v0.76.1

🌟 Release Highlights

This release brings a new replay command for timeline log visualization, inline skill support, improved safe-outputs reliability, and Codex model updates.

✨ What's New

• replay command — Render and stream unified timeline logs directly in your terminal for faster post-run analysis (#34835)
• Inline skill extraction/runtime — Define and run skills inline within workflows, mirroring the inline sub-agent syntax for a more consistent authoring experience (#34874)
• Codex default model updated to gpt-5.4 — Workflows using Codex now use the latest model by default; lockfiles have been regenerated (#34804)
• tracker-id frontmatter documented — The tracker-id field is now fully documented in the reference, making it easier to correlate workflow runs with external tracking systems (#34799)

🐛 Bug Fixes & Improvements

• safe-outputs push_to_pull_request_branch — Documented as append-only and now auto-linearizes merge commits before a signed push, preventing push failures on branches with merge history (#34834)
• Codex threat-detection — Response-event logs from Codex are now correctly parsed in threat-detection result processing (#34850)
• Step name alignment stabilized — Direct manifest reads are now permitted and agent guidance tightened to prevent step name drift (#34873)
• Reduced duplicate frontmatter scanning — ParseWorkflow no longer scans frontmatter twice, improving compilation performance (#34819)
• Build & test reliability — Integration-tagged builds and CGO fuzz jobs now correctly share test helpers, eliminating spurious CI failures (#34841, #34816)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 838.6K

---

What's Changed

• Enforce //go:build !integration on untagged unit test files by @Copilot in #34798
• doc: document tracker-id frontmatter field in main reference by @Copilot in #34799
• Set Codex default fallback model to gpt-5.4 and regenerate lockfiles by @Copilot in #34804
• Fix CGO fuzz job compile failure by exposing shared test helpers to integration-tagged builds by @Copilot in #34816
• Fix failing unit test: align Metrics Trends row labels with test expectations by @Copilot in #34833
• Reduce duplicate frontmatter scanning in ParseWorkflow by @Copilot in #34819
• Fix integration-tag test build by making initTestGitRepo helper available to all test variants by @Copilot in #34841
• [compiler-threat-spec] chore(spec): daily threat spec optimizer 2026-05-26 — bump to v1.0.12 by @github-actions[bot] in #34845
• [community] Update community contributions in README by @github-actions[bot] in #34846
• Route Antigravity AWF target through Gemini provider key by @Copilot in #34839
• Handle Codex response-event logs in threat-detection result parsing by @Copilot in #34850
• fix(safe-outputs): document push_to_pull_request_branch as append-only; auto-linearize merge commits before signed push by @Copilot in #34834
• feat: add replay command for rendering unified timeline logs by @Copilot in #34835
• [code-simplifier] Reuse gatewayTimestampToTime in agentEntryToTimelineEvent by @github-actions[bot] in #34864
• Stabilize Step Name Alignment by permitting direct manifest reads and tightening agent guidance by @Copilot in #34873
• [jsweep] Clean add_comment.cjs by @github-actions[bot] in #34866
• Add inline skill extraction/runtime support mirroring inline sub-agents by @Copilot in #34874

Full Changelog: v0.76.0...v0.76.1

v0.76.0

🌟 Release Highlights

This release brings a major new engine (Antigravity), significant improvements to token forecasting, supply chain protection, and expanded observability — alongside a wave of quality and performance improvements.

✨ What's New

• Antigravity Engine — A new first-class AI engine joins gh-aw. The Antigravity engine is available as a workflow option, with Gemini now deprecated in its favor. (#34693)

• First-class engine.permission-mode — Claude's permission mode is now decoupled from bash wildcard access. You can explicitly set engine.permission-mode in your workflow frontmatter for fine-grained control over agent permissions. (#34525)

• Unified Event Timeline — The MCP Gateway, AWF firewall, and agent logs now share a unified event timeline, making it much easier to trace what happened across all components during a workflow run. (#34782)

• Shared PMG Pre-step (Supply Chain Protection) — A new Package Manager Guard (PMG) pre-step is available as a shared component to protect workflows from supply chain attacks during package installs. (#34672)

• GHE Support for Add-Wizard — The add-wizard shorthand now falls back to the github.com org when used on GitHub Enterprise Server, with improved cross-host error guidance. (#34526)

• Interruption-Aware Forecast — The forecast command now ignores skipped runs, handles interruptions correctly, and focuses output on effective-token predictions for more actionable cost estimates. (#34740, #34750)

🐛 Bug Fixes & Improvements

• GHE Fix: Extension Upgrade — Pinned GH_HOST=github.com for extension upgrades in GitHub Enterprise environments to prevent authentication failures. (#34752)

• Codex Default-Deny Fetch — Restored Codex's default-deny fetch behavior during workflow compilation, closing a potential overfetch path. (#34726)

• Secret Redaction Update — Updated ghs_ secret redaction to cover long-form GitHub App installation tokens. (#34737)

• Build Cycle Fix — Broke a logger↔timeutil import cycle that was causing CGO/fuzz workflow failures. (#34584)

• Codex Default Model — Updated the Codex default model to gpt-5.3-codex. (#34518)

• AWF Firewall & MCP Gateway Bumps — Updated default AWF to v0.25.55 and MCP Gateway to v0.3.19. (#34763)

⚡ Performance

• Reduced ExtractWorkflowNameFromFile overhead by removing a redundant deferred close path. (#34777)
• Optimized incremental bundle transport for stale PR branch sync workflows. (#34753)
• Reduced PR Description Updater token overhead in sub-agent orchestration. (#34723)

📚 Documentation

• Added outcome span attributes and an outcomes reference page, contributed by @mnkiefer. (#34627)
• Updated glossary, architecture diagram, and documentation for 2026-05-25 features.

