chore(deps): update github/gh-aw action to v0.57.2

[release-workflows]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
github/gh-aw	action	minor	v0.43.18 → v0.57.2

---

Release Notes

github/gh-aw (github/gh-aw)

v0.57.2

Compare Source

🌟 Release Highlights

This patch release improves agent self-awareness and polishes report readability in built-in reporting workflows.

✨ What's New

• Agent execution context detection — All engine execution steps (Copilot, Claude, Codex, Gemini) now inject three new environment variables: GITHUB_AW=true lets agents detect they're running inside a GitHub Agentic Workflow, GH_AW_PHASE identifies whether it's the main agent run or a detection (threat detection) run, and GH_AW_VERSION exposes the gh-aw compiler version. This enables agents to tag their output, adapt behavior, and integrate with observability tooling. 166 lock files have been recompiled to include these new variables. (#​20382)

🐛 Bug Fixes & Improvements

• Cleaner report formatting with progressive disclosure — The daily-secrets-analysis and copilot-pr-merged-report built-in workflows now use correct header levels (no top-level #/## headings) and wrap verbose sections (e.g., Top 10 Secrets table, Merged PRs table, code generation metrics) in collapsible <details> blocks. Executive summaries and key findings remain always visible, reducing noise for readers scanning long reports. (#​20376)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Normalize report formatting: fix headers and add progressive disclosure in secrets and copilot PR reports by @​Copilot in #​20376
• Add GITHUB_AW, GH_AW_PHASE, and GH_AW_VERSION env vars to agentic engine execution steps by @​Copilot in #​20382

Full Changelog: github/gh-aw@v0.57.1...v0.57.2

v0.57.1

Compare Source

🌟 Release Highlights

This release focuses on reliability and developer experience — fixing schema validation gaps, hardening the upgrade flow, improving failure diagnostics, and expanding cross-repo workflow capabilities.

✨ What's New

• Cross-repo workflow_call runtime imports — Workflows invoked via workflow_call from another repository now correctly check out the callee's .md files at runtime, eliminating ERR_SYSTEM: Runtime import file not found errors in cross-repo reuse scenarios. Includes a secrets: inherit support for reusable workflow call jobs. (#​20301)

• Auto-upgrade on gh aw upgrade — gh aw upgrade now automatically installs the latest extension version before compiling lock files, then relaunches the new binary transparently. Lock files no longer embed a stale version string after upgrading. (#​20300)

• Richer failure issue diagnostics — Agent failure issues now include a universal copy-pasteable debug prompt for any coding agent (Copilot, Claude, Gemini, etc.), plus a new top-level debug.md entry point. A new report-failure-as-issue: false frontmatter option lets you suppress failure issue creation per-workflow. Dedicated 📦 Patch Size Exceeded sections appear when max-patch-size limits are hit. (#​20266, #​20354)

• CLI flag consistency — Four commands gained missing flags to align with the rest of the CLI: gh aw run --json, gh aw audit --repo, gh aw new --engine, and gh aw list --dir. (#​20272)

• Non-agent job concurrency defaults — Non-agent job concurrency groups now default cancel-in-progress: false, preventing accidental cancellation of setup or cleanup jobs during rapid pushes. (#​20224)

🐛 Bug Fixes & Improvements

• max-patch-size schema fix — The tools.repo-memory JSON schema was missing the max-patch-size property, causing schema validation to reject valid frontmatter before compilation could process it. (#​20309)

• pull_request_target as PR context — create_pull_request_review_comment and target: "triggering" now correctly recognize pull_request_target events as valid PR context, fixing Not in pull request context errors. (#​20268)

• gh aw audit no longer crashes on non-zip artifacts — Docker build artifacts and other non-zip formats are now skipped gracefully instead of aborting the entire audit report. (#​20294)

• Improved Docker validation error messages — Docker-related validation failures now surface actionable guidance instead of opaque internal errors. (#​20350)

