v0.71.1

🌟 Release Highlights

This release focuses on reliability and correctness — fixing several impactful bugs reported by the community, improving agent workflow efficiency, and hardening security boundaries for the Claude engine.

🐛 Bug Fixes & Improvements

• protected-files object form compilation fixed — Workflows using the documented {policy, exclude} object form for protected-files were incorrectly rejected at compile time with expected string or null, got object. The schema now correctly allows the object form alongside the string shorthand. (#28341)

• APM-restored skills no longer clobbered in pull_request runs — Skills installed by pre-agent-steps (e.g. from .github/skills/) were silently overwritten because the "Restore agent config folders" step executed after pre-agent-steps. The step ordering is now correct for pull_request triggers. (#28290)

• push_to_pull_request_branch patch size now uses incremental diff — On long-running branches, max_patch_size was measured against the full cumulative diff from the default branch rather than the net change since the last push. Each iteration now measures only the incremental git diff against the PR branch head, preventing spurious size-limit rejections. (#28198)

• design-decision-gate reliability — Raised max-turns from 15 → 20 and added git ls-remote:* to allowed tools. The workflow was exhausting all turns on copilot/* PRs before completing useful work. An explicit MCP fallback table ensures the agent switches to GitHub MCP tools when pre-fetched context files are unavailable. (#28353)

• jsweep workflow no longer runs to 60 turns — Added explicit exit criteria after PR creation. Previously the agent kept calling create_pull_request in a loop consuming 4.64M tokens/run. (#28322)

• audit/audit-diff MCP tools now return structured JSON consistently — These tools were setting IsError: true on failure and routing output to stderr, unlike logs and compile which always return structured JSON. Behaviour is now consistent. (#28291)

• Model update in github-remote-mcp-auth-test — Replaced the unavailable gpt-5.1-codex-mini model with gpt-5.4-mini, fixing 3+ days of consecutive workflow failures. (#28321)

• MCP Gateway v0.2.30 compatibility — The mempalace shared config now includes the required container field on stdio server entries, fixing daily-fact workflow failures after the gateway schema tightened. (#28288)

✨ What's New

• Hippo memory vector embeddings — New hippo-embed maintenance workflow generates vector embeddings for all Hippo memories (previously <1% were embedded, making semantic recall nearly non-functional). The daily-hippo-learn workflow now runs hippo embed on every cycle to keep the index current. (#28178)

• Claude bypassPermissions tool enforcement documented and hardened — When Claude Code runs in bypassPermissions mode (triggered by unrestricted bash access), --allowed-tools is silently ignored. The MCP gateway allowed: filter is now the documented sole effective tool boundary in this mode, with implementation notes added to prevent regressions. (#28174)

⚡ Performance

• docs-noob-tester token usage reduced ~70% — Server setup (npm install, Astro dev server startup, readiness polling, bridge IP detection) now runs in pre-agent-steps before the agent starts, saving ~700K–1M tokens/run. Timeout reduced from 45 → 30 minutes. (#28343)

📚 Documentation

• Docs table wrapping on tablet screens — Markdown tables on 641px–768px viewports were silently clipped without horizontal scroll. A new rehype plugin wraps tables in a scrollable container. (#28280)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@edgeq

• [Bug] protected-files object form fails compilation despite being documented (direct issue)

@mrjf

• push_to_pull_request_branch should compute patch size relative to PR branch head, not checkout base (direct issue)

@theletterf

• PR-context workflows still lose APM-restored skills after v0.71.0 (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.4M