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 709K

---

What's Changed

• Handle Gemini chunked threat-detection verdict parsing by @Copilot in #34509
• Reviewing Codex configuration against documentation by @codex in #34480
• [linter-miner] feat(linters): add fprintlnsprintf linter by @github-actions[bot] in #34498
• codex: set default model to gpt-5.3-codex by @Copilot in #34518
• Normalize report-style output guidance in non-compliant workflows by @Copilot in #34512
• refactor(workflow): migrate resolve_test.go to testify assertions by @Copilot in #34511
• Improve PR Sous Chef engine-failure context for AWF startup crashes by @Copilot in #34524
• [doc-healer] Expand rejection detection to include non-DDUw bot-authored PRs by @Copilot in #34542
• Add github.com org fallback for add-wizard shorthand on GHE and improve cross-host error guidance by @Copilot in #34526
• Decouple Claude permission mode from bash wildcard and add first-class engine.permission-mode by @Copilot in #34525
• Refactor PR code quality reviewer to use grumpy sub-agent and strict A2A triage by @Copilot in #34555
• [community] Update community contributions in README by @github-actions[bot] in #34558
• [compiler-threat-spec] spec: fix CTR-018 implementation mapping filename and bump to v1.0.11 by @github-actions[bot] in #34559
• [blog] Weekly blog post – 2026-05-25 by @github-actions[bot] in #34566
• [log] Add debug logging to utility packages by @github-actions[bot] in #34571
• Smoke Copilot: enforce add_comment budget in prompt before output phase by @Copilot in #34611
• docs: Add outcome span attributes and outcomes reference by @mnkiefer in #34627
• Break logger↔timeutil import cycle causing CGO/fuzz workflow failures by @Copilot in #34584
• Update model alias and multiplier inventories for 2026-05-25 by @Copilot in #34585
• fix: defensive type assertion for project ID in RunProjectNew by @Copilot in #34583
• [jsweep] Clean action_setup_otlp.cjs by @github-actions[bot] in #34578
• [docs] Update documentation for features from 2026-05-25 by @github-actions[bot] in #34640
• [docs] Update glossary - weekly full scan by @github-actions[bot] in #34633
• [spec-extractor] Update package specifications for tty, types, typeutil, workflow by @github-actions[bot] in #34630
• [architecture] Update architecture diagram - 2026-05-25 by @github-actions[bot] in #34623
• [spec-review] Update Safe Outputs conformance checker for recent spec changes by @github-actions[bot] in #34589
• [specs] Update layout specification - 2026-05-25 by @github-actions[bot] in #34606
• Bump gh-aw-firewall to v0.25.54 and align embedded AWF schema by @Copilot in #34568
• Surface experiment metadata fields in picker step summary by @Copilot in #34665
• Bind docs dev server to IPv4 for workflow readiness checks by @Copilot in #34670
• Add span-level gh-aw.cli.version for setup/conclusion OTLP spans by @Copilot in #34666
• [blog] Agent of the Day – 2026-05-25 by @github-actions[bot] in #34676
• [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #34674
• feat: add shared PMG (Package Manager Guard) pre-step for supply chain protection by @Copilot in #34672
• Fix docs workflow failure by correcting blog metadata and broken spec links by @Copilot in #34702
• Add antigravity engine, deprecate Gemini by @Copilot in #34693
• SPDD: close spec drift gaps across Effective Tokens, Forecast, Frontmatter Hash, Fuzzy Schedule, and MCP Scripts by @Copilot in #34719
• Render AWF model alias resolution events in firewall step summary by @Copilot in #34700
• Restore Codex default-deny fetch behavior for workflow compilation by @Copilot in #34726
• Reduce PR Description Updater token overhead in sub-agent orchestration by @Copilot in #34723
• Add smoke-antigravity workflow by cloning smoke-gemini onto antigravity engine by @Copilot in #34729
• Update ghs_ secret redaction for long-form installation tokens by @Copilot in #34737
• CI: make DIFC proxy gh CLI check tolerant to GitHub API rate limits by @Copilot in #34736
• [linter-miner] feat(linters): add uncheckedtypeassertion linter (run #18) by @github-actions[bot] in #34738
• Make forecast interruption-aware, ignore skipped runs, and clean up empty CI output by @Copilot in #34740
• Refocus forecast output on effective-token predictions by removing yield and episode metrics by @Copilot in https://github.com/gith...

v0.75.4

🌟 Release Highlights

This release brings significant improvements to the Codex engine harness, OTel tracing for child SDKs, compiler guardrails, and overall tooling reliability — alongside a migration to Go 1.26.

✨ What's New

• Codex Harness Hardened — Secret diagnostics, missing-key fast-fail, and --json streaming mode are now built into the Codex harness. dev.md has been switched to the Codex engine for improved developer experience (#34459).
• OTel Child SDK Correlation — OTEL_RESOURCE_ATTRIBUTES are now injected into gh-aw workflows so child processes using the OpenTelemetry SDK automatically inherit trace context, enabling end-to-end distributed tracing. Learn more (#34450).
• opusplan Model Alias — The opusplan alias is now a built-in route in Claude model routing, making it easier to invoke structured planning via the Claude engine (#34263).
• list_repository_collaborators in Repos Toolset — The GitHub MCP repos toolset now includes list_repository_collaborators, giving workflows richer repository access (#34447).
• Effective Token Footer: Resolved Model Names — The effective-token footer now shows the actual resolved model name (not a user alias) and prefixes values with deterministic 5-char model IDs for consistent identification (#34300, #34291).
• Codex Secret Isolation Aligned with Claude — Codex AWF secret isolation now matches the Claude engine's approach, improving consistency and security posture (#34446).
• Go 1.26 — The project has migrated to Go 1.26 (#34318).