📚 Documentation

• Staged mode reference page — A dedicated reference/staged-mode page covers enabling staged mode globally or per output type, the 🎭 preview format, per-type support table, and the recommended staged → review → enable adoption pattern. (#​20269)

• Debugging prompts in authoring guides — Self-contained and Copilot-specific debugging prompts have been added to the authoring guides and debug.md to help diagnose workflow failures faster. (#​20349)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @mnkiefer for [research] Overview of docs improver agents (#​19836)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• chore: clarify org permissions in docs by @​mnkiefer in #​20260
• Default cancel-in-progress: false for non-agent job concurrency groups by @​Copilot in #​20224
• [log] Add debug logging to artifact manager, update command, and MCP config utils by @​github-actions[bot] in #​20261
• [code-simplifier] refactor: combine PR expires tests into table-driven test by @​github-actions[bot] in #​20253
• [docs] Self-healing documentation fixes from issue analysis - 2026-03-09 by @​github-actions[bot] in #​20254
• docs: add dedicated staged mode documentation page for safe outputs by @​Copilot in #​20269
• fix(safe-outputs): treat pull_request_target as valid PR context in create_pull_request_review_comment by @​Copilot in #​20268
• Improve failure issue actionability with generic debug prompt and report-failure-as-issue option by @​Copilot in #​20266
• Fix schema/validation mismatch: add "public" to repos enum in guard-policies by @​Copilot in #​20281
• fix: move permission computation to dedicated safe_outputs_permissions.go by @​Copilot in #​20270
• Add missing flags to run, audit, new, and list commands for CLI consistency by @​Copilot in #​20272
• fix(audit): gracefully skip non-zip artifacts instead of crashing by @​Copilot in #​20294
• fix(step-names): standardize "Install dev dependencies" → "Install development dependencies" and "Install uv" → "Setup uv" by @​Copilot in #​20295
• refactor: split safe_outputs_generation.go (1549 lines) into focused modules by @​Copilot in #​20296
• [docs] Update documentation for features from 2026-03-10 by @​github-actions[bot] in #​20306
• fix: auto-upgrade gh-aw extension during gh aw upgrade to prevent stale version in lock files by @​Copilot in #​20300
• Fix: max-patch-size missing from tools.repo-memory JSON schema by @​Copilot in #​20309
• [fp-enhancer] Improve pkg/cli: replace bubble sort, use sliceutil.Map, migrate to slices package by @​github-actions[bot] in #​20323
• [docs] Update glossary - daily scan by @​github-actions[bot] in #​20328
• feat: fix runtime-import in cross-repo workflow_call by detecting callee repository at checkout by @​Copilot in #​20301
• Improve Docker validation error messages to be actionable by @​Copilot in #​20350
• docs: add self-contained and Copilot debugging prompts to authoring guides and debug.md by @​Copilot in #​20349
• fix(daily-code-metrics): increase max-patch-size to prevent push_repo_memory failures by @​Copilot in #​20353
• Add dedicated error messages for max patch size failures in agent failure issues by @​Copilot in #​20354

Full Changelog: github/gh-aw@v0.57.0...v0.57.1

v0.57.0

Compare Source

🌟 Release Highlights

This release delivers a meaningful rename that clarifies the product model, a new concurrency primitive for fan-out workflows, and a focused round of reliability fixes across safe-outputs and developer tooling.

⚠️ Breaking Changes

safe-inputs renamed to mcp-scripts

The safe-inputs frontmatter field has been renamed to mcp-scripts throughout the compiler, schema, documentation, and runtime to better reflect its purpose as a lightweight MCP Script host.

Migration: Run the built-in codemod to update your workflows automatically:

gh aw fix --write safe-inputs-to-mcp-scripts

All documentation, environment variables, log messages, and shared workflows have been updated accordingly. (#​20115)

---

✨ What's New

concurrency.job-discriminator for fan-out workflows

A new job-discriminator field in the concurrency frontmatter block prevents concurrent fan-out runs from cancelling each other. When set, the expression is appended to compiler-generated job-level concurrency groups (agent, output jobs), making each dispatch unique.