---

What's Changed

• fix: sync Hard Turn Budget in design-decision-gate prompt to match max-turns: 15 by @Copilot in #28173
• fix(otel): emit agent sub-span for cancelled workflow runs by @Copilot in #28172
• feat: add hippo-embed workflow + recurring embed step to daily-hippo-learn by @Copilot in #28178
• Normalize report formatting guidelines across 5 reporting workflows by @Copilot in #28186
• docs: document Claude bypassPermissions/--allowed-tools security boundary by @Copilot in #28174
• build(deps): Bump fast-xml-parser from 5.5.9 to 5.7.1 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #28189
• [docs] docs: remove duplicated code block and redundant paragraph in concurrency reference by @github-actions[bot] in #28194
• fix: disallow --name flag when adding multiple workflows at once by @Copilot in #28195
• chore: bump CLI tool versions (Claude Code, Copilot, Codex, MCP Server, MCP Gateway) + fix comment memory rendering + fix Claude install by @Copilot in #28200
• Update docs sidebar and streamline references by @dsyme in #28223
• [architecture] Update architecture diagram - 2026-04-24 by @github-actions[bot] in #28227
• chore(deps): update golang.org/x/vuln v1.2.0 → v1.3.0 by @Copilot in #28232
• [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #28257
• rename: FormatReference → FormatPinnedActionReference, notifyResolutionFailure → recordPinResolutionFailure in pkg/actionpins by @Copilot in #28246
• [docs] dev.md v7.0 maintenance tone scan (2026-04-24) by @github-actions[bot] in #28244
• deps: bump github.com/charmbracelet/x/exp/golden to v0.0.0-20260422141420-a6cbdff8a7e2 by @Copilot in #28231
• Fix push_to_pull_request_branch patch size to use incremental net diff by @Copilot in #28198
• [jsweep] Clean create_labels.cjs and add comprehensive tests by @github-actions[bot] in #28210
• refactor: move outlier functions to their semantic homes by @Copilot in #28282
• docs: add build-time table scroll wrapper as no-JS fallback by @Copilot in #28280
• Add update_pull_request_branches maintenance operation with dedicated workflow job by @Copilot in #28108
• fix(codemod): preserve source pin when migrating tools.serena by @Copilot in #28286
• fix(spec-enforcer): add explicit noop branch when all tests are already up-to-date by @Copilot in #28289
• fix(mcp): audit/audit-diff return graceful JSON errors instead of IsError=true by @Copilot in #28291
• fix: migrate mempalace MCP server to HTTP transport for MCP Gateway v0.2.30 by @Copilot in #28288
• fix(skill-optimizer): pre-flight stash, higher limits, targeted eval tasks by @Copilot in #28292
• Suggest tools.github.mode: gh-proxy when api.github.com is firewall-blocked by @Copilot in #28293
• Add push trigger on repository default branch for .github/workflows/*.md to agentic maintenance workflow generator by @Copilot in #28295
• fix: move base-folder restore before pre-agent-steps so APM-restored skills survive PR context by @Copilot in #28290
• fix: resolve 4 CLI help text inconsistencies (secrets bootstrap, trial, logs, validate) by @Copilot in #28306
• build(deps): Bump postcss from 8.5.8 to 8.5.10 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #28312
• fix: add render_template.cjs and is_truthy.cjs to SAFE_OUTPUTS_FILES by @Copilot in #28331
• Fix copilot-pr-prompt-analysis: ad...

v0.71.0

🌟 Release Highlights

This release focuses on reliability improvements: fixing critical runtime issues for Copilot threat-detection workflows, enhancing observability for cancelled runs, and shoring up Claude engine compatibility.

✨ What's New

• Setup Node.js now included in threat-detection jobs (#28160): The detection job for the Copilot engine now correctly emits a Setup Node.js step before invoking copilot_driver.cjs, eliminating the node: command not found error that affected threat-detection workflows.

• OTLP tracing for cancelled runs (#28172): Cancelled workflow runs now emit a proper gh-aw.agent.agent sub-span in OpenTelemetry traces, giving you full duration visibility even when a run is manually cancelled before agent_output.json is written.

• Claude engine: bypassPermissions → acceptEdits (#28047): Replaces the deprecated bypassPermissions flag with acceptEdits and corrects missing MCP server tool entries in --allowed-tools, keeping Claude-powered workflows fully functional with the latest SDK.