🐛 Bug Fixes & Improvements

• IsCompatible Semver Fix — IsCompatible now correctly returns false for invalid semver inputs instead of panicking or giving wrong results (#34312).
• Copilot Harness: GITHUB_OUTPUT ENOENT — Fixed a crash when GITHUB_OUTPUT is inaccessible inside the AWF sandbox (#34266).
• awf-reflect 503 Warmup Hardening — Startup is now resilient against transient 503 errors from the API proxy's /v1/models endpoint (#34265).
• 18 Panic-in-Library-Code Violations Resolved — A new panicinlibrarycode linter was added to CI and 18 pre-existing violations were resolved, making library code safer to import (#34268, #34374, #34389).
• Compiler /tmp/ Path Warning — The compiler now warns when a workflow prompt directly references /tmp/ or /tmp/gh-aw/, helping authors avoid hard-coded ephemeral paths (#34239).
• Compilation Performance — CompileSimpleWorkflow skips manifest baseline resolution when the safe-update feature is off, reducing overhead for common workflows (#34252).

📚 Documentation

• FAQ Condensed (~21% reduction) — The FAQ has been streamlined and verbose answers condensed for easier scanning (#34488).
• Debugging Guide Unbloated (48% reduction) — The debugging guide is significantly leaner with focused, actionable content (#34261).

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 849.9K

---

What's Changed

• Propagate AWF runtime version to all setup-emitted OTel spans by @Copilot in #34221
• Normalize agent workflow temp paths to /tmp/gh-aw/agent by @Copilot in #34225
• Inline Copilot error detection into copilot_harness and remove detect-copilot-errors step generation by @Copilot in #34230
• Optimize mattpocock-skills-reviewer by offloading PR triage to an inline small-model sub-agent by @Copilot in #34229
• compiler: warn when prompt references /tmp/ or /tmp/gh-aw/ directly by @Copilot in #34239
• safeoutputs: make Strategy 3 choose nearest remote merge-base in generate_git_patch by @Copilot in #34222
• Replace mutable pkg/cli test seams with per-flow dependency injection by @Copilot in #34224
• Pin Agent Persona Explorer to explicit Copilot model to avoid Anthropic beta-header failures by @Copilot in #34244
• SPDD spec alignment: add enforcement flows, failure safeguards, and sync protocols by @Copilot in #34247
• deps: update golang.org/x/crypto v0.51.0 → v0.52.0 by @Copilot in #34251
• Clarify stable vs prerelease upgrade messaging by @Copilot in #34245
• Raise daily-code-metrics max-patch-size from 50 KB to 128 KB by @Copilot in #34253
• [docs] docs: unbloat debugging.md (48% line reduction) by @github-actions[bot] in #34261
• Add opusplan builtin alias to Claude model routing by @Copilot in #34263
• Reduce CompileSimpleWorkflow overhead by skipping manifest baseline resolution when safe-update is off by @Copilot in #34252
• [linter-miner] feat: add panic-in-library-code linter by @github-actions[bot] in #34268
• Harden awf-reflect startup against api-proxy warmup 503s on /v1/models by @Copilot in #34265
• fix(copilot-harness): handle ENOENT when GITHUB_OUTPUT is inaccessible inside AWF sandbox by @Copilot in #34266
• Improve test quality in pkg/repoutil/spec_test.go by @Copilot in #34287
• Prefix effective-token footer values with deterministic 5-char model IDs by @Copilot in #34291
• fix: pin chaos-pr-bundle-fuzzer to claude-sonnet-4.6 to avoid deprecated 1M context beta header by @Copilot in #34295
• fix: use actual resolved model name in effective tokens footer, not user-provided alias by @Copilot in #34300
• Set executable bit on jqschema.sh to unblock Copilot PR data fetch by @Copilot in #34301
• deps(go): bump charmbracelet golden to 798e623 pseudo-version by @Copilot in #34304
• bump: Claude Code 2.1.150, Copilot CLI 1.0.51, GitHub MCP Server v1.0.5 by @Copilot in #34307
• fix: IsCompatible returns false for invalid semver inputs by @Copilot in #34312
• fix: lint Go, update node:lts-alpine SHA, recompile lock files by @Copilot in #34316
• Refactor pkg/parser long production functions into focused helper units by @Copilot in #34297
• feat: add Avenger hourly CI fixer workflow by @Copilot in #34322
• move to go 1.26 by @pelikhan in #34318
• Disable npm release-age cooldown for Claude, Codex, and Gemini engine installs by @Copilot in #34338
• chore: bump AWF firewall to v0.25.53 by @Copilot in #34321
• [log] Add debug logging to fuzzy match, bot aliases, manifest updates, and templatables by @github-actions[bot] in #34364
• Enforce panicinlibrarycode in CI and tune it for accepted repo patterns by @Copilot in #34374
• Replace magic time.Sleep literals in pkg/cli with named duration constants by @Copilot in #34373
• [docs] Update dictation skill instructions by @github-actions[bot] in #34387
• [spec-enforcer] Enforce specifications for jsonutil, linters, logger by @github-actions[bot] in #34416
• [docs] Update documentation for features from 2026-05-24 by @github-actions[bot] in #34413
• [spec-extractor] Update package specification for stringutil by @github-actions[bot] in #34409
• [instructions] Sync safe-outputs.md with v0.74.8 — document allow-body by @github-actions[bot] in #34405
• [community] Update community contributions in README by @github-actions[bot] in #34354
• Bump pinned Copilot/Codex/GitHub MCP versions and regenerate workflow artifacts by @Copilot in #34390
• refactor: reduce function-length violations across pkg/workflow, pkg/cli, pkg/parser, pkg/actionpins, pkg/linters by @Copilot in #34388
• Refine footer effective-token suffix formatting and short model alias rendering by @Copilot in #34428
• Refactor ResolveActionPin into focused helpers to reduce large-function lint debt by @Copilot in #34339
• Defer file closes in pkg/cli workflow readers and logs cache writer by @Copilot in #34372
• fix(linters): resolve 18 panic-in-library-code violations by @Copilot in #34389
• Add list_repository_collaborators to repos toolset mapping by @Copilot in #34447
• Align Codex AWF secret isolation with Claude engine by @Copilot in #34446
• gpclean: add tool_verbosity A/B experiment by @Copilot in #34448
• Align package specs with spec-librarian audit findings for linters, syncutil, and ...