# Allow concurrent runs dispatched with different inputs
concurrency:
  job-discriminator: $\{\{ inputs.finding_id }}

# Use run_id for scheduled workflows with no distinguishing input
concurrency:
  job-discriminator: $\{\{ github.run_id }}

This is especially useful for workflows invoked in batch — such as per-repository analysis jobs — where the default static concurrency group would cancel all-but-two concurrent runs. (#​20190)

---

🐛 Bug Fixes & Improvements

Safe-Outputs reliability:

• created_issue_* outputs now emitted correctly — created_issue_number and created_issue_url were silently dropped after a successful create-issue action due to the handler manager never calling the emitter. Workflows gating on these outputs will now work as expected. (#​20130)
• pull_request_target events now recognized as PR context — Safe-output operations using target: "triggering" (e.g., update-pull-request) were silently skipped or failed when triggered via pull_request_target. (#​20198)
• Cross-repo safe-outputs now pass GITHUB_TOKEN to git CLI — Custom token sources are now wired into the GITHUB_TOKEN environment variable for create-pull-request and push-to-pull-request-branch steps involving cross-repo checkouts. (#​19890)

Tooling fixes:

• gh aw health now finds workflow runs — The path field was accidentally dropped from the gh run list query, causing the .lock.yml filter to discard every run and always report "No workflow runs found". (#​20221)
• Firewall analysis no longer inflates blocked counts — Internal Squid error entries (client ::1:, domain -) were being counted as blocked requests. (#​20137)
• Campaign discovery no longer crashes — The campaign workflow step now inlines discovery logic instead of referencing /opt/gh-aw/actions/campaign_discovery.cjs, which is not a built-in module. (#​20109)
• repo-memory no longer fails on repos without a Wiki — The __GH_AW_WIKI_NOTE__ placeholder in repo_memory_prompt.md is now correctly substituted when wiki: true is not set. (#​20236)
• create-pull-request integer expires values now converted correctly — Integer values (e.g., expires: 14) representing days were previously stored as-is instead of being converted to hours. (#​20231)
• Agent failure issues now use cleaner titles — Pre-agent stage denomination removed; failure issues always use the format [aw] (workflow-name) failed. (#​20146)

Engine parity:

• Codex runs now display a rich session preview in the "Parse agent logs" step, matching the output format of Copilot, Claude, and Gemini engines. (#​20199)

No-op runs:

• The auto-created no-op runs issue template now includes a helpful tip explaining how to disable reporting via safe-outputs. (#​20229)

