
Releases: github/gh-aw

v0.64.3

29 Mar 13:56
7a91ad3


🌟 Release Highlights

This release delivers significant security hardening, a major improvement to cache-memory integrity guarantees, and a wave of community-driven bug fixes across safe-outputs, the DIFC proxy, and workflow tooling.

✨ What's New

Integrity-Aware Cache-Memory with Git-Backed Branching

Cache-memory now enforces integrity isolation at the storage level using git branches — merged, approved, unapproved, and none. Each run reads only from its integrity tier and above, preventing lower-integrity agents from poisoning data consumed by higher-integrity runs. Cache keys now include the integrity level and a compile-time policy hash, so any change to your allow-only guard policy automatically invalidates stale cache entries.

⚠️ Migration note: existing caches will get a cache miss on first run after upgrading — intentional, since legacy data has no integrity provenance.
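As an added illustration (not gh-aw's own code), a small Go model of the tier rule and the policy-scoped cache key described above: a run may read its own tier and every higher one, and any edit to the policy text changes the key. Branch names, the key layout and the hash truncation are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Integrity tiers from highest to lowest. Each tier maps to its own git
// branch in cache-memory; a run may read its own tier and every tier above it
// (a Biba-style "no read down" rule), so low-integrity runs cannot feed data
// into higher-integrity ones.
var tierOrder = []string{"merged", "approved", "unapproved", "none"}

func tierRank(tier string) (int, error) {
	for i, t := range tierOrder {
		if t == tier {
			return i, nil
		}
	}
	return -1, fmt.Errorf("unknown integrity tier %q", tier)
}

// CanRead reports whether a run at runTier may consume data written at dataTier.
func CanRead(runTier, dataTier string) (bool, error) {
	r, err := tierRank(runTier)
	if err != nil {
		return false, err
	}
	d, err := tierRank(dataTier)
	if err != nil {
		return false, err
	}
	return d <= r, nil // lower index means higher integrity
}

// ReadableBranches lists the branches a run at runTier is allowed to read,
// highest integrity first. The "cache-memory/<tier>" naming is an assumption.
func ReadableBranches(runTier string) ([]string, error) {
	r, err := tierRank(runTier)
	if err != nil {
		return nil, err
	}
	branches := make([]string, 0, r+1)
	for _, t := range tierOrder[:r+1] {
		branches = append(branches, "cache-memory/"+t)
	}
	return branches, nil
}

// PolicyHash hashes the compiled allow-only guard policy (modelled here as its
// serialized text) so that any policy edit yields a different hash.
func PolicyHash(policy string) string {
	sum := sha256.Sum256([]byte(policy))
	return hex.EncodeToString(sum[:])[:16] // truncation to 16 hex chars is an assumption
}

// CacheKey scopes the cache entry to the workflow, its integrity tier and the
// policy hash; a run only hits entries written under the same tier and policy.
func CacheKey(workflow, runTier, policy string) (string, error) {
	if _, err := tierRank(runTier); err != nil {
		return "", err
	}
	return fmt.Sprintf("cache-memory-%s-%s-%s", workflow, runTier, PolicyHash(policy)), nil
}

func main() {
	ok, _ := CanRead("approved", "unapproved")
	fmt.Println("approved run may read unapproved data:", ok) // false
	k1, _ := CacheKey("triage", "approved", "allow-only: [issue_read]")
	k2, _ := CacheKey("triage", "approved", "allow-only: [issue_read, issue_write]")
	fmt.Println("policy change invalidates key:", k1 != k2) // true
}
```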

patch-format: bundle for Safe-Outputs Code-Push Flows

Code-push flows now support patch-format: bundle, which uses git bundle instead of git am/git format-patch. Bundle transport preserves the full commit graph including merge commits, authorship, and per-commit messages — resolving long-standing issues with merge-resolution-only content being silently dropped.

safe-outputs:
  create-pull-request:
    patch-format: bundle   # "am" (default) | "bundle"

🔒 Security Fixes

  • Secret env var exclusion from agent container — AWF's --exclude-env flag now strips all secret-bearing environment variables (tokens, API keys, MCP secrets) from the agent container's visible environment, mitigating prompt-injection exfiltration vectors in pull_request_target workflows. Uses AWF v0.25.3+. (#23360)

  • Argument injection fix in package validators — Package/image names in gh aw compile --validate-packages are now validated before being passed to npm view, pip index versions, uv pip show, and docker, preventing flag-injection attacks via maliciously crafted package names. (#23374)

πŸ› Bug Fixes & Improvements

  • Noop safe-output handling — Workflows no longer fail when the AI model returns a transient error after successfully capturing a noop safe-output. The conclusion job now correctly posts the noop message even when the agent job exits with code 1 in this scenario. (#23284)

  • update-discussion label-only config — Configuring only allowed-labels on update-discussion no longer accidentally overwrites the discussion title or body with a JSON string. Field isolation is now enforced at both the tool schema level and at runtime. (#23279)

  • DIFC proxy GHEC support — The DIFC proxy container now receives GITHUB_SERVER_URL, fixing integrity filtering for pre-agent gh CLI and actions/github-script steps on GitHub Enterprise Cloud tenants. (#23308)

  • logs / audit fingerprint consistency — gh aw logs and gh aw audit now produce identical behavior_fingerprint values for the same workflow run. Previously, logs computed the fingerprint before populating run metrics from parsed log data. (#23420)

  • AWF version corrected to v0.25.3 — The default firewall version was set to v0.26.0 (which was never released), causing "Install AWF binary" HTTP 404 errors. Corrected to v0.25.3, the actual release that shipped --exclude-env support. (#23396)

  • update-discussion error diagnostics — GraphQL permission errors (e.g. missing discussions: write) now surface actionable messages with the exact error type, HTTP status, and remediation hint, instead of an opaque ERR_API: update discussion #N failed. (#23340)


🌍 Community Contributions — A huge thank you to the community members who reported issues resolved in this release!

@bryanchen-d

@eaftan

@look

@strawgate

⚠️ Attribution Candidates Need Review

The following community issue was closed during this release window but could not be automatically linked to a specific merged PR. Please verify whether it should be credited:


For complete details, see CHANGELOG.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #18412 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #23257 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release


What's Changed

  • Remove URL fetch capability from editor.js playground by @Copilot in #23381
  • ci: add integration-release-availability job to verify external dependencies by @Copilot in #23380
  • fix: propagate assign-to-agent failure to step status and conclusion rendering by @Copilot in #23377
  • fix: downgrade DefaultFirewallVersion and AWFExcludeEnvMinVersion from v0.26.0 to v0.25.3 by @Copilot in #23396
  • [docs] docs: condense imports reference — consolidate merge-semantics table by @github-actions[bot] in #23414
  • [ca] test: update wasm golden files for v0.25.3 downgrade by @github-actions[bot] in #23419
  • [jsweep] Clean add_labels.cjs by @github-actions[bot] in #23417
  • feat: reimplement tools.qmd as parameterized shared import, remove builtin presets by @Copilot in #23366
  • Remove builtin tools.serena support; mark removed in schema by @Copilot in #23365
  • fix: remove GHCR image checks from release availability CI (only verify GitHub release exists) by @Copilot in #23424
  • fix: behavior_fingerprint inconsistency between logs and audit tools for the same run by @Copilot in #23420
  • Add gh CLI install step for custom image runner in all workflows using gh by @Copilot in #23426
  • [docs] Consolidate developer specifications into instructions file by @github-actions[bot] in #23429
  • [community] Update community contributions in README by @github-actions[bot] in #23430
  • Fix schema/code inconsistencies: remove engine.firewall dead code, error_patterns, and cleanup-script by @Copilot in #23423
  • fix: handle uses:/path: map imports in fetchFrontmatterImportsRecursive by @Copilot in #23439
  • docs: safe outputs spec v1.15.0 — cache memory integrity (git-backed branching) by @Copilot in #23443
  • Remove emojis from agent failure messages by @Copilot in #23445
  • feat: integrity-aware cache-memory with git-backed integrity branching and policy-scoped keys by @Copilot in #23425
  • fix: format pkg/cli/remote_workflow_test.go with go fmt by @Copilot in #23450
  • fix: correct serena-go.md import path to fix integration test failure by @Copilot in #23452
  • refactor: consolidate semver utilities, merge single-function file, disambiguate MCP validator by @Copilot in #23448

Full Changelog: v0.65.0...v0.64.3

v0.64.2

26 Mar 23:07
72346ee


🌟 Release Highlights

This release delivers a new cross-run security audit report command, an important YAML injection security fix, several resilience improvements for large repositories and PR creation workflows, and resolves three community-reported issues.

✨ What's New

gh aw audit report — Cross-Run Security Audit Reports

A new gh aw audit report subcommand aggregates firewall behavior across multiple workflow runs, producing an executive summary, domain inventory, and per-run breakdown — ideal for security reviews and compliance checks.

gh aw audit report --workflow "agent-task" --last 10       # Markdown (default)
gh aw audit report --last 5 --json                         # JSON for dashboards
gh aw audit report --format pretty --repo owner/repo       # Console output

Supports --workflow, --last, --format (markdown/pretty/json), and --repo flags.

πŸ› Bug Fixes & Improvements

  • Security: YAML env injection prevention — All env: emission sites in the compiler now use %q-escaped YAML scalars, preventing newlines or quote characters in frontmatter values (e.g. bot names) from injecting sibling env variables into .lock.yml files. A bots schema pattern now rejects structurally dangerous characters at parse time.

  • Fix ENOBUFS crash in push_repo_memory on large repos — Repos with 10K+ files (e.g. Azure/azure-sdk-for-js) no longer crash during memory operations. Replaced git rm -r -f (which overflowed the pipe buffer) with git read-tree --empty + fs.rmSync, and removed the unnecessary git sparse-checkout disable call.

  • Fix gh aw upgrade when no GitHub Releases exist — gh aw upgrade now falls back to git tag scanning when the Releases API returns an empty list (e.g. for github/gh-aw-actions/setup). Both resolution paths filter out prerelease versions to ensure stable upgrades.

  • Fix gh aw init MCP configuration for VS Code — The generated .vscode/mcp.json no longer includes an unsupported cwd field that caused spawn gh ENOENT errors in Copilot CLI.

  • Pin setup-cli action to commit SHA — generateInstallCLISteps now resolves the setup-cli action through the ActionSHAResolver (consistent with all other generated actions), replacing mutable tag references with pinned SHAs.

  • PR creation resilience: conflict fallback — When git am --3way fails due to merge conflicts, PR creation now falls back to the original base commit so GitHub can surface the conflicts for manual resolution, rather than failing outright.

  • Fix signed-commit push for CI trigger token — When GH_AW_CI_TRIGGER_TOKEN is set and pushSignedCommits creates a branch via GraphQL, the follow-up empty commit push no longer fails with a non-fast-forward error.

  • microsoft/apm-action bumped to v1.4.1 — Fixes token handling for cross-org private repository installs where v1.4.0 shadowed the caller-provided GITHUB_TOKEN.

  • ci-doctor: paginate check-runs API — CI Doctor now uses --paginate to collect all check runs, fixing silent truncation at 30 items on PRs with large CI suites.

  • Improved branch sync error messaging — Branch sync failures now surface the underlying error message at warning level for easier debugging.

  • Detection model aligned with agent default — GetDefaultDetectionModel now returns claude-sonnet-4.6, matching the main agent default.
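To make the YAML env injection fix in this list concrete, here is an added Go example (not the gh-aw compiler's code) contrasting verbatim emission of an env: value with %q-escaped emission, plus an assumed parse-time pattern for bot names. The hostile bot name, the env block indentation and the exact allowed-character pattern are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// HostileBotName is a constructed frontmatter value: a bot name carrying a
// newline followed by text shaped like a sibling YAML mapping entry.
const HostileBotName = "innocent[bot]\n      INJECTED_VAR: oops"

// EmitEnvUnsafe is the pre-fix shape: the value is written into the env: block
// verbatim, so a newline inside it ends the scalar and starts a new env key.
func EmitEnvUnsafe(name, value string) string {
	return fmt.Sprintf("      %s: %s\n", name, value)
}

// EmitEnvSafe uses Go's %q, which yields a double-quoted scalar with \n, \"
// and \\ escaped (escape forms YAML double-quoted scalars also accept), so the
// value can neither close the scalar nor introduce a sibling key.
func EmitEnvSafe(name, value string) string {
	return fmt.Sprintf("      %s: %q\n", name, value)
}

var envEntry = regexp.MustCompile(`^\s*[A-Za-z_][A-Za-z0-9_]*: `)

// CountEnvEntries counts lines a YAML parser would treat as mapping entries;
// an injected sibling key shows up as an extra entry.
func CountEnvEntries(block string) int {
	n := 0
	for _, line := range strings.Split(block, "\n") {
		if envEntry.MatchString(line) {
			n++
		}
	}
	return n
}

// botNamePattern is an assumed schema pattern in the spirit of the fix: allow
// only characters that occur in GitHub login and [bot] names, so newlines,
// quotes, colons and other YAML-structural characters are rejected at parse
// time instead of relying on escaping alone.
var botNamePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*(\[bot\])?$`)

// ValidBotName reports whether a frontmatter bot name passes the pattern.
func ValidBotName(name string) bool {
	return botNamePattern.MatchString(name)
}

func main() {
	unsafe := EmitEnvUnsafe("GH_AW_BOTS", HostileBotName)
	safe := EmitEnvSafe("GH_AW_BOTS", HostileBotName)
	fmt.Printf("verbatim emission yields %d env entries:\n%s", CountEnvEntries(unsafe), unsafe)
	fmt.Printf("%%q emission yields %d env entry:\n%s", CountEnvEntries(safe), safe)
	fmt.Println("schema accepts hostile name:", ValidBotName(HostileBotName)) // false
}
```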


🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@deyaaeldeen

@grahame-white


For complete details, see CHANGELOG.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

  • #23088 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release


What's Changed

  • Deduplicate tool-usage aggregation logic in audit report pipeline by @Copilot in #23120
  • ci-doctor: paginate check-runs API call to handle >30 jobs by @Copilot in #23128
  • docs: upgrade gh aw init tip to full section in creating-workflows by @Copilot in #23131
  • fix(docs-noob-tester): add Node.js 22 runtime to prevent Astro 6 version check failures by @Copilot in #23133
  • fix: recompile lock files after adding docs-server-lifecycle.md shared workflow by @Copilot in #23142
  • fix: prevent ENOBUFS in push_repo_memory on large repos by @Copilot in #23069
  • Remove unsupported cwd from generated .vscode/mcp.json by @Copilot in #23144
  • Fall back to original base commit when git am --3way fails due to merge conflicts by @Copilot in #23132
  • fix: fetch remote branch before pushing CI trigger empty commit to avoid non-fast-forward rejection by @Copilot in #23152
  • fix: SHA-pin setup-cli action references in maintenance workflow generation by @Copilot in #23146
  • Fix: fallback to git tags when GitHub Releases API returns empty for gh aw upgrade by @Copilot in #23147
  • bump microsoft/apm-action to v1.4.1, add DefaultAPMActionVersion constant, rebuild wasm, recompile by @Copilot in #23150
  • build(deps): bump fast-xml-parser from 5.4.1 to 5.5.9 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #23164
  • fix: align GetDefaultDetectionModel with main agent default (claude-sonnet-4.6) by @Copilot in #23160
  • fix: escape YAML env values to prevent structure injection (all remaining sites) by @Copilot in #23168
  • [ubuntu-image] research: update Ubuntu runner image analysis for 2026-03-26 by @github-actions[bot] in #23177

Full Changelog: v0.64.1...v0.64.2

v0.64.1

26 Mar 14:03
06c8e7e


🌟 Release Highlights

This release delivers a major expansion of the gh aw audit observability surface, a batch of important security hardening fixes, and two community-reported issues resolved — including a long-standing GHES host configuration bug.

✨ What's New

  • gh aw audit diff — Compare firewall behavior, MCP tool invocations, token usage, and run duration across two workflow runs to detect regressions and behavioral drift (gh aw audit diff <run1> <run2> [--format markdown|json]). #22996, #23118

  • Expanded gh aw audit report — Five new audit sections give you a single pane of glass: Engine Configuration, Prompt Analysis, Session & Agent Performance, Safe Output Summary, and MCP Server Health. Now also surfaces MCP Gateway guard policy enforcement blocks (integrity, repo-scope, access-denied) per tool and server. #22932, #22962

  • Safe Outputs replay via maintenance workflow — When a safe_outputs job fails or is skipped, you can now replay it manually: trigger the Agentic Maintenance workflow with operation: safe_outputs and a run URL or ID. #22973

  • Stable heredoc delimiters — Lock files no longer diff on every recompile for unchanged workflows. Heredoc delimiters are now derived from a frontmatter hash (HMAC-SHA256), making them both stable and injection-resistant. #23030

  • Agentic fraction & action minutes — New agentic_fraction (0.0–1.0) and action_minutes fields in the Agentic Observability Kit surface cost-of-goods-sold (COGS) visibility and identify workflows where data-gathering turns could be moved to deterministic shell steps. #23074

  • Post-job cleanup — actions/setup now automatically removes /tmp/gh-aw/ after every job via a runs.post lifecycle hook, reducing artifact surface on shared runners. #22938

🔒 Security Fixes

  • Heredoc delimiter injection → RCE — Randomized heredoc delimiters prevent attackers from embedding the delimiter in workflow markdown to inject shell commands into generated lock files. #23004
  • Shell injection via agent file path — Closed a shellEscapeArg pre-quoted bypass that allowed crafted agent filenames (a";id;"b.md) to execute arbitrary shell commands. #23023
  • Path traversal hardening — Added MustBeWithin boundary checks to three code paths that joined user-influenced paths without validating the result stays within the base directory. #23044
  • Argument injection prevention — Compiler now rejects package/image names starting with - before invoking npm, pip, uv, or Docker, preventing flag injection via frontmatter MCP configs. #23045
  • XSS attribute stripping — on* event handlers and style attributes are now stripped from allowlisted HTML tags in sanitized content, closing a bypass via <details ontoggle="...">. #22988
  • Allocation overflow fix — Fixed a potential runtime panic in buildDomainItems where len(allowed)+len(blocked) could overflow int on pathological inputs (CodeQL #558). #23059
  • Web Worker origin guard — Added origin validation to the wasm compiler worker's onmessage handler to prevent cross-origin message injection (CodeQL #546). #23063
  • Extracted log directory permissions — Replaced os.ModePerm (0777) with 0750 in extractZipFile to prevent world-readable log directories on systems with a permissive umask. #23036
  • Security dependency updates — picomatch patched for CVE-2026-33671 and CVE-2026-33672; smol-toml patched for GHSA-v3rj-xjv7-4jmq. #22990
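The stable-delimiter item above and the heredoc delimiter injection fix in this list describe the same mechanism from two sides; this added Go example (not gh-aw's implementation) derives a delimiter from the frontmatter with HMAC-SHA256 and emits a quoted heredoc only after checking that no body line equals the delimiter. The HMAC key, the delimiter prefix and length, and the refuse-on-collision check are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// HeredocDelimiter derives the delimiter from the workflow frontmatter using
// HMAC-SHA256. Identical frontmatter always yields the same delimiter, so an
// unchanged workflow recompiles to an identical lock file, while the value is
// not something the markdown author picks. The key is assumed to be held by
// the compiler; how gh-aw manages it is not described on this page.
func HeredocDelimiter(key []byte, frontmatter string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(frontmatter))
	// Prefix and 16-hex-char truncation are choices made for this example.
	return "GH_AW_EOF_" + hex.EncodeToString(mac.Sum(nil))[:16]
}

// EmitPromptStep writes body to path through a quoted heredoc. Quoting the
// delimiter stops parameter expansion inside the body; the pre-check refuses
// to emit at all if any body line would match the delimiter, so the body can
// never close the heredoc early and leave trailing lines to run as shell.
// TrimSpace makes the check stricter than the shell's exact-line rule.
func EmitPromptStep(delim, body, path string) (string, error) {
	for _, line := range strings.Split(body, "\n") {
		if strings.TrimSpace(line) == delim {
			return "", fmt.Errorf("body contains heredoc delimiter %q", delim)
		}
	}
	var sb strings.Builder
	fmt.Fprintf(&sb, "cat > %s <<'%s'\n", path, delim)
	sb.WriteString(body)
	if !strings.HasSuffix(body, "\n") {
		sb.WriteString("\n")
	}
	sb.WriteString(delim + "\n")
	return sb.String(), nil
}

func main() {
	// Constructed frontmatter and prompt body for the demo.
	delim := HeredocDelimiter([]byte("example-key"), "on: issues\nengine: copilot\n")
	script, err := EmitPromptStep(delim, "Summarize the issue.\n", "/tmp/gh-aw/prompt.md")
	if err != nil {
		fmt.Println("refused:", err)
		return
	}
	fmt.Print(script)
}
```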

πŸ› Bug Fixes & Improvements

  • GHES host propagation fixed — GH_HOST is now written to GITHUB_ENV instead of GITHUB_OUTPUT, making it available to all generated steps (checkout, safe-outputs, etc.) — not just user-typed steps. #22974
  • Cross-label concurrency — Concurrency groups for label-triggered workflows now include ${{ github.event.label.name }}, preventing simultaneous label additions from cancelling each other's runs. #23021
  • Rate limit resilience — gh aw update and gh aw health no longer fail fatally on transient GitHub API rate limit errors; both emit a warning and continue cleanly. #23032
  • Noop-after-failure — When the AI model server returns a transient error after the agent has already called noop, spurious failure issues are no longer filed. #23050
  • Claude audit tool duration — MaxDuration for Claude engine bash tools now correctly shows N/A instead of stamping the total job time onto every tool call. #23049
  • Threat detection robustness — THREAT_DETECTION_RESULT payloads with literal newlines in reason strings are now correctly parsed without truncation. #22982
  • AWF firewall updated to v0.25.1. #23022

📚 Documentation

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@deyaaeldeen


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Add download.jetbrains.com to kotlin ecosystem domain allowlist by @Copilot in #22942
  • Add maven-central.storage-download.googleapis.com to java ecosystem domains by @Copilot in #22943
  • feat: expand gh aw audit with engine config, prompt, session, safe-output, and MCP server health sections by @Copilot in #22932
  • Davidslater/fix detection compiler by @davidslater in #22969
  • fix: write GH_HOST to GITHUB_ENV instead of GITHUB_OUTPUT by @lpcox in #22974
  • [docs] Update documentation for features merged 2026-03-25 by @github-actions[bot] in #22972
  • [log] Add debug logging to 5 previously unlogged files by @github-actions[bot] in #22983
  • feat: add apply_safe_outputs workflow-dispatch job to agentic-maintenance by @Copilot in #22973
  • feat: reduce Detection Job firewall domain allowlist to Copilot-API-only set and enable Bash * in detection job by @Copilot in #22948
  • feat: add post cleanup script to actions/setup to erase /tmp/gh-aw/ by @Copilot in #22938
  • build(deps): bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #22990
  • fix: strip on* event handlers and style attributes from allowlisted HTML tags in convertXmlTags() by @Copilot in #22988
  • feat: surface MCP Gateway guard policy events in gh aw audit by @Copilot in #22962
  • docs: add Replaying Safe Outputs section to safe-outputs reference by @Copilot in #22995
  • fix: robustly parse THREAT_DETECTION_RESULT with literal newlines in reasons (#issue) by @Copilot in #22982
  • Fix heredoc delimiter injection enabling code-review bypass → RCE by @Copilot in #23004
  • feat: gh aw audit diff — compare firewall behavior across runs by @Copilot in #22996
  • Include label name in concurrency group to prevent cross-label cancellation by @Copilot in #23021
  • docs: add consolidated token reference page by @lpcox in #22916
  • docs: add ResearchPlanAssignOps pattern by @co...

v0.64.0

25 Mar 19:48
f684e4c


🌟 Release Highlights

This release brings important reliability and correctness fixes across safe-outputs, the Java ecosystem allowlist, and premium request tracking — along with a new protection against bot-triggered self-cancellation, improved documentation, and the latest tooling stack.

✨ What's New

  • Bot-actor concurrency isolation: Workflows combining safe-outputs.github-app with issue_comment-capable triggers now automatically get bot-isolated concurrency keys, preventing App-authored safe-output comments from cancelling the originating run mid-flight. Custom concurrency: blocks get a compiler warning explaining the risk.
  • Auto fault-investigation analysis: When a workflow job fails, the runtime can now automatically trigger a fault investigation analysis to surface root causes — no manual setup required.
  • Expires support for create-pull-request safe output: Pull requests created by safe-outputs can now be configured with an expiry so stale runs are automatically described and auto-closed.
  • GitHub App token minting for GitHub MCP server: Workflows using the GitHub MCP server toolset can now mint GitHub App tokens, enabling richer authenticated API access.
  • remove-labels safe output type: A new remove-labels safe output type lets workflows programmatically remove labels from issues and PRs. See the safe-outputs reference.
  • Two-file agentic workflow structure: The compiler now validates dispatch-workflow references and supports separating prompt files (.github/agentics/<id>.md) from compiled frontmatter (.github/workflows/<id>.md). See the workflow structure reference.
  • Aggregate compilation errors: gh aw compile now reports all validation errors together instead of stopping at the first one. Use --fail-fast to restore the legacy behaviour.

πŸ› Bug Fixes & Improvements

  • Fixed fractional PRU tracking: Models like gemini-3-flash-preview that consume 0.33 PRU per request were incorrectly reported as 1. The log parser now handles decimal premium request units correctly.
  • Fixed upload-asset safe output for private repos: The upload-asset safe output type now works correctly with private repositories.
  • Fixed staged: true in individual safe outputs: The staged flag in per-message safe output configuration was being ignored; it now applies correctly.
  • Fixed safe-outputs expression-size limit: Workflows where the safe-outputs tools.json references ${{ }} expressions no longer hit the GitHub Actions expression-size limit.
  • Java ecosystem: Maven Central mirror domains added: maven-central.storage-download.googleapis.com and repository.apache.org are now in the Java allowlist, resolving Maven 3.9+ dependency resolution failures in sandboxed workflows.
  • Fixed /opt setup error: An Error mkdir setting up /opt failure that affected some runner configurations has been resolved.
  • Fixed GitHub IP allow list incompatibility: Workflows in organizations using GitHub IP allow lists no longer fail at setup.
  • Fixed gh-aw binary availability: The gh-aw binary is now reliably present in the runner working directory for all workflow types, including the portfolio-analyst workflow.
  • GitHub CLI authentication in Action runs: GitHub CLI access inside workflow runs is now correctly authenticated.
  • Retry logic for Copilot CLI installer: The Copilot CLI installation step now retries on transient download failures, reducing flaky CI setup.
  • Mirrored runner environment variables: Essential GitHub Actions runner environment variables (Java, Android, browsers, package managers, tool paths) are now mirrored into the AWF agent container.
  • Security: shell injection fix: Single quotes and backslashes in JSON embedded in shell environment variables are now escaped correctly (go/unsafe-quoting).

📚 Documentation

  • gh aw logs / gh aw audit as workflow steps: Added prominent warnings clarifying that actions: read permission and setup-cli must come before any gh aw step. See the CLI reference.
  • Engine model field clarification: The model field example in the engines reference now correctly conveys that it is an override, not the engine default.
  • remove-labels safe output type: Full reference documentation, examples, and table-of-contents entry added.

🔧 Infrastructure

  • AWF firewall updated to v0.11.2 with the agent container switched to act
  • Tool versions updated: Claude Code 2.1.19 · Copilot CLI 0.0.394 · Codex 0.91.0 · Playwright MCP 0.0.58 / Browser v1.58.0 · MCP Gateway v0.0.78
  • Safe-outputs MCP server migrated from stdio to HTTP transport for improved reliability
  • Step summaries generated for each processed safe-output message
  • Pinned actions/checkout to v6.0.2 and actions/download-artifact to v7.0.0

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@chrizbo

@DogeAmazed

@dsyme

@heaversm

@jaroslawgajewski

@mhavelock

@mnkiefer

@Pierrci

@plengauer

@samuelkahessay

@stacktick

@strawgate


For complete details, see CHANGELOG.

Generated by GitHub Agentic Workflow


What's Changed

  • [slides] Fix default toolsets comment in slides by @github-actions[bot] in #22722
  • Auto-close stale smoke-test issues when a newer run succeeds by @Copilot in #22724
  • fix: nested reduce in release.md to prevent null accumulator when no PRs have closing issue references by @Copilot in #22726
  • feat: group-by-day for create-issue to prevent same-day duplicate reports by @Copilot in #22725
  • Add object form of imports with aw and apm-packages subfields; deprecate dependencies by @Copilot in #22727
  • [WIP] Fix failing GitHub Actions workflow lint-go by @Copilot in #22734
  • chore: update MCP gateway version to v0.2.5 by @Copilot in #22737
  • fix: include policy-manifest.json and audit directory in firewall-audit-logs artifact by @Copilot in #22733
  • Move APM packaging into own job with minimal permissions by @Copilot in #22738
  • [actions] Update GitHub Actions versions - 2026-03-24 by @github-actions[bot] in #22758
  • [log] add debug logging to 5 workflow package files by @github-actions[bot] in #22768
  • fix: extend dangerous URL scheme check to include data: protocol by @Copilot in #22766
  • fix(security): eliminate unsafe shell quoting of Gemini JSON config (CodeQL #554) by @Copilot in #22765
  • fix(security): unsafe YAML quoting for GH_AW_LABEL_NAMES env var (CodeQL go/unsafe-quoting) by @Copilot in #22764
  • fix: prevent code injection via github.action_path in setup-cli action by @Copilot in #22767
  • Remove unused variable in generate-schema-docs.js (CodeQL alert #497) by @Copilot in #22771
  • fix: remove unused id variable in compiler-loader.js (CodeQL #547) by @Copilot in #22770
  • Remove unused variable in changeset test (CodeQL alert #496) by @Copilot in #22772
  • fix: remove capacity pre-allocation in mergeFetchRefs to avoid overflow (CodeQL #555) by @Copilot in https://githu...

v0.63.1

24 Mar 16:45
f0a8321


What's Changed

  • Update fuzzy schedule algorithm with weighted preferred windows and peak avoidance by @Copilot in #22547
  • Upload firewall audit logs as dedicated GitHub Actions artifacts by @Copilot in #22551
  • Add skip-if-check-failing pre-activation gate by @Copilot in #22537
  • fix: create remote branch via REST before using createCommitOnBranch for new branches by @Copilot in #22568
  • fix: use GraphQL mutation to mark pull requests as ready for review by @Copilot in #22572
  • Compiler: inject DIFC proxy for pre-agent gh CLI custom steps by @Copilot in #22563
  • fix: safe-outputs prompt says "exactly one" even when config allows multiple calls by @Copilot in #22576
  • fix: add missing SARIF upload step for create-code-scanning-alert safe output by @Copilot in #22574
  • [docs] docs: unbloat editing-workflows guide (22% reduction) by @github-actions[bot] in #22583
  • Add aw_context parsing from aw_info.json to logs and audit JSON output by @Copilot in #22577
  • fix: surface engine failure reason in conclusion job when agent_output.json is missing by @Copilot in #22575
  • Fix go/unsafe-quoting (CWE-78/89/94) in expression deprecation warning by @Copilot in #22582
  • Improve compiler error messages for YAML syntax errors and permission scope validation by @Copilot in #22581
  • Update MCP Gateway (gh-aw-mcpg) v0.2.2 → v0.2.3 by @Copilot in #22591
  • [jsweep] Clean check_skip_if_match.cjs by @github-actions[bot] in #22596
  • skip-if-check-failing: ignore checks from current workflow run by @Copilot in #22598
  • Fix Upload Safe Output Items capitalization and DIFC filtered summary formatting by @Copilot in #22602
  • Add proxy.golang.org and sum.golang.org to jsweep network allowlist by @Copilot in #22603
  • Update content-moderation.yml by @pelikhan in #22611
  • docs: document --action-tag and --actions-repo compile flags for testing against alternate actions repos by @Copilot in #22607
  • Convert qmd-docs.md and qmd.md to use tools.qmd with GPU runner; remove standalone indexer by @Copilot in #22605
  • Fix untrusted_checkout_exec poutine finding in smoke-workflow-call workflows by @Copilot in #22608
  • Rephrase aw_context input description by @Copilot in #22614
  • ci-doctor: remove workflow_run, stop-after, and if by @Copilot in #22615
  • [docs] docs: remove duplicate MCP config from web-search guide by @github-actions[bot] in #22617
  • fix(create-discussion): prevent double-posting when GraphQL mutation partially succeeds by @Copilot in #22601
  • [code-simplifier] refactor: extract writePromptBashStep helper to deduplicate poutine-suppressed steps (#22608) by @github-actions[bot] in #22618
  • fix: add labels as a valid update field for update_discussion by @Copilot in #22613
  • Remove sandbox.mcp.container from smoke workflows by @Copilot in #22616
  • fix: exclude .git from push_repo_memory size calculation by @Copilot in #22610
  • feat: wrap qmd documentation index step summary in details/summary HTML section by @Copilot in #22623
  • [instructions] Sync github-agentic-workflows.md with release v0.40.1 by @github-actions[bot] in #22649
  • [ca] fix: update wasm golden files for aw_context description change by @github-actions[bot] in #22624
  • [docs] Update glossary - daily scan by @github-actions[bot] in #22644
  • [docs] Update Astro dependencies - 2026-03-24 by @github-actions[bot] in #22650
  • [community] Update community contributions in README by @github-actions[bot] in #22646
  • [docs] Consolidate developer specs into dev.md v4.2 by @github-actions[bot] in #22653
  • build(deps-dev): bump @vitest/coverage-v8 from 4.0.18 to 4.1.1 in /actions/setup/js by @dependabot[bot] in #22643
  • [fp-enhancer] Improve pkg/cli: replace imperative loops with sliceutil.Map/Filter by @github-actions[bot] in #22632
  • Add diagnostic logging to qmd_index.cjs for empty index debugging by @Copilot in #22665
  • fix(safe-outputs): add 🎭 emoji to staged mode preview in PR review handlers (USE-003) by @Copilot in #22621
  • fix: add standardized error codes (USE-001) to four safe-output handlers by @Copilot in #22620
  • fix(sec-004): sanitize body field in assign_to_agent.cjs by @Copilot in #22619
  • Improve glossary-maintainer: allow any bash command and leverage qmd search by @Copilot in #22660
  • refactor: rename codemod_permissions functions for discoverability by @Copilot in #22658
  • [docs] docs: reduce bloat in safe-outputs reference by @github-actions[bot] in #22672
  • fix: align qmd_index test assertion with ERR_CONFIG error message prefix by @Copilot in #22671
  • fix: better diagnostics and messaging in the update command by @Copilot in #22669
  • docs: fix homepage title duplication and disable glow animation on mobile for all themes by @Copilot in #22675
  • fix: correct repository org in smoke cross-repo PR workflows (github → githubnext) by @Copilot in #22677
  • refactor: remove ForInspector wrapper indirection and add dual-path config parity test by @Copilot in #22676
  • feat: add on-demand workflow_dispatch trigger to auto-triage-issues for label backfill by @Copilot in #22688
  • fix: surface full error message in agent failure issue comments by @Copilot in #22689
  • chore: bump MCP Gateway v0.2.3 → v0.2.4, APM v0.8.4 → v0.8.5 by @Copilot in #22693
  • qmd: replace paths array with pattern string and add ignore for excluded patterns by @Copilot in #22683
  • Remove dual path safe output config generation by @Copilot in #22687
  • Never suggest tools.github mode: remote in agent prompts by @Copilot in #22709
  • fix: update wasm golden files for mcpg v0.2.4 by @Copilot in #22710
  • Fix: vulnerability-alerts incorrectly emitted as job-level workflow permission in compiled lock file by @Copilot in #22708
  • fix: resolve CLI help text consistency issues across 7 commands by @Copilot in #22714
  • Fix filterJobLevelPermissions dropping explicit empty permissions block by @Copilot in #22720
  • feat: update DIFC proxying to also proxy actions/github-script by @Copilot in #22712

Full Changelog: v0.63.0...v0.63.1

v0.63.0

23 Mar 23:45
4248ac6


🌟 Release Highlights

This release delivers a major new experimental tool for semantic documentation search, two high-priority security fixes applied across all compiled workflows, a firewall and MCP gateway upgrade, and a smarter fuzzy scheduler that reduces queue contention on GitHub Actions.

✨ What's New

qmd documentation search tool (experimental)

Agentic workflows can now perform vector-similarity search over local documentation, GitHub code search results, and issue lists, without requiring contents: read in the agent job. The new built-in qmd tool (powered by tobi/qmd) runs a dedicated indexing job that builds and caches an embedding index, then serves it to the agent via an HTTP MCP server. GPU-accelerated indexing is supported on custom runners.

tools:
  qmd:
    checkouts:
      - name: docs
        paths: [docs/**/*.md]
    searches:
      - name: issues
        type: issues
        max: 500
        github-token: ${{ secrets.GITHUB_TOKEN }}

Learn more →

Smarter fuzzy scheduler

The FUZZY:* schedule patterns now guarantee that scattered cron minutes land in [5, 54], keeping every run clear of the GitHub Actions peak-contention windows (midnight UTC and the ±5 minutes around the top of every hour, i.e. minutes 55-59 and 0-4). Existing workflows pick up the new minutes automatically on the next recompile.

Schedule syntax reference →
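As an added illustration (example code, not gh-aw's scheduler implementation), the Go program below shows one way to scatter cron minutes deterministically into [5, 54] and to flag the peak window the note describes. The hashing scheme, the function names, and the two FUZZY:hourly / FUZZY:daily forms it expands are assumptions made for this example; the real pattern syntax is in the schedule reference linked above.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Inclusive minute window that stays clear of the top-of-hour contention
// band (minutes 55..59 and 0..4) described in the release note.
const (
	minMinute = 5
	maxMinute = 54
)

// fuzzyMinute maps a workflow identifier to a minute in [minMinute, maxMinute].
// Deriving it from a hash (an assumption of this example) keeps the result
// stable across recompiles, so lock files do not churn, while different
// workflows still land on different minutes.
func fuzzyMinute(workflowID string) int {
	sum := sha256.Sum256([]byte(workflowID))
	span := uint64(maxMinute - minMinute + 1) // 50 candidate minutes
	return minMinute + int(binary.BigEndian.Uint64(sum[:8])%span)
}

// inPeakWindow reports whether a cron minute falls inside the band the
// scheduler avoids: within five minutes on either side of every hour.
func inPeakWindow(minute int) bool {
	return minute < minMinute || minute > maxMinute
}

// fuzzyCron expands a FUZZY:* pattern into a five-field cron string. Only two
// hypothetical forms are handled here (the example's own, not gh-aw's syntax):
//
//	FUZZY:hourly -> "M * * * *"
//	FUZZY:daily  -> "M H * * *", with H also derived from the hash
func fuzzyCron(pattern, workflowID string) (string, error) {
	m := fuzzyMinute(workflowID)
	switch pattern {
	case "FUZZY:hourly":
		return fmt.Sprintf("%d * * * *", m), nil
	case "FUZZY:daily":
		sum := sha256.Sum256([]byte("hour:" + workflowID))
		h := int(binary.BigEndian.Uint64(sum[:8]) % 24)
		return fmt.Sprintf("%d %d * * *", m, h), nil
	}
	return "", fmt.Errorf("unsupported fuzzy pattern %q", pattern)
}

func main() {
	// Constructed workflow names; any string works as the hash input.
	for _, id := range []string{"daily-triage", "weekly-report", "ci-doctor"} {
		cron, err := fuzzyCron("FUZZY:daily", id)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s %-14q peak=%v\n", id, cron, inPeakWindow(fuzzyMinute(id)))
	}
}
```

Because the minute is a pure function of the workflow identifier, recompiling does not move a schedule unless the identifier changes, which is what keeps the generated lock file diff-free between releases.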

🔒 Security Fixes

  • github-env HIGH finding eliminated: all 193 compiled workflows now write framework-controlled variables (GH_AW_SAFE_OUTPUTS, GH_AW_AGENT_OUTPUT, GH_HOST) to $GITHUB_OUTPUT instead of $GITHUB_ENV, resolving a zizmor HIGH finding. Anything appended to $GITHUB_ENV lands in the environment of every later step in the job, so a write whose value can be influenced by untrusted input lets that input redefine variables later steps trust; $GITHUB_OUTPUT only populates outputs that later steps reference explicitly. (#22528)
  • SHA pinning extended to on.steps: custom steps injected into pre-activation jobs via on.steps now go through the same SHA-pinning pipeline as steps: and post-steps:, closing a supply-chain gap where unpinned action references (mutable tags or branches) could pass through verbatim into lock files. (#22529)
  • AWF Firewall upgraded to v0.25.0: all workflow lock files recompiled against the latest firewall image. (#22508)
  • MCP Gateway upgraded to v0.2.2: improved robustness when extracting issue and PR numbers from search results where structured data fields are absent or malformed. (#22538)
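The Go program below is an added illustration of why the github-env finding matters. It is not gh-aw code and does not claim any gh-aw workflow was exploitable: it re-implements, in simplified form, how the runner reads $GITHUB_ENV, shows a constructed untrusted value adding a second variable through a naive NAME=value write, and shows the heredoc form that keeps newlines inside the value. parseGithubEnv, naiveEnvLine and heredocLine are names chosen for the example, and the sample value is constructed.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// parseGithubEnv imitates how the Actions runner ingests $GITHUB_ENV after a
// step finishes: every "NAME=value" line defines a variable for all later
// steps, and "NAME<<DELIM" starts a multi-line value that ends at a line
// equal to DELIM. Simplified re-implementation for illustration only.
func parseGithubEnv(content string) map[string]string {
	env := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if name, delim, ok := strings.Cut(line, "<<"); ok && !strings.Contains(name, "=") {
			var body []string
			for sc.Scan() && sc.Text() != delim {
				body = append(body, sc.Text())
			}
			env[name] = strings.Join(body, "\n")
			continue
		}
		if name, value, ok := strings.Cut(line, "="); ok && name != "" {
			env[name] = value
		}
	}
	return env
}

// naiveEnvLine is the write pattern zizmor's github-env audit flags: if
// value can be influenced by untrusted input, an embedded newline starts a
// second NAME=value line and defines a variable the step never intended.
func naiveEnvLine(name, value string) string {
	return fmt.Sprintf("%s=%s\n", name, value)
}

// heredocLine writes the value under a random delimiter, so newlines stay
// inside the value. The same shape works for $GITHUB_OUTPUT, which is the
// better sink anyway: outputs reach only the steps that reference them,
// whereas $GITHUB_ENV changes every later step's environment.
func heredocLine(name, value string) (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	delim := "ghadelimiter_" + hex.EncodeToString(b[:])
	if strings.Contains(value, delim) {
		return "", fmt.Errorf("value contains delimiter")
	}
	return fmt.Sprintf("%s<<%s\n%s\n%s\n", name, delim, value, delim), nil
}

func main() {
	// Constructed input: text an attacker controls (a PR title, say) that a
	// pull_request_target step copies into the environment.
	untrusted := "Fix typo\nGH_HOST=attacker.example"
	fmt.Println("naive:  ", parseGithubEnv(naiveEnvLine("PR_TITLE", untrusted)))
	safe, err := heredocLine("PR_TITLE", untrusted)
	if err != nil {
		panic(err)
	}
	fmt.Println("heredoc:", parseGithubEnv(safe))
}
```

The naive write lets the constructed value redefine GH_HOST for every later step; the heredoc write keeps the whole string under PR_TITLE. Moving framework-controlled values to $GITHUB_OUTPUT removes the job-wide blast radius entirely, which is why the recompile above resolves the finding rather than just escaping the values.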

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@Dan-Co

@dsyme

@lpcox

@samuelkahessay


For complete details, see CHANGELOG.

Note

πŸ”’ Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #18569 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #22335 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release


What's Changed

  • [q] feat: add Docker mounting limitations to builtin agent prompt (#22074) by @github-actions[bot] in #22076
  • [jsweep] Clean add_reaction_and_edit_comment.cjs by @github-actions[bot] in #22075
  • [docs] docs: document IANA timezone field for schedule cron entries by @github-actions[bot] in #22082
  • fix: add github.event_name to JS allowed expressions list by @Copilot in #22084
  • Extract shared HTTP MCP server lifecycle into mcp_http_server_runner.cjs by @Copilot in #22078
  • Extract agent timeout message to markdown template by @Copilot in #22088
  • perf: replace O(n²) string concatenation with strings.Builder in expression_parser by @Copilot in #22095
  • docs: add .github/aw/memory.md - canonical guide for persistent memory strategies by @Copilot in #22094
  • Add .github/aw/charts.md prompt for Python data visualization workflows by @Copilot in #22093
  • docs: explain intentional lipgloss v1 import in huh_theme.go by @Copilot in #22100
  • Replace hardcoded hex colors in progress.go with adaptive style constants by @Copilot in #22099
  • Add network.allowed reference docs and link from agentic-workflows agent by @Copilot in #22102
  • Drain HTTP response bodies on non-OK paths to enable TCP connection reuse by @Copilot in #22101
  • Adjust outputs written to issues for previous rename of artifact from agent-artifacts to agent by @dsyme in #22127
  • Preserve angle brackets in code blocks and inline code spans during sanitization by @Copilot in #22005
  • Pre-compile heredoc regexp patterns at package level by @Copilot in #22104
  • Rename policyStatuses and getActivationOutputsCodemod for discoverability by @Copilot in #22105
  • Fix: Turns always 0 and ToolCalls always null in run summaries by @Copilot in #22106
  • [actions] Update GitHub Actions versions - 2026-03-21 by @Copilot in #22120
  • feat: dynamic function budget for daily-function-namer (replace fixed 3-file limit) by @Copilot in #22151
  • Fix plugin install TODOs for Claude and Codex: mark both as unsupported by @Copilot in #22153
  • Improve integrity filter footer rendering by @Copilot in #22152
  • Add vulnerability-alerts GitHub App permission for dependabot toolset by @Copilot in #22144
  • fix(smoke-update-cross-repo-pr): remove redundant label constraint causing 100% failure rate by @Copilot in #22157
  • [safe-output-integrator] Add missing safe-output Go compiler tests for assign_to_user, unassign_from_user, missing_tool, missing_data by @github-actions[bot] in #22163
  • docs(charts): suggest importing python-dataviz from githubnext/agentics by @Copilot in #22160
  • Add ready_for_review trigger to CI and grumpy-reviewer; switch grumpy-reviewer to codex by @Copilot in #22155
  • Harden release community attribution with multi-tier GitHub-native linkage and daily updater by @Copilot in #22140
  • Add explicit supportsMaxContinuations: false to Claude, Codex, and Gemini engines by @Copilot in #22158
  • discussion-task-miner: run every 6h, extract 5 items, strengthen duplicate prevention by @Copilot in #22165
  • fix: preserve safe-outputs action inputs/descriptions during update by @Copilot in #22162
  • fix: resolve 40% performance regression in BenchmarkCompileComplexWorkflow by @Copilot in #22159
  • Remove plugins: support in favor of dependencies: + Microsoft/APM by @Copilot in #22156
  • fix: escape handlebars pattern in rendering verifier prompt (#22168) by @lpcox in #22176
  • [dead-code] chore: remove dead functions - 2 functions removed by @github-actions[bot] in #22175
  • fix: update integrity filter blocked message and bold summary headers by @Copilot in #22173
  • feat(community): track external contributor issues as contributions, store in wiki by @Copilot in #22179
  • fix: {{#if ...}} in runtime-imported markdown incorrectly becomes an unresolvable placeholder by @Copilot in #22170
  • [q] q: set min-integrity to none, cookie guard, and spam detection by @Copilot in #22181
  • [code-simplifier] refactor: use shared isTruthy from is_truthy.cjs in render_template by @github...

v0.62.5

21 Mar 01:44
48d8fdf


🌟 Release Highlights

This release focuses on security hardening, reliability fixes across safe-outputs and activation, and a significant documentation expansion, with a couple of quality-of-life feature additions along the way.

⚠️ Security

Two important security improvements ship in this release:

  • Supply chain protection: The Trivy vulnerability scanner action has been removed following the discovery of a supply chain compromise (#22007, #22065). Vulnerability scanning has been replaced with an alternative approach.
  • Public repo integrity hardening: GitHub App authentication no longer exempts public repositories from the automatic minimum-integrity guard policy (#21969). This closes a gap where same-repo untrusted content could bypass integrity checks on public repos.

✨ What's New

  • Timezone support for scheduled workflows: on.schedule cron entries now accept an optional timezone field, letting you express schedules in local time rather than UTC (#22018).
  • Boolean expression optimizer: Condition node trees are now optimized at compile time, producing cleaner and more efficient if: expressions in compiled workflows (#22025).
  • Wildcard target-repo in safe-output handlers: Safe-output handlers now accept target-repo: "*" to match any repository, making reusable handler definitions much more flexible (#21877).
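To make the boolean expression optimizer concrete, here is an added Go example (not gh-aw's ConditionNode code) of the kind of rewriting a compile-time optimizer performs on an if: tree: constant folding, double-negation removal, and flattening of nested conjunctions and disjunctions, all without changing the condition's truth table. The Node, Lit, Expr, Not, And and Or types and the Simplify function are this example's own, and the condition in main is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal boolean AST for an Actions if: condition. These types are the
// example's own, not gh-aw's ConditionNode.
type Node interface{ String() string }
type Lit bool    // constant true/false
type Expr string // opaque leaf, e.g. github.event_name == 'push'
type Not struct{ X Node }
type And struct{ Xs []Node }
type Or struct{ Xs []Node }

func (l Lit) String() string  { return fmt.Sprint(bool(l)) }
func (e Expr) String() string { return string(e) }
func (n Not) String() string  { return "!(" + n.X.String() + ")" }
func (a And) String() string  { return join(a.Xs, " && ") }
func (o Or) String() string   { return join(o.Xs, " || ") }

// join renders children, parenthesising nested And/Or to keep precedence.
func join(xs []Node, op string) string {
	parts := make([]string, len(xs))
	for i, x := range xs {
		s := x.String()
		switch x.(type) {
		case And, Or:
			s = "(" + s + ")"
		}
		parts[i] = s
	}
	return strings.Join(parts, op)
}

// Simplify folds constants, drops double negation and flattens nested
// &&/|| without changing the condition's truth table.
func Simplify(n Node) Node {
	switch v := n.(type) {
	case Not:
		x := Simplify(v.X)
		switch inner := x.(type) {
		case Lit:
			return Lit(!bool(inner)) // !true -> false
		case Not:
			return inner.X // !!X -> X
		}
		return Not{X: x}
	case And:
		return simplifyList(v.Xs, true)
	case Or:
		return simplifyList(v.Xs, false)
	}
	return n
}

// simplifyList treats && (isAnd) and || symmetrically: the identity element
// (true for &&, false for ||) is dropped, the absorbing element collapses
// the node, and same-operator children are spliced in.
func simplifyList(xs []Node, isAnd bool) Node {
	var out []Node
	for _, x := range xs {
		x = Simplify(x)
		switch t := x.(type) {
		case Lit:
			if bool(t) != isAnd {
				return Lit(!isAnd)
			}
			continue
		case And:
			if isAnd {
				out = append(out, t.Xs...)
				continue
			}
		case Or:
			if !isAnd {
				out = append(out, t.Xs...)
				continue
			}
		}
		out = append(out, x)
	}
	switch len(out) {
	case 0:
		return Lit(isAnd) // empty && is true, empty || is false
	case 1:
		return out[0]
	}
	if isAnd {
		return And{Xs: out}
	}
	return Or{Xs: out}
}

func main() {
	// Constructed condition with the redundancy a code generator tends to emit.
	cond := And{Xs: []Node{
		Lit(true),
		Expr("github.event_name == 'pull_request'"),
		Not{X: Not{X: Expr("github.actor != 'dependabot[bot]'")}},
		Or{Xs: []Node{Lit(false), And{Xs: []Node{Expr("steps.activation.outputs.ok == 'true'")}}}},
	}}
	fmt.Println("before:", cond)
	fmt.Println("after: ", Simplify(cond))
}
```

The absorbing-element rule is the one worth checking in a real optimizer: a stray false inside an && that guards a step with write permissions must make the whole condition false, never just disappear.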

πŸ› Bug Fixes & Improvements

  • Bot comment activation fixed: slash_command workflows now correctly activate on bot comments that append metadata after a newline separator β€” a common pattern with GitHub Apps (#22013).
  • Signed commits on new branches: create-pull-request no longer fails when a "Require signed commits" branch ruleset is active and the target branch doesn't yet exist on the remote (#22012).
  • Agent output artifact path: Fixed a nested-path issue where GH_AW_AGENT_OUTPUT artifacts were not found because the file resided outside the /tmp/gh-aw/ artifact root (#21968).
  • GHE: agentics URL resolution: githubnext/agentics now correctly resolves to github.com when a GitHub Enterprise Server host is configured, preventing failed action lookups on GHE (#22014).
  • gh aw new safe-output validation: Safe-output names entered via gh aw new are now validated against the JSON schema, preventing invalid configurations from being written (#21981).
  • Smoke-codex stability: Eliminated a race condition causing intermittent safe_outputs failures on scheduled smoke runs and spurious wrong-PR comments (#22039).
  • Code-push skip no longer triggers fail-fast: When a code-push step is intentionally skipped, the workflow now continues rather than halting with a failure (#21976).
  • MCP Gateway updated to v0.1.20 (#21946).

📚 Documentation

A substantial documentation push accompanies this release:

  • New: Integrity reference guide β€” covers trust levels, filtering behavior, and policy configuration (#22044).
  • New: GHE Cloud data residency debugging guide β€” step-by-step troubleshooting for GitHub Enterprise Cloud data residency connectivity issues (#21993).
  • Expanded checkout: frontmatter reference β€” the checkout section now documents all supported options with examples (#22041).
  • GitHub MCP access control spec v1.1.0 β€” updated to document blocked-users and approval-labels fields (#22023).
  • Streamlined agentic-authoring guide β€” reduced size and improved focus for faster onboarding (#22054).

For complete details, see the CHANGELOG.

Generated by Release


What's Changed

  • Update MCP Gateway v0.1.19 → v0.1.20 by @Copilot in #21946
  • fix: allow wildcard target-repo: "*" in safe-output handlers by @Copilot in #21877
  • fix: remove GitHub App auth exemption from automatic public-repo min-integrity guard policy by @Copilot in #21969
  • chore: update golang.org/x/mod v0.33.0 → v0.34.0 by @Copilot in #21970
  • fix(codex): align execute step name to "Execute Codex CLI" by @Copilot in #21972
  • fix: skipped code-push should not trigger fail-fast; retry PR review on unresolvable line by @Copilot in #21976
  • fix: resolve CLI consistency issues in help text and documentation by @Copilot in #21971
  • docs: add GHE Cloud data residency debugging guide by @lpcox in #21993
  • fix: validate safe-output names in gh aw new against JSON schema; fix create-project oneOf by @Copilot in #21981
  • deps: update golang.org/x/crypto v0.48.0 → v0.49.0 by @Copilot in #21980
  • chore: bump trivy-action from 0.33.1 to 0.35.0 by @lpcox in #22003
  • Harden Issue Monster against integrity-filtered issue reads by @Copilot in #21999
  • fix(campaign): prevent duplicate Security Alert Burndown Epic issues by @Copilot in #21998
  • Fix GH_AW_AGENT_OUTPUT nested path by enforcing /tmp/gh-aw/ artifact root by @Copilot in #21968
  • security: remove Trivy action due to supply chain compromise by @Copilot in #22007
  • [code-simplifier] refactor: simplify guard policy setOutput, footer logic, and comment clarity by @github-actions[bot] in #22016
  • Add token budget and context-pruning guardrails to Daily CLI Performance Agent by @Copilot in #21997
  • fix: pushSignedCommits fails on new branches with "Require signed commits" ruleset by @Copilot in #22012
  • Improve sliceutil test coverage from ~29% to ~100% of exported functions by @Copilot in #22015
  • fix: strip redundant resource identifier from integrity filtering note (#21988) by @Copilot in #22019
  • [docs] Self-healing documentation fixes from issue analysis - 2026-03-20 by @github-actions[bot] in #22020
  • docs: update GitHub MCP access control specification v1.1.0 - add blocked-users and approval-labels fields by @Copilot in #22023
  • feat: add timezone field support to on.schedule cron entries by @Copilot in #22018
  • fix: ensure githubnext/agentics resolves to github.com when GHE is configured by @Copilot in #22014
  • Fix slash_command activation for bot comments with newline-separated metadata by @Copilot in #22013
  • [log] Add debug logging to 5 workflow/cli files by @github-actions[bot] in #22026
  • docs: add VEX integration guidance to dependabot prompt by @Copilot in #22027
  • docs(central-repo-ops): replace actions/checkout step with checkout: frontmatter field in worker example by @Copilot in #22038
  • refactor: move misplaced functions to semantically correct files by @Copilot in #22034
  • fix(smoke-codex): eliminate safe_outputs instability on schedule runs and wrong-PR comments by @Copilot in #22039
  • docs: expand checkout: section in frontmatter reference by @Copilot in #22041
  • chore(deps): bump h3 from 1.15.8 to 1.15.9 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #22043
  • [docs] docs: unbloat agentic-authoring guide by @github-actions[bot] in #22054
  • [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #22051
  • docs: add integrity.md reference documentation by @Copilot in #22044
  • feat: add boolean expression optimizer for ConditionNode trees by @Copilot in #22025
  • fix: cache action inputs in actions-lock.json for deterministic smoke-codex compilation by @Copilot in #22048
  • chore: remove trivy by @Copilot in #22065
  • Remove session management from safe outputs MCP HTTP server by @Copilot in #22056

Full Changelog: v0.62.4...v0.62.5

v0.62.4

20 Mar 14:01
a898ed7


🌟 Release Highlights

A focused patch release bringing improved authentication flexibility for discussion safe outputs and a reliability fix for scheduled smoke runs.

✨ What's New

  • github-token support in update-discussion safe output: the update-discussion safe output handler now accepts a custom github-token, giving workflows greater control over which identity is used when updating GitHub Discussions. This is consistent with the authentication model used by other safe output handlers.

πŸ› Bug Fixes & Improvements

  • Smoke-Gemini scheduled runs stabilized: scheduled Gemini smoke runs were failing due to an unconditional add_comment call. The fix applies the comment step conditionally and recompiles affected lock files, restoring reliable scheduled validation.

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Support github-token in update-discussion safe output by @Copilot in #21924
  • fix: smoke-gemini scheduled runs fail due to unconditional add_comment + recompile stale lock files by @Copilot in #21920
  • [ubuntu-image] research: update Ubuntu runner image analysis to 20260309.50.1 by @github-actions[bot] in #21928
  • [architecture] Update architecture diagram scratchpad - 2026-03-20 by @github-actions[bot] in #21932
  • [docs] Update glossary - daily scan by @github-actions[bot] in #21948
  • chore: bump golang.org/x/term v0.40.0 → v0.41.0 by @Copilot in #21945
  • chore(deps): bump protobuf to v1.36.11, grpc already at v1.79.3 by @Copilot in #21914

Full Changelog: v0.62.3...v0.62.4

v0.62.3

20 Mar 06:28
458e90f


🌟 Release Highlights

This release focuses on extensibility and reliability: bringing custom GitHub Actions into the safe-outputs toolkit, hardening the MCP Gateway, and shaving ~20 seconds off every workflow run.

✨ What's New

  • Custom Actions as Safe Output Tools (#21752)
    Expose any GitHub Action as an MCP tool via the new safe-outputs.actions block. The compiler resolves action.yml at compile time to derive the tool schema and inject it into the agent, so no custom wiring is required. Learn more

  • trustedBots support in MCP Gateway (#21865)
    Workflows can now pass an allowlist of additional GitHub bot identities to the MCP Gateway via the new trustedBots field, enabling safe cross-bot collaboration in guarded environments.

  • gh-aw-metadata v3 with agent & model tracking (#21899)
    Compiled lock files now embed the configured agent ID/model and detection agent ID/model in the gh-aw-metadata comment, making it easier to audit which model drove each workflow run.

  • Raised update_issue / update_discussion safe output limits to 256 (#21902)
    The previous cap of 100 operations blocked high-throughput workflows. The maximum is now 256, giving busy automation more headroom.

⚡ Performance

  • ~20 seconds faster per workflow run (#21873)
    Bumped DefaultFirewallVersion to v0.24.5, which removes a 10-second container shutdown delay. The delay was paid once by the main agent container and once by the threat detection container, so each run saves about 20 seconds in total.

πŸ› Bug Fixes & Improvements

  • MCP Gateway no longer crashes when only min-integrity is set (#21893): repos now defaults to "all" when the field is omitted, fixing a silent config-generation failure introduced by Gateway v0.1.19.

  • Schema validation errors now show the correct line number (#21853): errors like timeout-minutes: -10 previously always reported file.md:1:1. They now point to the actual offending line and use a cleaner message prefix.

  • Staged safe-output handlers no longer acquire write permissions (#21903): handlers that only emit step-summary previews were incorrectly merging write permissions; they now run with the minimal permissions they actually need.

  • CLI help text consistency fixes (#21907): corrected misleading flag descriptions in add, trial, audit, and mcp inspect commands.

  • Protected Files warning now appears in the correct position (#21841): when create_pull_request falls back to an issue, the "Protected Files" section is now inserted before the footer rather than after it.

📚 Documentation

  • /gh-aw (no trailing slash) now redirects correctly (#21906): previously returned a 404 with a doubled canonical URL.
  • Documentation updated for the new --filtered-integrity logs flag and safe-outputs.actions configuration.

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • fix: insert Protected Files section before footer in fallback issues by @Copilot in #21841
  • [docs] Self-healing documentation fixes from issue analysis - 2026-03-19 by @github-actions[bot] in #21847
  • [log] Add debug logging to workflow and CLI helper functions by @github-actions[bot] in #21851
  • feat: daily DIFC integrity-filtered events analysis workflow + MCP logs filtered_integrity param by @Copilot in #21855
  • fix: schema validation errors report correct line number and cleaner message prefix by @Copilot in #21853
  • feat: Add schema-feature-coverage agentic workflow for 100% schema field coverage by @Copilot in #21856
  • chore: bump DefaultFirewallVersion to v0.24.5 by @Copilot in #21873
  • feat: mount custom GitHub Actions as safe output tools via safe-outputs.actions by @Copilot in #21752
  • [instructions] Sync github-agentic-workflows.md with v0.40.1 - add safe-outputs scripts field by @github-actions[bot] in #21874
  • [docs] docs: remove redundant content from templating.md by @github-actions[bot] in #21876
  • Fix MCP Gateway failure: default repos to "all" when only min-integrity is set by @Copilot in #21893
  • Add trustedBots field to MCP Gateway spec, schema, and frontmatter by @Copilot in #21865
  • feat: update gh-aw-metadata payload to v3 with agent id/model and detection agent id/model by @Copilot in #21899
  • [jsweep] Clean add_copilot_reviewer.cjs by @github-actions[bot] in #21898
  • [docs] Update documentation for 2026-03-20 changes by @github-actions[bot] in #21904
  • Bump absolute maximum for update_issue and update_discussion safe outputs to 256 by @Copilot in #21902
  • refactor: extract shared renderStandardJSONMCPConfig helper across engine MCP modules by @Copilot in #21901
  • fix(docs): redirect /gh-aw (no trailing slash) to /gh-aw/ by @Copilot in #21906
  • refactor: semantic function clustering - move functions to better-aligned files by @Copilot in #21908
  • fix: resolve 4 CLI consistency issues from automated inspection by @Copilot in #21907
  • Recompile workflows to sync lock files by @Copilot in #21913
  • Skip write permissions for staged safe output handlers by @Copilot in #21903
  • fix(workflow): normalize report formatting in prompt-clustering-analysis by @Copilot in #21915
  • fix: recompile stale lock files and restore Daily Workflow Updater by @Copilot in #21916

Full Changelog: v0.62.2...v0.62.3

v0.62.2

19 Mar 19:15
ffa4a66


🌟 Release Highlights

This release focuses on reliability and resilience: fixing critical safe-outputs failures, improving signal handling on Linux/WSL, and introducing a new integrity filtering capability for log analysis.

⚠️ Breaking Changes

lockdown: true is replaced by min-integrity: approved

The lockdown: true field under tools.github has been superseded by the min-integrity guard policy. All 13 built-in agentic workflows have been updated automatically, but if you use lockdown: true in your own workflow frontmatter, you must migrate:

# Before (deprecated)
tools:
  github:
    lockdown: true

# After (required)
tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

✨ What's New

  • --filtered-integrity flag for gh aw logs: new flag to filter and surface sessions that contain DIFC-filtered items in the gateway logs, making it easier to audit integrity-controlled workflow runs.

πŸ› Bug Fixes & Improvements

  • Safe-outputs artifact 409 conflict resolved: the safe_outputs job was uploading artifacts under the same name ("agent") as the agent job, which actions/upload-artifact v4 rejects with a 409 Conflict because artifact names must be unique within a run. The job now uses a dedicated artifact name.
  • Reliable Ctrl-C / signal handling on WSL: gh aw commands now handle SIGINT/SIGTERM through a top-level context with signal propagation, so every command shuts down gracefully on Linux and WSL.
  • Self-upgrade no longer fails with ETXTBSY on Linux/WSL: Linux refuses to open a running executable for writing (ETXTBSY) but allows renaming it, so gh aw upgrade now tries the in-place write first and, on ETXTBSY, renames the running binary aside and writes the new one at the original path.
  • Unconfigured app credentials no longer cause workflow failures: the activation-app.md and safe-output-app.md shared workflows referenced unconfigured vars.APP_ID and secrets.APP_PRIVATE_KEY, which caused failures; these references are now commented out by default.
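The self-upgrade fix is a general technique for replacing a running binary on Linux. As an added example (not gh aw's upgrade code; the function names and the rollback details are the example's own), this Go program attempts the in-place write, recognises ETXTBSY, and falls back to renaming the running binary aside, writing the new file through a temp file in the same directory, and restoring the old binary if anything fails.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// isTextBusy reports whether err is Linux's refusal to open a running
// executable for writing (ETXTBSY), possibly wrapped in a *PathError.
func isTextBusy(err error) bool {
	return errors.Is(err, syscall.ETXTBSY)
}

// writeInPlace overwrites path directly. This is the fast path that works
// on macOS and on Linux whenever the target is not currently executing.
func writeInPlace(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_TRUNC, 0o755)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// replaceByRename moves the running binary aside (rename is permitted even
// while it executes), writes the new binary at the original path through a
// temp file plus rename so a crash never leaves a truncated executable, and
// rolls back to the old binary if any step fails.
func replaceByRename(path string, data []byte) error {
	old := path + ".old"
	if err := os.Rename(path, old); err != nil {
		return fmt.Errorf("move running binary aside: %w", err)
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), filepath.Base(path)+".tmp-*")
	if err != nil {
		_ = os.Rename(old, path)
		return err
	}
	tmpName := tmp.Name()
	fail := func(e error) error {
		tmp.Close()
		_ = os.Remove(tmpName)
		_ = os.Rename(old, path) // restore the previous binary
		return e
	}
	if _, err := tmp.Write(data); err != nil {
		return fail(err)
	}
	if err := tmp.Chmod(0o755); err != nil {
		return fail(err)
	}
	if err := tmp.Close(); err != nil {
		return fail(err)
	}
	if err := os.Rename(tmpName, path); err != nil {
		return fail(err)
	}
	// The old inode stays alive for the running process until it exits, so
	// unlinking it is safe.
	_ = os.Remove(old)
	return nil
}

// installBinary is the try-first-rename strategy: attempt the in-place
// write, and only fall back to the rename dance when the kernel says ETXTBSY.
func installBinary(path string, data []byte) error {
	err := writeInPlace(path, data)
	if err == nil || !isTextBusy(err) {
		return err
	}
	return replaceByRename(path, data)
}

func main() {
	self, err := os.Executable()
	if err != nil {
		fmt.Println(err)
		return
	}
	// Probe only, no truncation: opening our own running binary for writing
	// on Linux yields ETXTBSY, which is exactly the case the fallback handles.
	f, err := os.OpenFile(self, os.O_WRONLY, 0)
	if err == nil {
		f.Close()
	}
	fmt.Println("in-place write of running binary blocked:", isTextBusy(err))
}
```

Checking errors.Is against syscall.ETXTBSY rather than matching the message keeps the fallback from masking unrelated failures such as a read-only directory, where renaming would not help either.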

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Replace lockdown: true with min-integrity: approved in workflow frontmatter by @Copilot in #21831
  • fix: proper end-to-end Ctrl-C / signal handling for all gh aw commands (WSL) by @Copilot in #21795
  • fix: retry self-upgrade with binary rename on Linux/WSL to avoid ETXTBSY by @Copilot in #21793
  • refactor: consolidate shared JS constants into constants.cjs by @Copilot in #21835
  • docs: optimize slides.md for readability and presentation crispness by @Copilot in #21837
  • Add --filtered-integrity flag to logs command by @Copilot in #21838
  • Comment out unconfigured app credentials in activation-app.md and safe-output-app.md by @Copilot in #21836
  • Fix safe-outputs artifact 409 conflict by using a dedicated artifact name by @Copilot in #21840

Full Changelog: v0.62.1...v0.62.2