *.lock.yml files, keeping CI lint checks clean without manual intervention.

  • AWF Firewall startup failure detection (#41472) — Firewall proxy startup failures (e.g., DNS not yet resolving at probe time) are now detected and surfaced in the agent failure issue — making previously silent infra failures immediately actionable.

  • Spec-driven engine.env allowlist (#41465) — The engine environment variable allowlist is now derived from GetSupportedEnvVarKeys rather than a fragile runtime heuristic, enabling strict: false to be safely removed from smoke workflows.

  • Copilot engine launched from ${GITHUB_WORKSPACE} (#41459) — The Copilot engine now starts from the workspace root, enabling APM skill discovery for context-aware agent behaviour.

🐛 Bug Fixes & Improvements

  • Silent YAML parse errors fixed (#41577) — Five yaml.Unmarshal call sites in workflow_builder.go were silently discarding errors, producing empty step lists on malformed YAML with no diagnostic. All errors now propagate correctly.

  • Copilot SDK hang bounded by idle watchdog (#41572) — After an agent's final tool result, sendAndWait could hang indefinitely until the step timeout killed the runner. A post-completion idle watchdog now bounds this wait, preventing wasted runner minutes.

  • Codex harness no longer drains tokens on rate-limit reconnects (#41385) — When Codex hit a TPM rate limit and exhausted reconnect retries, the harness kept retrying unnecessarily. It now recognises exhausted-reconnect exits and stops, preserving credits.

  • Claude harness stops retrying on max_runs_exceeded (#41361) — Fresh-run fallbacks no longer burn the full quota when a session has already hit its 20-invocation limit.

  • Issue Monster false-positive 429 detection eliminated (#41471) — Rate-limit false positives no longer trigger spurious failure handling.

  • assign_to_agent no longer posts error comments on PRs (#41475) — Error comments are now only posted to issues, matching expected behaviour.

  • Daily schedule runs restored (#41362) — Daily schedule runs broken since June 5 are now fixed.

  • workflow_call permissions use union of caller + worker (#41387) — Imported workflow_call permissions in generated call jobs are now correctly annotated.

⚡ Performance

  • YAML generation is faster (#41333) — Duplicate run-script scans in the skip-validation fast path collapsed to a single pass, restoring compilation performance.

  • Design Decision Gate costs reduced (#41332) — Now defaults to Sonnet instead of Opus and skips issue lookups on no-op paths, meaningfully reducing AI credit consumption per run.

🔒 Security

  • Safe-output detection hardened (#41547) — Detection stays in warn mode on parser/agent failures, ensuring non-reviewable safe outputs are blocked rather than passed through silently.

  • Pi threat-detection model normalisation (#41545) — Pi threat-detection models are now normalised before Copilot fallback, preventing misclassification due to model name variance.

🔧 Internal

  • Bumped gh-aw-firewall to v0.27.11 and regenerated pinned workflow artifacts (#41555)
  • Bumped Codex 0.142.1 and Copilot SDK 1.0.4 (#41430)
  • Extracted shared org-wide runner for update and upgrade commands (#41553)