---

📚 Documentation

• Cost management reference guide updated with gh aw logs monitoring section and corrected skip-if-match / skip-if-no-match YAML examples. (#​20128)
• Getting-started MCP guide streamlined by 21% — duplicate content and verbose tables removed. (#​20136)
• Project Operations page updated with improved authentication guidance and visual examples. (#​20165)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [log] Add debug logging to MCP inspection, workflow resolution, and repo memory by @​github-actions[bot] in #​20119
• fix: inline campaign discovery logic in campaign workflow step by @​Copilot in #​20109
• [WIP] Improve cost management reference documentation by @​Copilot in #​20128
• fix(safe-outputs): emit created_issue_* outputs from handler manager by @​Copilot in #​20130
• [instructions] Sync github-agentic-workflows.md with v0.40.1 — document safe-outputs step action outputs by @​github-actions[bot] in #​20134
• [docs] docs: unbloat getting-started-mcp guide by @​github-actions[bot] in #​20136
• Rename safe-inputs to mcp-scripts by @​Copilot in #​20115
• fix: expose GITHUB_TOKEN env var for cross-repo git CLI operations in safe outputs by @​Copilot in #​19890
• Fix firewall analysis inflating blocked count with internal Squid error entries by @​Copilot in #​20137
• [WIP] Fix agent failure issue creation by removing pre-agent denomination by @​Copilot in #​20146
• [jsweep] Clean assign_to_agent.cjs by @​github-actions[bot] in #​20155
• [docs] Update documentation for features from 2026-03-09 by @​github-actions[bot] in #​20159
• chore: update project ops page by @​mnkiefer in #​20165
• [docs] Update glossary - weekly full scan by @​github-actions[bot] in #​20191
• [architecture] Update architecture diagram - 2026-03-09 by @​github-actions[bot] in #​20175
• [specs] Update layout specification - 2026-03-09 by @​github-actions[bot] in #​20170
• fix(safe-outputs): include pull_request_target in PR context detection by @​Copilot in #​20198
• Fix broken anchor links in project-ops docs causing CI build failure by @​Copilot in #​20173
• Show Codex session preview in parse agent log step like other engines by @​Copilot in #​20199
• Add concurrency.job-discriminator to prevent fan-out cancellations in job-level concurrency groups by @​Copilot in #​20190
• Add GFM tip to no-op runs issue template explaining how to disable reporting by @​Copilot in #​20229
• fix: use preprocessExpiresField for create-pull-request integer expires conversion by @​samueltauil in #​20231
• fix: gh aw health always returns "No workflow runs found" by @​Copilot in #​20221
• Fix __GH_AW_WIKI_NOTE__ placeholder not substituted when wiki is disabled by @​Copilot in #​20236

New Contributors

• @​samueltauil made their first contribution in #​20231

Full Changelog: github/gh-aw@v0.56.2...v0.57.0

v0.56.2

Compare Source

🌟 Release Highlights

This release focuses on reliability improvements across protected-file handling, setup CLI pinning, and cross-repo workflows — along with an upgrade to GitHub MCP server v0.32.0 and a new strict allowlist feature for protected-file protection.

✨ What's New

• allowed-files strict allowlist for protected-file PR safe outputs (#​20051) — You can now configure an explicit allowlist of files that are permitted in protected-file PRs. Any file outside the allowlist is blocked, giving teams tighter control over what agents can modify in sensitive branches.

🐛 Bug Fixes & Improvements

• Protected-file fallback-to-issue now works when workflows permission is absent (#​20106) — When an agent patch touches .github/workflows/ files and the GitHub App lacks workflows permission, gh-aw now correctly creates a fallback review issue rather than silently failing.
• Default branch no longer hardcoded to main (#​20099) — create_pull_request and related operations now query the repository's actual default branch, fixing failures in repos using master, develop, or any non-main default.
• add-wizard correctly syncs working tree after PR merge (#​20094) — Switching to the default branch after merging a wizard-created PR ensures workflow files are visible immediately, eliminating "workflow file not found" errors.
• setup-cli action now respects pinned version input (#​20081) — The action verifies the installed version matches the requested version after gh extension install, falling back to a manual binary download if there's a mismatch.
• Safe output handler gracefully handles custom safe output job types (#​20114) — Unknown job types no longer surface as unhandled errors; they are now logged and skipped cleanly.

⚡ Performance

• Compiled regex patterns moved to package-level variables (#​20073, #​20079) — regexp.MustCompile calls across pkg/cli, pkg/workflow, and the expression-validation hot path are now initialized once at startup rather than on every invocation, reducing allocation pressure in high-frequency compilation paths.

🔧 Dependencies & Infrastructure

• GitHub MCP server upgraded to v0.32.0 (#​20100) — Picks up the latest GitHub MCP tooling improvements and bug fixes.