🐛 Bug Fixes & Improvements

• Design-decision-gate turn budget corrected (#28173): The in-prompt "Hard Turn Budget" comment now matches the max-turns: 15 frontmatter value, preventing agents from self-terminating prematurely.
• Auto-triage model pin updated (#28152): Replaced the unsupported gpt-4.1-mini model pin in auto-triage-issues.md so the workflow runs without errors.
• CLI help text consistency (#28139): Addressed five inconsistencies in CLI help text for a more polished experience.
• Documentation UI fix (#28146): Resolved a 1px header navigation gap at the iPad 768px breakpoint.

🔧 Internal

• Migrated 24 workflows from daily-audit-discussion + reporting to the unified daily-audit-base template (#28151).
• Refactored the 387-line validateWorkflowData function into 4 focused validators (#28145).

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@romainh-betclic

• Threat-detection job omits Setup Node.js but launches copilot_driver.cjs via node → 'node: command not found' (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 818.1K

---

What's Changed

• chore: disable threat-detection for release.md and recompile by @Copilot in #28138
• fix: address 5 CLI help text consistency issues by @Copilot in #28139
• fix: update TestMCPGatewayVersionFromFrontmatter to resolve pinned container image by @Copilot in #28144
• [copilot-token-optimizer] Architecture Guardian: reduce 47-turn analysis via bash pre-step consolidation by @Copilot in #28141
• Fix 1px header nav gap at iPad 768px breakpoint by @Copilot in #28146
• fix(claude): replace bypassPermissions with acceptEdits and fix missing MCP server tools in --allowed-tools by @Copilot in #28047
• Migrate 24 workflows from daily-audit-discussion + reporting to daily-audit-base by @Copilot in #28151
• fix: replace unsupported gpt-4.1-mini model pin in auto-triage-issues workflow by @Copilot in #28152
• [log] add debug logging to 5 pkg files by @github-actions[bot] in #28169
• refactor: decompose 387-line validateWorkflowData into 4 focused validators by @Copilot in #28145
• [ubuntu-image] research: update Ubuntu runner image analysis to 20260413.86.1 by @github-actions[bot] in #28171
• fix(workflow): emit Setup Node.js in detection job for Copilot engine by @Copilot in #28160

Full Changelog: v0.70.0...v0.71.0

v0.70.0

🌟 Release Highlights

This release delivers a wave of community-driven bug fixes alongside significant new features: multi-repo workflow support, advanced credential supply patterns, comment-memory improvements, security hardening, and a new merge-pull-request safe output.

✨ What's New

• on.needs for credential supply jobs — Workflows can now declare on.needs to express dependencies on custom pre_activation/activation jobs, enabling GitHub App credentials to be sourced from upstream job outputs. This unblocks advanced credential-supply patterns that were previously impossible.

• Multi-repo (side-repo) push_to_pull_request_branch — push_to_pull_request_branch now correctly handles multi-repo checkout patterns by scoping all git operations to the target repository's working directory.

• merge-pull-request safe output — Workflows can now merge pull requests directly as a safe output operation.

• Sticky comments — The add_comment safe output now supports sticky (upsert) comments that update in place across runs.

• Configurable fallback labels for create_pull_request — When a PR cannot be created due to branch protection, the fallback issue can now be tagged with custom labels, making it easier to triage and route those issues.

• Container image digest pinning — All built-in container images are now pinned by digest in compiled lock files, ensuring reproducible and tamper-resistant workflow executions.

• add_comment routes to PR review threads — On pull_request_review_comment triggers, add_comment now replies directly in the review thread rather than posting at PR level.

• gh-proxy mode — The GitHub CLI proxy feature is now configured via tools.github.mode: gh-proxy, providing a cleaner and more discoverable API.

• BYOK Copilot defaults — Established sensible defaults for Bring-Your-Own-Key Copilot configurations; the deprecated byok-copilot flag is now flagged for removal.

• MCP-as-CLI progress messages — MCP tools can now emit progress messages on stderr for better real-time visibility during long-running operations.