Generated by 🚀 Release · 44.1 AIC · ⊞ 8.3K


What's Changed

  • [community] Update community contributions in README by @github-actions[bot] in #41359
  • Lower Design Decision Gate runtime cost with Sonnet default and conditional issue lookups by @pelikhan with @Copilot in #41332
  • Add GitHub lockdown guard-policy warning and sync security specs by @pelikhan with @Copilot in #41331
  • Reduce YAMLGeneration time by collapsing duplicate run-script scans by @pelikhan with @Copilot in #41333
  • fix(go-logger): restore daily schedule runs broken since June 5 by @pelikhan with @Copilot in #41362
  • feat: add --org to upgrade command by @pelikhan with @Copilot in #41335
  • Surface assign-to-agent auth/availability failures in agent failure issues/comments by @pelikhan with @Copilot in #41336
  • chore: set sandbox.agent.sudo: false on 30% of agentic workflows by @pelikhan with @Copilot in #41380
  • [ubuntu-image] research: update Ubuntu runner image analysis for 20260622.220.1 by @github-actions[bot] in #41373
  • [code-scanning-fix] Fix workflow-graphql-static-concat: extract GraphQL query to named constant by @github-actions[bot] in #41357
  • fix(manualmutexunlock): distinguish struct instances sharing a mutex field by @pelikhan with @Copilot in #41383
  • Add nolint parity to non-enforced context-family linters by @pelikhan with @Copilot in #41382
  • Fix stale frontmatter hash in design-decision-gate.lock.yml by @pelikhan with @Copilot in #41390
  • Enable Copilot assignment permissions in Issue Monster workflow by @pelikhan with @Copilot in #41389
  • [jsweep] Clean upload_assets.cjs by @github-actions[bot] in #41371
  • fix: improve agent assignment failure issue reports by @pelikhan with @Copilot in #41392
  • [spec-extractor] Update package specifications for tty, types, typeutil, workflow by @github-actions[bot] in #41414
  • fix: stop codex harness retry loop draining tokens on exhausted rate-limit reconnects by @pelikhan with @Copilot in #41385
  • refactor: consolidate triplicate merge helpers and add sliceutil.SortedKeys by @pelikhan with @Copilot in #41388
  • fix: use union of caller + worker permissions for call-workflow jobs by @pelikhan with @Copilot in #41387
  • fix: revert sandbox.agent.sudo to true in glossary-maintainer workflow by @pelikhan with @Copilot in #41426
  • Handle known Windows ConPTY runner failure in daily CLI integration by @pelikhan with @Copilot in #41428
  • fix(firewall): skip non-Squid diagnostic lines in generate_usage_activity_summary by @pelikhan with @Copilot in #41429
  • chore: bump Codex 0.142.1, Copilot SDK 1.0.4 by @pelikhan with @Copilot in #41430
  • Send GraphQL-Features header for issue intent mutations when issue_intents runtime feature is enabled by @pelikhan with @Copilot in #41425
  • Issue Monster: eliminate false-positive 429 rate-limit detection by @pelikhan with @Copilot in #41471
  • Standardize CLI help section order and GHE note wording by @pelikhan with @Copilot in #41461
  • feat: spec-driven engine.env allowlist via GetSupportedEnvVarKeys; remove strict: false from smoke workflows by @pelikhan with @Copilot in #41465
  • Annotate imported workflow_call permissions in generated call jobs by @pelikhan with @Copilot in #41464
  • fix: prevent assign_to_agent from posting error comments on PRs by @pelikhan with @Copilot in #41475
  • Reduce sandbox.agent.sudo: false usage to policy target across agentic workflows by @pelikhan with @Copilot in #41463
  • Update existing MCP configs with required gh-aw server fields by @pelikhan with @Copilot in #41462
  • feat: detect AWF firewall startup failures and surface them in the agent failure issue by @pelikhan with @Copilot in #41472
  • Render runtime features only when configured; move output behind details disclosure by @pelikhan with @Copilot in #41358
  • Align safe-outputs bundle pre-check with post-apply file detection by @pelikhan with @Copilot in #41457
  • Fix Daily Cache Strategy Analyzer codex model variant to avoid model-not-found failures by @pelikhan with @Copilot in #41541
  • Simplify assign-to-agent flow to issue assignee REST APIs with canonical bot login resolution by @pelikhan with @Copilot in #41524
  • update org resilience by @pelikhan in #41513
  • Fix empty firewall allowlist in Codex external detection job (gh-aw-detection) by @pelikhan with @Copilot in #41525
  • Normalize Pi threat-detection models before Copilot fallback by @pelikhan with @Copilot in #41545
  • [caveman] Optimize instruction verbosity — cli-commands, campaign (2026-06-25) by @github-actions[bot] in #41544
  • Keep detection in warn mode on parser/agent failures so non-reviewable safe outputs are blocked by @pelikhan with @Copilot in #41547
  • Fix docs homepage slide preview when the bundled PDF is an LFS pointer by @pelikhan with @Copilot in #41540
  • copilot engine: launch from ${GITHUB_WORKSPACE} to enable APM skill discovery by @pelikhan with @Copilot in #41459
  • Bump default gh-aw-firewall to v0.27.11 and regenerate pinned workflow artifacts by @lpcox with @Copilot in #41555
  • refactor: extract shared org-wide runner for update and upgrade commands by @pelikhan with @Copilot in #41553
  • feat: add daily-yamllint-fixer agentic workflow by @pelikhan with @Copilot in #41574
  • fix: resolve InvalidPDFException and add mobile nav toggle test by @pelikhan with @Copilot in #41575
  • console: swap supplementary-plane emoji for lightweight Unicode symbols by @pelikhan with @Copilot in #41578
  • fix(copilot-sdk): post-completion idle watchdog to bound SDK hang after final tool result by @pelikhan with @Copilot in #41572
  • fix: propagate yaml.Unmarshal errors in workflow_builder.go (5 silent sites) by @pelikhan with @Copilot in #41577

Full Changelog: v0.81.3...v0.81.4