📚 Documentation

• New Cost Management reference page (#​20078) — Added guidance on understanding and controlling the compute costs associated with running agentic workflows.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @dsyme for Change to protected file not correctly using a fallback issue (#​20103)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Add missing scanner.Buffer() calls to prevent silent truncation in gateway_logs.go by @​Copilot in #​20074
• chore: hoist regexp.MustCompile calls to package-level vars across pkg/cli and pkg/workflow by @​Copilot in #​20073
• perf: hoist regexp.MustCompile calls to package-level vars in validateExpressionForDangerousProps by @​Copilot in #​20079
• IMP-003: Move generateCustomJobToolDefinition to safe_outputs_config_generation.go by @​Copilot in #​20080
• docs: add Cost Management reference page by @​Copilot in #​20078
• Fix setup-cli action ignoring pinned version input by @​Copilot in #​20081
• fix: query repo default branch instead of hardcoding 'main' (#​20098) by @​dsyme in #​20099
• [dead-code] chore: remove dead functions — 9 functions removed by @​github-actions[bot] in #​20101
• fix: switch to default branch before pulling after add-wizard PR merge by @​Copilot in #​20094
• fix: create protected-file review issue when push fails due to workflows permission by @​dsyme in #​20106
• Update MCP gateway GitHub guard terminology by @​Claude in #​20096
• Upgrade GitHub MCP server to v0.32.0, recompile workflows by @​Copilot in #​20100
• Add allowed-files strict allowlist for protected-file protection on PR safe outputs by @​Copilot in #​20051
• Fix safe output handler to gracefully ignore custom safe output job types by @​Copilot in #​20114
• [code-simplifier] refactor: simplify generateCustomJobToolDefinition and extractDispatchWorkflowNames by @​github-actions[bot] in #​20107

Full Changelog: github/gh-aw@v0.56.1...v0.56.2

v0.56.1

Compare Source

🌟 Release Highlights

This release focuses on reliability and correctness — fixing several subtle but impactful bugs in sandbox execution, bot identity matching, workflow compilation, and safe-output handling, alongside expanded documentation.

🐛 Bug Fixes & Improvements

• Bot identity canonicalization — on.bots allow-lists now correctly match GitHub App actors regardless of whether they appear as my-app or my-app[bot]. Previously, the exact-string mismatch silently blocked activations. (#​20059)

• AWF sandbox git identity — The first git commit inside an AWF sandbox no longer fails with "Author identity unknown." Host Git identity environment variables are now injected into sandbox execution steps, preserving the caller's author/committer info. (#​20056)

• dispatch-workflow compile-order independence — Workflows that dispatch other workflows in the same compile batch no longer require a specific compilation order. Targets that exist as .md files (without a pre-existing .lock.yml) are now accepted. (#​20057)

• safe-outputs: failures now fail the workflow — When a safe-output handler returns {success: false}, the step now calls core.setFailed() and exits non-zero. Previously, failures were only emitted as warnings and the workflow continued as successful. (#​20055)

• Gateway log truncation fix — Log lines exceeding 64 KB in gateway.jsonl (common with large AI tool call payloads) were silently truncated. Missing scanner.Buffer() calls have been added to prevent this. (#​20074)

• Firewall analysis blocked domain display — The firewall log viewer now correctly shows the destination IP:port for iptables-dropped traffic instead of displaying "-". (#​20016)

📚 Documentation

• Docker-based MCP server configuration — The MCP server reference now covers running gh-aw as an MCP server via Docker, for environments where the gh CLI is not installed locally. (#​20053)

• Workflow status message style guide — A new .github/aw/messages.md establishes consistent conventions for tone and emoji usage in safe-outputs status messages across all workflows. (#​20052)