v0.75.3

What's Changed

• [log] Add debug logging to utility and workflow files by @github-actions[bot] in #34165
• [rendering-scripts] Extract token counts from new Copilot CLI footer by @github-actions[bot] in #34192
• [instructions] Sync instruction files with release v0.74.8 by @github-actions[bot] in #34196
• [docs] Update documentation for features from 2026-05-23 by @github-actions[bot] in #34202
• [spec-enforcer] Enforce specifications for errorutil, fileutil, gitutil by @github-actions[bot] in #34206
• Pin explicit Copilot model in Constraint Solving POTD workflow to avoid utility-model rate-limit failures by @Copilot in #34208
• Set Copilot BYOK fallback model to Sonnet 4.5 and regenerate lockfiles by @Copilot in #34215
• Handle engine HTTP 429 failures as first-class agent failure context by @Copilot in #34214
• Align package specs with current APIs and dependency classifications by @Copilot in #34217
• Fix daily-syntax-error-quality producing no safe outputs by @Copilot in #34212

Full Changelog: v0.75.2...v0.75.3

v0.75.2

What's Changed

• fix: reject create_pull_request/push_to_pull_request_branch when branch equals base_branch after detection by @Copilot in #34138
• Use Copilot BYOK platform default model instead of hard-coded Claude fallback by @Copilot in #34149
• fix: exclude merged upstream commits from diffSize in push_to_pull_request_branch incremental mode by @Copilot in #34139
• Refactor workflow helper hotspots from semantic clustering audit by @Copilot in #34144
• [community] Update community contributions in README by @github-actions[bot] in #34155

Full Changelog: v0.75.1...v0.75.2

v0.75.1

What's Changed

• [compiler-threat-spec] spec: add CTR-019 Cache-Memory Integrity Enforcement by @github-actions[bot] in #33908
• Reject @filepath local file references in safe-output MCP tool calls by @Copilot in #33919
• Fix Go and JS lint drift in OTLP observability files by @Copilot in #33922
• feat: DataFlow PR & Discussion Dataset Builder workflow by @Copilot in #33925
• [jsweep] Clean action_input_utils.cjs by @github-actions[bot] in #33933
• Add Pi inference request diagnostics to provider logging by @Copilot in #33886
• Add githubnext/agentic-ops by @mnkiefer in #33931
• [docs] Update documentation for features from 2026-05-22 by @github-actions[bot] in #33984
• [spec-enforcer] test: enforce specifications for console, constants, envutil by @github-actions[bot] in #33997
• Add create-check-run safe output type for multi-agent PR analysis by @Copilot in #33852
• Migrate remaining pkg/* logging callsites off log.* linter pattern to pkg/logger by @Copilot in #33946
• Fix Step Name Alignment manifest path to avoid workspace access denials by @Copilot in #33944
• Refactor dispatch/call workflow duplication with shared input, tool, and resolver helpers by @Copilot in #33947
• Add request_review protected-files mode for create_pull_request by @Copilot in #33954
• Add success check-run publishing to reviewer workflows by @Copilot in #34025
• feat: expand copilot as a bot alias to all GitHub Copilot bot identities by @Copilot in #34026
• [docs] Consolidate developer specifications into instructions file (v9.14) by @github-actions[bot] in #34023
• [ab-advisor] Add sub_agent_strategy A/B experiment to smoke-temporary-id workflow by @Copilot in #34020
• Clarify status/list pattern semantics and add CLI help example validation by @Copilot in #34018
• Update blog workflow links to githubnext/agentics to fix broken add-wizard installs by @Copilot in #34005
• Format {files} placeholders as inline code in JS template rendering by @Copilot in #34011
• Add A/B experiment wiring for smoke-pi sub-agent decomposition by @Copilot in #34027
• Add maintenance compile PR mode and configurable GitHub token secret by @Copilot in #34002
• fix: update deprecated CopilotBYOKDefaultModel to claude-sonnet-4-5-20250929 by @Copilot in #34019
• chore: Update OTel observability spec by @mnkiefer in #34043
• Support object-form runs-on in custom jobs schema by @Copilot in #34007
• Switch Developer Documentation Consolidator cadence from daily to weekly by @Copilot in #34031
• Add tone-style A/B experiment to Typist workflow by @Copilot in #34033
• Make add/add-wizard and update manifest-aware for aw.yml package installs by @Copilot in #34008
• Surface OTel token usage from agent-stdio.log when proxy usage logs are missing by @Copilot in #34036
• Improve daily-experiment-report readability with progressive disclosure, quick stats, and visual status cues by @Copilot in #34035
• Add SEC-004 exemption for generate_safe_outputs_tools.cjs false positive by @Copilot in #34038
• feat: add .sentrux/rules.toml with architectural quality gates by @Copilot in #34062
• Remove shared/apm.md; point to microsoft/apm canonical source by @Copilot in #34068
• Optimize ab-testing-advisor prompt with inline sub-agents by @Copilot in #34063
• fix: hypothesis always "(not specified)" in daily experiment report by @Copilot in #34037
• feat(failure-handler): add cascade detection when ≥10 [aw] failures fire within 60 min by @Copilot in #34060
• [docs] docs: unbloat correction-ops.md by @github-actions[bot] in #34074
• Remove deprecated model state; retain full multiplier history by @Copilot in #34079
• fix: infer MCP tool-call status from level/error when status field is absent by @Copilot in #34061
• Bump qs from 6.14.1 to 6.15.2 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #34082
• fix(check_membership): skip roles check for allowlisted bots to eliminate spurious permission warning by @Copilot in #34064
• fix: set GH_AW_WORKFLOW_SOURCE_URL for local workflows in failure issues by @Copilot in #34090
• Render sandbox.firewall models.json in AWF step summaries by @Copilot in #34088
• Bump default MCP Gateway image to gh-aw-mcpg v0.3.18 by @Copilot in #34081
• [linter-miner] Add manual-mutex-unlock linter to detect non-deferred mutex unlocks by @github-actions[bot] in #34091
• fix: skip unlock job when activation was skipped by @Copilot in #34124
• Increase audit workflow repo-memory patch budget to prevent push_repo_memory failures by @Copilot in #34120
• safe-outputs: resolve base branch from origin/HEAD and harden full patch base selection by @Copilot in #34066
• Consolidate workflow FieldLocation onto console ErrorPosition by @Copilot in #34123
• Guard OTLP attribute merge against allocation-size overflow by @Copilot in #34117
• Fix Codex smoke workflow by preserving OPENAI_API_KEY in AWF container env by @Copilot in #34129
• Create REQUEST_CHANGES review for create_pull_request threat-warning mode by @Copilot in #34133
• Bump gh-aw-firewall to v0.25.52 and sync embedded AWF schema by @Copilot in #34114
• Add @app/copilot-swe-agent as a copilot bot alias by @Copilot in #34136