• Updated feature documentation and permissions reference cleanup. (#​20020, #​20003)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @samuelkahessay for safe-outputs: handler failures never escalated to core.setFailed() (#​20035)
• @strawgate for Agent sandbox git identity missing: first commit fails, then agent self-configures (#​20033)
• @samuelkahessay for dispatch-workflow validation is compile-order dependent (#​20031)
• @samuelkahessay for on.bots matching is exact-string only and fails for (slug) vs (slug)[bot] (#​20030)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [docs] docs: reduce bloat in permissions.md by @​github-actions[bot] in #​20003
• [docs] Update documentation for features from 2026-03-08 by @​github-actions[bot] in #​20020
• Fix firewall analysis showing "-" instead of actual blocked domains for iptables-dropped traffic by @​Copilot in #​20016
• fix: canonicalize bot identifiers so <slug> and <slug>[bot] match in on.bots by @​Copilot in #​20059
• docs: add Docker-based MCP server configuration by @​Copilot in #​20053
• safe-outputs: escalate handler failures to core.setFailed() by @​Copilot in #​20055
• Fix dispatch-workflow validation: accept .md-only targets in same compile batch by @​Copilot in #​20057
• Add workflow status message style guide by @​Copilot in #​20052
• Fix: Inject git identity env vars into AWF sandbox execution steps by @​Copilot in #​20056

Full Changelog: github/gh-aw@v0.56.0...v0.56.1

v0.56.0

Compare Source

🌟 Release Highlights

This release brings meaningful quality-of-life improvements to workflow automation: smarter add-wizard scheduling, better protection for critical files, and a proactive fix for repo-memory size failures — plus a notable security hardening for git authentication.

✨ What's New

• Schedule frequency picker in add-wizard — When adding a scheduled workflow, gh aw add-wizard now prompts you to choose a frequency (hourly, 3-hourly, daily, weekly, monthly, or custom cron). No more being locked to whatever schedule the upstream workflow shipped with. (#​19709)

• Protected-files enforcement in safe outputs — Workflows can now declare protected-files to prevent agents from inadvertently modifying critical files (e.g., AGENTS.md, .github/ configs, runtime manifests). When a push attempts to touch a protected file, safe outputs surfaces a clear remediation message instead of silently failing or overwriting. (#​19958)

• Early size validation for repo-memory — A new push_repo_memory MCP tool validates memory size before pushing, catching oversized payloads early and giving agents a chance to trim content rather than failing at upload time. (#​19977)

• Remote workflow dependencies fetched on gh aw add — When adding a workflow that uses dispatch-workflow dependencies or declares resources, gh aw add now automatically fetches and saves those assets locally. (#​19965)

🐛 Bug Fixes & Improvements

• Security: git credentials no longer written to disk — Git authentication tokens are now passed as environment variables to the fetch subprocess rather than written to .git/config. This closes a window where an attacker monitoring filesystem events (e.g., via inotify) could capture the token. (#​19963)

• Cleaner first-run experience for repo-memory — Suppressed 5 spurious GitHub Actions error annotations that appeared on the first run of push_repo_memory (where git fetch/git pull failing is expected because the memory branch doesn't exist yet). (#​19979)

• Clearer compile command help text — The gh aw compile short description now explicitly states it converts .md files to .lock.yml, removing a common source of confusion for new users. (#​19988)

📚 Documentation

• Streamlined permissions.md reference (~18% shorter) by consolidating duplicate sections, fixing a broken callout, and correcting heading hierarchy — all technical content preserved. (#​20003)

🌍 Community Contributions

A huge thank you to the community members who reported issues resolved in this release:

• @dsyme for repo-memory fails when memory exceeds allowed size (#​19976)
• @dsyme for gh aw add-wizard for scheduled workflow should offer choice of frequencies (#​19708)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• fix: pass git auth via environment variables instead of writing to .git/config by @​Copilot in #​19963
• add-wizard: offer schedule frequency selection for scheduled workflows by @​Copilot in #​19709
• feat(add): fetch dispatch-workflow dependencies and resources when adding remote workflows by @​Copilot in #​19965
• [code-simplifier] refactor: extract shared sanitizeForFilename helper in generate_git_patch.cjs by @​github-actions[bot] in #​19980
• Add protected-files support to runtimes and enforce protected file protection in safe outputs by @​Copilot in #​19958
• fix: suppress spurious error annotations in push_repo_memory for expected git failures by @​Copilot in #​19979
• feat: Add push_repo_memory MCP tool for early size validation by @​Copilot in #​19977
• Improve compile command help text to clarify input/output formats by @​Copilot in #​19988

Full Changelog: github/gh-aw@v0.55.0...v0.56.0

v0.55.0

Compare Source

🌟 Release Highlights

This release sharpens the developer experience with smarter error messages, a more reliable audit command, and automatic strict-mode enforcement for public repositories.

✨ What's New

• Automatic strict mode for public repositories — Lockdown validation now enforces strict: true automatically for public repos, ensuring agentic workflows default to the safest configuration without requiring manual setup. (#​19948)

• "Did you mean?" suggestions for permission typos — When a permission level is mistyped (e.g., rite instead of write), the compiler now surfaces a nearest-match suggestion for nested enum violations, making YAML configuration errors much faster to diagnose. (#​19925)

🐛 Bug Fixes & Improvements

• gh aw audit now surfaces ##[error] annotations from flat log files — The audit command previously left the errors array empty for failed runs when GitHub Actions stored logs in the flat per-job format (workflow-logs/{N}_{job_name}.txt). Error annotations are now correctly extracted regardless of log file layout. (#​19923)

• CLI consistency fixes across 7 commands — A broken documentation URL in the project new command and several medium/low severity inconsistencies surfaced by automated inspection have been resolved. (#​19927)

📚 Documentation

• Environment variables reference updated — Documentation for GITHUB_STEP_SUMMARY support in agent step summaries has been added. (#​19928)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [jsweep] Clean assign_to_user.cjs by @​github-actions[bot] in #​19924
• fix(audit): surface ##[error] annotations from flat GitHub Actions log files by @​Copilot in #​19923
• fix: resolve 7 CLI consistency issues from automated inspection by @​Copilot in #​19927
• [docs] Update documentation for features from 2026-03-07 by @​github-actions[bot] in #​19928
• refactor: implement semantic function clustering improvements across pkg/ by @​Copilot in #​19926
• fix: "Did you mean?" suggestions for nested enum violations (e.g., permission level typos) by @​Copilot in #​19925
• [actions] Update GitHub Actions versions by @​github-actions[bot] in #​19938
• Enforce strict: true for public repositories in lockdown validation by @​Copilot in #​19948

Full Changelog: github/gh-aw@v0.54.0...v0.55.0

v0.54.0

Compare Source

🌟 Release Highlights

This release focuses on expanding workflow capabilities with Agent Package Manager support and broader temporary ID coverage, while hardening security and improving reliability for public repository workflows.

✨ What's New

• Agent Package Manager (APM) support — Workflows can now declare microsoft/apm dependencies directly in frontmatter. The compiler emits a SHA-pinned microsoft/apm-action step to install packages before agent execution, making it easier to manage agent dependencies declaratively.

• Temporary IDs for all project operations — #aw_* temporary IDs are now supported across all project-related safe outputs, enabling cross-references between operations within the same workflow run.

• Engines always use latest versions — Agentic engines (Copilot, Claude Code, Codex, Gemini) now bind to "latest" instead of pinned versions, ensuring workflows automatically benefit from the newest AI capabilities without manual version bumps. CLI versions in this release: Claude Code 2.1.70, Copilot CLI 0.0.422, Codex 0.111.0.

🐛 Bug Fixes & Improvements

• Fixed gh aw add auth failure for public repos — The downloadFileFromGitHubWithDepth function now falls back to git/raw-URL when REST client creation fails with an auth error, resolving failures when adding workflows from public repositories in agentic contexts.

• Security: Go module cache disabled in agentic setup — The actions/setup-go step now runs with cache: false in agentic workflows, closing a potential cache poisoning vector via prompt injection. This mirrors the existing mitigation already in place for Node.js.

📚 Documentation

• Streamlined the SideRepoOps patterns page for better readability.