Full Changelog: v0.75.0...v0.75.1

v0.75.0

🌟 Release Highlights

This release brings significant improvements to the gh aw upgrade command, checkout configuration flexibility, safe-output temporary ID support, and Codex engine compatibility, along with major optimizations and quality-of-life enhancements across the workflow system.

✨ What's New

Enhanced Upgrade Command

• gh aw upgrade now properly updates source .md workflow files in addition to actions-lock.json, ensuring consistency between source and compiled artifacts (#33850)

Flexible Checkout Configuration

• Checkout settings (like fetch-depth) now apply to all workflow jobs including safe_outputs, not just the agent job (#33746)

Safe-Output Temporary ID Support

• create_pull_request safe-output tool now correctly registers temporary_id values, enabling cross-reference patterns like #aw_pr1 in workflow outputs (#33853)

Codex Engine Improvements

• Fixed Codex OpenAI proxy authentication by including OPENAI_API_KEY in the AWF sandbox environment (#33833)
• Corrected --model flag placement in Codex lock compiler to appear after the exec subcommand (#33841)

User-Defined OTLP Attributes

• Workflows can now define custom OpenTelemetry attributes with template expansion per workflow phase, improving observability and debugging (#33846)

Cache-Memory Trending Pattern

• Extracted cache-memory trending analysis into a reusable shared component for cross-workflow consistency (#33830)

Enhanced GitHub MCP Wrappers

• Added per_page pagination support to list_workflows and list_labels MCP wrapper tools (#33819)

Action Packaging Support

• Workflows can now package action workflow files (.yml) directly in aw.yml archives (#33660)

⚡ Performance

PR Code Quality Reviewer Optimization

• Reduced token consumption by approximately 290,000 tokens per run through progressive disclosure and smarter context management (#33827)

Regexp Pattern Optimization

• Moved 16 regexp patterns to package-level variables for compilation efficiency (#33694)

Token Accounting Precision

• Corrected ET/ΔET token accounting for cached-input overlap in token_usage.jsonl (#33676)
• Refined token usage attributes for agent job conclusion spans (#33800)

🐛 Bug Fixes & Improvements

Compiler & Runtime

• Fixed provider-info endpoint to use active gateway port instead of hardcoded port 10000 (#33861)
• Compiler now remembers Docker daemon state and skips retries when daemon is unavailable (#33814)
• compile command now properly honors Ctrl+C interruption signals (#33810)
• Prevented SIGPIPE failures in pre-fetch diff step on large PRs (#33779)

Error Handling

• Normalized context cancellation checks to use errors.Is across CLI paths (#33831)
• Consolidated npm-not-available error surface across WASM and non-WASM builds (#33829)

Workflow Features

• Auto-start docs server and gate agent execution on server readiness (#33896)
• Require detection success before running update_cache_memory (#33885)
• Added default 3-day runtime install cooldown with per-runtime opt-out (#33775)

Issue Management

• Issue-monster now prioritizes community-labeled issues first (#33826)
• Doc-healer stops retrying rejected docs-only fix directions from closed unmerged PRs (#33900)

Quality & Testing

• Improved pkg/workflow/compiler_test.go with clearer assertions and missing edge-case coverage (#33897)
• Fixed TypeScript error in effective_tokens.cjs where parseInt received string | undefined (#33756)

Model & Reliability

• Critical GPT-5.1-codex-mini multiplier fix and new model aliases in model-inventory (#33699)
• Aligned forecast Monte Carlo reliability threshold with spec-defined minimum sample size (#33805)

Code Quality

• Replaced bare fmt.Println/Printf with explicit os.Stdout writes across CLI; added CI guard (#33818)
• Extracted create_pull_request helper module and added tests (#33687)
• Improved code clarity in effective_tokens.cjs (#33688)

📚 Documentation

• Consolidated developer specifications into instructions file v9.13 (#33773)
• Updated documentation for features from 2026-05-21 (#33745)
• Synced safe-outputs.md with release v0.74.8 schema (#33730)

🔧 Maintenance

Dependency Updates

• Bumped gh-aw-firewall to v0.25.51 and gh-aw-mcpg to v0.3.17 (#33880)
• Bumped gh-aw-mcpg to v0.3.16 and gh-aw-firewall to v0.25.50 (#33664)
• Updated model alias inventory and ET multiplier registry for 2026-05-21 (#33661)

Cleanup

• Removed deprecated infer field (#33808)
• Removed synthetic pull_request_reviewer event support (#33770)
• Removed Lint Gate job (#33813)
• Demoted strict-mode ecosystem domain guidance from warning to info (#33776)

Code Organization

• Deduplicated workflow expression regex usage across extraction and validation paths (#33716)
• Moved Copilot /reflect fetch into agent prompt in daily-model-inventory workflow (#33674)

Linters & Validation

• Added file-close-not-deferred linter via linter-miner (#33834)
• Updated outcome reporting & OTLP data quality validator (#33706)
• Hardened aw-portfolio-yield finalization and added Sentry OTel fallback (#33739)

A/B Testing

• A/B experiment: sub_agent_strategy for agent-persona-explorer (#33753)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@chrizbo

• Codex OpenAI proxy fails because OPENAI_API_KEY is excluded from AWF sandbox (direct issue)

@corygehr

• create_pull_request safe-output never registers temporary_id — #aw_prN references silently break (direct issue)

@jitran

• Bug: Checkout settings only apply to the agents job of the AW run (direct issue)

@sg650

• gh aw upgrade adds new action version to actions-lock.json but doesn't update the source .md file (direct issue)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 556.1K

---

What's Changed

• feat: support packaging action workflow files (.yml) in aw.yml by @Copilot in #33660
• Update model alias inventory and ET multiplier registry for 2026-05-21 by @Copilot in #33661
• fix(logs): resolve workflow display name when --repo is set and local lock files exist by @Copilot in #33656
• Move Copilot /reflect fetch into agent prompt in daily-model-inventory workflow by @Copilot in #33674
• Correct ET/ΔET token accounting for cached-input overlap in token_usage.jsonl by @Copilot in #33676
• fix(model-inventory): 2026-05-21 — critical gpt-5.1-codex-mini multiplier fix + new aliases by @Copilot in #33699
• [code-simplifier] Improve code clarity in effective_tokens.cjs by @github-actions[bot] in #33688
• fix: add required_field_removals to toolsMeta JSDoc type by @Copilot in #33707
• perf: move regexp patterns to package-level variables (16 violations) by @Copilot in #33694
• chore: update outcome reporting & otlp data quality validator by @mnkiefer in #33706
• [docs] Update documentation for features from 2026-05-21 by @github-actions[bot] in #33745
• [instructions] Sync safe-outputs.md with release v0.74.8 schema by @github-actions[bot] in #33730
• [ab-advisor] A/B experiment: sub_agent_strategy for agent-persona-explorer by @Copilot in #33753
• Harden aw-portfolio-yield finalization and add Sentry OTel fallback by @Copilot in #33739
• Fix TypeScript error: parseInt receiving string | undefined in effective_tokens.cjs by @Copilot in #33756
• Demote strict-mode ecosystem domain guidance from warning to info by @Copilot in #33776
• [docs] Consolidate developer specifications into instructions file (v9.13) by @github-actions[bot] in #33773
• Add default 3-day runtime install cooldown with per-runtime opt-out by @Copilot in #33775
• refactor(create_pull_request): extract helpers module and add tests by @Copilot in #33687
• Remove synthetic pull_request_reviewer event support by @Copilot in #33770
• chore: bump default gh-aw-mcpg to v0.3.16 and gh-aw-firewall to v0.25.50 by @Copilot in #33664
• fix: refine token usage attributes for agent job conclusion spans by @mnkiefer in #33800
• Deduplicate workflow expression regex usage across extraction and validation paths by @Copilot in #33716
• Align forecast Monte Carlo reliability threshold with spec-defined minimum sample size by @Copilot in #33805
• Prevent SIGPIPE failures in Matt Pocock pre-fetch diff step on large PRs by @Copilot in #33779
• Remove Lint Gate job by @Copilot in #33813
• Remove deprecated infer field by @Copilot in ...

v0.74.9

🌟 Release Highlights

This release brings powerful new safe-output controls, enhanced token usage visibility, and important bug fixes including two community-reported issues.

✨ What's New

Safe Output Controls

• Branch protection for PRs - Enforce allowed-branches when creating pull requests to prevent accidental changes to protected branches (#33610)
• Patch size limits - Configure max-patch-size and max-patch-files to control PR complexity and prevent overwhelming reviews (#33650)
• Label and title filters - Add required-labels and required-title-prefix filters to all safe-output operations for better workflow control (#33350)
• Suppress closing comments - Use body-allowed: false with close-discussion and close-issue to prevent duplicate comments (#33639)

Token Usage Visibility

• Per-tool token deltas - Agent logs now show effective token usage per MCP tool call, making it easier to identify expensive operations (#33629)
• Turn-by-turn breakdowns - Step summaries display token usage with ΔET (delta effective tokens) and compounded totals for each turn (#33628)

Quality & Validation

• OTLP data quality validator - New workflow performs end-to-end telemetry integrity checks to ensure observability data is complete and accurate (#33623)
• Runtime triage rules - PR triage agent now reads customer triage rules from .github/triage.md at runtime for flexible, repository-specific triage logic (#33657)
• Regex compilation linter - New regexp-compile-in-function linter catches expensive regex compilation in hot paths (#33608)