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Update CLI versions: Claude Code 2.1.70, Copilot CLI 0.0.422, Codex 0.111.0 by @​Copilot in #​19854
• Reclassify 5 minor changesets as major breaking changes by @​Copilot in #​19870
• fix: disable Go module cache in agentic setup actions to prevent cache poisoning by @​Copilot in #​19865
• [dead-code] chore: remove 10 dead functions from analyzer batch run by @​github-actions[bot] in #​19880
• [code-simplifier] refactor: use ExtraWithFields merge in Go go-mod-file setup path by @​github-actions[bot] in #​19884
• Fix gh aw add auth failure for public repos in agentic workflows by @​Copilot in #​19853
• [docs] docs: unbloat SideRepoOps page by @​github-actions[bot] in #​19906
• [docs] Consolidate developer specs: fix 2 tone issues (v3.8) by @​github-actions[bot] in #​19904
• [instructions] Sync github-agentic-workflows.md with v0.40.1 by @​github-actions[bot] in #​19902
• [log] Add debug logging to spinner, import processor, and utility packages by @​github-actions[bot] in #​19894
• Bind all agentic engines to "latest" instead of pinning versions by @​Copilot in #​19882
• chore(deps): bump express-rate-limit from 8.2.1 to 8.3.0 in /.github/workflows in the npm_and_yarn group across 1 directory by @​dependabot[bot] in #​19881
• Allow temporary IDs for all project operations by @​Copilot in #​19573
• Add microsoft/apm dependencies support to frontmatter by @​Copilot in #​19883

Full Changelog: github/gh-aw@v0.53.6...v0.54.0

v0.53.6

Compare Source

🌟 Release Highlights

This is a focused patch release that resolves a long-standing step summary truncation issue affecting all AI engines, alongside a documentation improvement and an internal test reliability fix.

🐛 Bug Fixes & Improvements

• Step summary output expanded to 2000 characters — Agent step summaries were silently truncated at 500 characters. This release increases the limit to 2000 characters and correctly forwards GITHUB_STEP_SUMMARY into the sandbox for all engines (Copilot, Codex, Claude, Gemini), ensuring agents can write meaningful summaries without silent data loss. (#​19821)

📚 Documentation

• Added a PDF download link to the slides documentation page, making it easier to share and reference presentation materials offline. (#​19842)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @danielmeppiel for Step summary truncates agent output at 500 chars with no visible warning (#​19810)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Add PDF download link to slides doc page by @​Copilot in #​19842
• Fix label trigger integration test type assertions for names field by @​Copilot in #​19843
• Fix step summary truncation: forward GITHUB_STEP_SUMMARY into sandbox for all engines, increase text limit to 2000 chars by @​Copilot in #​19821

Full Changelog: github/gh-aw@v0.53.5...v0.53.6

v0.53.5

Compare Source

🌟 Release Highlights

This release focuses on reliability improvements for label-trigger workflows and GitHub App token handling, plus new capabilities for repo memory and the add_comment safe output tool.

✨ What's New

• GitHub Wiki backing for repo-memory — The repo-memory frontmatter now supports a wiki: true flag to use a repository's GitHub Wiki git backend as persistent memory storage, following GitHub Wiki markdown conventions. (#​19800)

• Temporary ID support in add_comment — The add_comment safe output tool now accepts temporary_id, enabling cross-referencing of not-yet-created comments within the same workflow run. (#​19737)

• /ace slash command workflow — A new built-in workflow responds to /ace in PR comments, generates ACE editor session URLs, and posts a reply linking teammates to a collaborative editing session. (#​19741)

🐛 Bug Fixes & Improvements

• Label trigger shorthand now correctly filters by label name — Workflows using on: pull_request labeled my-label were firing on any labeled event due to a Go type mismatch ([]string vs []any). The activation job's if: clause now correctly includes the github.event.label.name condition. (#​19824)

• Label trigger shorthand wires item_number for manual dispatch — The compile

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.