🐛 Bug Fixes & Improvements

Bug Fixes

• Fixed workflow_install_note.md ENOENT crash when PRs touch workflow files (#33654)
• Prevented placeholder-only bodies in create_discussion safe-output (#33595)
• Fixed /review command to properly dispatch all pull_request_reviewer workflows (#33562)
• Set proper token budgets and narrowed file-glob patterns in meta-orchestrators to prevent resource exhaustion (#33625)

Improvements

• Contribution-check now offloads report formatting to small-model sub-agents for faster processing (#33655)
• Softened empty MCP RPC telemetry handling in gateway log parsing to reduce noise (#33647)
• Normalized report formatting guidelines across 7 agentic workflows for consistency (#33596)
• Strengthened MCP add integration tests with testify assertions and table-driven coverage (#33626)
• Hardened Agentic Maintenance compile-workflows by removing Docker-only image validation (#33573)

📚 Documentation

• Consolidated error documentation into tables for easier scanning (#33599)
• Enforced consistent short-description punctuation rules across the full CLI command tree (#33627)
• Completed x-deprecation-message coverage for all deprecated schema fields (#33645)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@corygehr

• Bug: workflow_install_note.md ENOENT in safe_outputs when PR touches workflow files (direct issue)
• Add body-allowed: false (or equivalent) to close-discussion and close-issue safe-outputs (direct issue)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 3.4M

---

What's Changed

• Harden Agentic Maintenance compile-workflows by removing Docker-only image validation by @Copilot in #33573
• Normalize report formatting guidelines across 7 agentic workflows by @Copilot in #33596
• [docs] docs: unbloat errors.md by consolidating into tables by @github-actions[bot] in #33599
• feat(safe-outputs): add required-labels/required-title-prefix filters to all operations; standardize merge-pull-request and add-reviewer field names by @Copilot in #33350
• Add OTLP data quality validator workflow for end-to-end telemetry integrity checks by @Copilot in #33623
• [linter-miner] feat(linters): add regexp-compile-in-function linter by @github-actions[bot] in #33608
• fix: dispatch all pull_request_reviewer workflows from /review by @Copilot in #33562
• fix: guard create_discussion against PLACEHOLDER-only bodies by @Copilot in #33595
• Close daily SPDD spec gaps across MCP Scripts, Effective Tokens, Forecast, Frontmatter Hash, and Fuzzy Schedule by @Copilot in #33591
• Strengthen MCP add integration tests with testify assertions, table-driven coverage, and success-path validation by @Copilot in #33626
• Support allowed-branches enforcement for create-pull-request safe output by @Copilot in #33610
• feat(token-usage): per-turn rows with ΔET and compounded ET in step summary by @Copilot in #33628
• Enforce short-description punctuation rules across the full CLI command tree by @Copilot in #33627
• feat: show effective-token delta per MCP tool call in agent log by @Copilot in #33629
• fix: set per-workflow token budgets and narrow file-glob patterns in meta-orchestrators by @Copilot in #33625
• Sync lock files with MinDiscussionBodyLength schema change; confirm formatting guidelines already present by @Copilot in #33646
• Soften empty MCP RPC telemetry handling in gateway log parsing by @Copilot in #33647
• feat: complete x-deprecation-message coverage for all deprecated schema fields by @Copilot in #33645
• feat: PR triage agent reads customer triage rules from .github/triage.md at runtime by @Copilot in #33657
• contribution-check: offload report formatting and comment routing to small-model sub-agents by @Copilot in #33655
• Add body-allowed: false to close-discussion and close-issue safe-outputs by @Copilot in #33639
• fix: resolve workflow_install_note.md ENOENT in safe_outputs job by @Copilot in #33654
• Support max-patch-size / max-patch-files under safe-outputs.create-pull-request by @Copilot in #33650

Full Changelog: v0.74.8...v0.74.9

v0.74.8

🌟 Release Highlights

This release strengthens reliability, developer experience, and observability with daily automated reviews, improved error messages, and enhanced telemetry instrumentation.

✨ What's New

🔍 Daily Reliability Review — A new scheduled workflow automatically detects and reports gh-aw reliability issues using Sentry observability data, querying for failures, timeouts, cancellations, and token truncations. The workflow creates prioritized findings with actionable recommendations, helping maintainers catch issues early. (#33493)

💡 Fuzzy "Did You Mean?" Suggestions — Validation errors now include helpful suggestions when you mistype engine names, events, permissions, or MCP types (e.g., invalid engine: copiliot → Did you mean: copilot?). The feature uses Levenshtein distance matching to catch common typos during compilation. (#33467)

📍 File/Line Context in Validation Errors — Validation errors now show file:line:col: positioning so IDE tooling can jump directly to the problematic field, eliminating manual searches through workflow files. (#33466)

💭 Reasoning Message Rendering — Reasoning content (Claude extended thinking blocks, Codex thinking sections, Copilot reasoning_text) now renders with a distinct ◯ open circle icon and italic styling, making agent thought processes visible and distinguishable from regular output. (#33464)

🐛 Bug Fixes & Improvements

Telemetry Instrumentation — Fixed four critical OTLP gaps: service.version fallback to GITHUB_SHA, gen_ai.response.finish_reasons always emitted, timeouts distinguished from failures, and gen_ai.usage.total_tokens now tracked. (#33528, #33510)

Network Access — Added patch-diff.githubusercontent.com to the GitHub domain ecosystem, allowing workflows using network.allowed: [github] to fetch PR diffs without blocking. (#33543)

Linter Improvements — Enhanced analyzer ergonomics with ctxbackground autofix, consistent test-file handling, and range-based diagnostics for better IDE integration. (#33541)

Code Quality — Resolved 12 lint violations including functions exceeding parameter limits (refactored to options structs), context.Background() calls in functions already receiving ctx, and os.Exit() calls in library packages. (#33452)

📚 Documentation

Developer Specifications — Consolidated developer documentation with 7 tone fixes across 4 spec files, removing marketing language and subjective phrasing. (#33566)

Reference Updates — Added Gemini 3.5 Flash model configuration, documented footer-install template behavior, and specified JSON workflow field mapping for Copilot automation API imports. (#33522)

Glossary Expansion — Daily glossary scan added terms for tools.github.allowed-repos, repository access restrictions, and other workflow configuration options. (#33519)

🔧 Internal

MCP Refactoring — Extracted duplicated MCP wrapper logic into renderDefaultJSONMCPConfig helper, eliminating 10-12 line code blocks across four JSON engines. (#33482)

Chaos Testing — Updated Chaos PR Bundle Fuzzer to allow modifications to tests/chaos/** in safe-output PR creation. (#33553)

Workflow Cleanup — Removed centralized pull_request_reviewer dispatching from agentic_commands.yml, simplifying workflow routing. (#33542)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 3.9M

---

What's Changed

• feat: render reasoning/thinking messages with ◯ icon and italic styling by @Copilot in #33464
• fix: resolve 12 lint violations — excess params, context.Background, os.Exit by @Copilot in #33452
• chore: update otlp.md with xml docs by @mnkiefer in #33468
• feat: add daily reliability review via sentry by @mnkiefer in #33493
• Strengthen shared Sentry prompts for grounded reliability triage by @Copilot in #33499
• fix(otlp): service.version fallback, timeout vs failure, finish_reasons, total_tokens by @Copilot in #33510
• Improve Daily Reliability Review readability with progressive disclosure by @Copilot in #33523
• [spec-enforcer] Enforce specifications for errorutil, syncutil, jsonutil by @github-actions[bot] in #33527
• [docs] Update documentation for features from 2026-05-20 by @github-actions[bot] in #33522
• [docs] Update glossary - daily scan by @github-actions[bot] in #33519
• feat: add file/line context to validation errors by @Copilot in #33466
• [plan] Migrate high-impact validation paths to NewValidationError with actionable YAML guidance by @Copilot in #33491
• refactor: extract renderDefaultJSONMCPConfig to eliminate duplicated MCP wrapper logic by @Copilot in #33482
• fix(otlp): always emit gen_ai.response.finish_reasons; use GITHUB_SHA as service.version fallback by @Copilot in #33528
• Add sub_agent_strategy A/B experiment to smoke-gemini workflow by @Copilot in #33540
• Allow patch-diff.githubusercontent.com in the GitHub domain ecosystem by @Copilot in #33543
• Remove centralized pull_request_reviewer dispatching from agentic_commands.yml by @Copilot in #33542
• Improve linter analyzer ergonomics: ctxbackground autofix, test-file parity, and range diagnostics by @Copilot in #33541
• Allow Chaos PR Bundle Fuzzer to modify tests/chaos/** in safe-output PR creation by @Copilot in #33553
• [docs] Consolidate developer specifications v9.12: 7 tone fixes across 4 files by @github-actions[bot] in #33566
• feat: fuzzy "Did you mean?" suggestions for engine, event, permission, and MCP type typos by @Copilot in #33467
• Update Daily OTel Advisor to use shared Sentry/Grafana OTEL MCP imports by @Copilot in #33570
• [blog] Agent of the Day – 2026-05-20 by @github-actions[bot] in #33568

Full Changelog: v0.74.7...v0.74.8

v0.74.7

🌟 Release Highlights

A focused maintenance release that strengthens workflow activation handling and improves code maintainability.

🐛 Bug Fixes & Improvements

Workflow Activation & Routing

• Fixed pull request review activation - Resolved hybrid routing conflicts where pull_request_review events were incorrectly processed, ensuring reviewer lifecycle events bypass slash-command gating for smoother automated reviews
• Improved reaction handling - The add_reaction safe-output now correctly processes pull_request_review activation events
• Stabilized secret replacement - Eliminated non-deterministic behavior in workflows using shared fallback expressions, making secret handling more reliable

Code Quality

• Simplified schedule parser - Refactored complex functions into focused helpers for better maintainability and readability
• Cleaned up semantic clustering - Deduplicated linter helpers, removed stub files, and improved naming consistency across the codebase

Developer Experience

• Enhanced safe-output guidance - Strengthened anti-probing documentation for add_comment and create_issue to prevent common workflow authoring mistakes

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 2.9M

---

What's Changed

• [community] Update community contributions in README by @github-actions[bot] in #33439
• Fix non-deterministic secret replacement in workflows with shared fallback expressions by @Copilot in #33441
• Bypass slash-command gating for pull_request reviewer lifecycle events by @Copilot in #33447
• [safeoutputs] Strengthen anti-probing guidance for add_comment and create_issue by @Copilot in #33433
• Handle pull_request_review activation reactions in add_reaction by @Copilot in #33449
• [log] Add namespace loggers to three workflow files by @github-actions[bot] in #33453
• Refactor schedule parser long functions into focused helpers by @Copilot in #33448
• [WIP] Fix failing GitHub Actions job JS Tests (shard 2/4) by @Copilot in #33455
• refactor: semantic function clustering — dedup linter helpers, drop stub files, rename outliers by @Copilot in #33434
• Remove pull_request_review from on.pull_request_reviewer hybrid routing by @Copilot in #33461

Full Changelog: v0.74.6...v0.74.7