• Multiple agent assignments per issue — Agents can now be assigned to the same issue multiple times, enabling multi-repo workflows where a single issue drives work across several repositories.

🐛 Bug Fixes & Improvements

• Fixed action pin regression — gh aw compile once again pins all actions to their commit SHA hashes (regression introduced in v0.68.3).
• Fixed push_to_pull_request_branch commit link — The tracking comment now correctly links to the actual pushed commit SHA instead of the pre-push HEAD.
• Fixed macOS case-colliding artifact extraction — gh run download no longer aborts when an artifact contains case-colliding filenames (e.g., MEMORY.md and memory.md) on macOS.
• Fixed allowed-base-branches compile validation — gh aw compile no longer incorrectly reports safe-outputs.create-pull-request.allowed-base-branches as an unknown field.
• Fixed update-project GitHub App permissions — The update-project safe output now includes the required issues: read permission when using a GitHub App token.
• Fixed list_commits filtering on feature branches — Own commits are no longer incorrectly filtered out when listing commits on a feature branch.
• Fixed firewall cleanup permissions — The generated cleanup step now includes the correct chmod for the firewall/audit log directory.
• Fixed PR-context base-branch restore — The base-branch restore step no longer overwrites APM-restored .github/skills before the Copilot agent starts.
• Fixed add_comment disclosure template lookup in comment-memory safe outputs.
• XPIA security hardening — Multiple fixes to close steganographic channels in sanitization paths; disable-xpia-prompt is now rejected at compile time in strict mode.

📚 Documentation

• Self-healing documentation fixes: tools.github.mode gh-proxy documented.
• Protected files defaults updated: .githooks/, .husky/, and DESIGN.md are now protected by default.
• Developer docs consolidation and glossary improvements.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@ahmadabdalla

• list_commits on a feature branch: my own commits get filtered out (direct issue)

@bbonafed

• on.github-app credentials cannot be sourced from a custom job's outputs (jobs.{pre_activation,activation}.pre-steps splicing/needs bugs + missing on.needs API) (direct issue)

@camposbrunocampos

• Assign to agent seems to be limited for 1 assignment per issue, I would like to extend it to multiple assignments so agent can work on multiple repos. (direct issue)

@h3y6e

• update-project safe output missing issues: read when using github-app (direct issue)

@JasonYeMSFT

• 0.68.3 gh aw compile no longer pin actions to commit hash (direct issue)

@jtracey93

• Question: How do I run an agentic workflow for issue triage on issues created prior to the agentic workflow existing? (direct issue)

@microsasa

• Feature request: merge-pull-request safe-output (direct issue)
• Feature request: pin container images by digest in compiled lock files (direct issue)

@shiran-gutsy

• Support configurable labels for create_pull_request fallback issues (direct issue)

@strawgate

• Support sticky comments (direct issue)

@theletterf

• PR-context base-branch restore overwrites APM-restored .github/skills before Copilot starts (direct issue)

@tsm-harmoney

• gh aw compile reports allowed-base-branches as unknown for safe-outputs.create-pull-reques (direct issue)

@yskopets

• bug: push-to-pull-request-branch tracking comment links to wrong commit SHA (direct issue)
• gh run download fails on macOS when artifact contains both MEMORY.md and memory.md (direct issue)
• push_to_pull_request_branch does not support multi-repo (side-repo) checkout pattern (direct issue)
• add_comment: reply to pull_request_review_comment in the review thread, not at PR level (direct issue)

@zkoppert

• Generated cleanup step missing chmod for firewall/audit directory (direct issue)

⚠️ Attribution Candidates Need Review

The following community issues were closed during this release window but could not be automatically linked to a specific merged PR. Please verify whether they should be credited:

• @viktoriyabogdanova for [aw-failures] Workflow timing out at 40min — MCP get_file_contents 37–71s per call, LLM turns 4–10min — closed 2026-04-22, no confirmed PR linkage found (closed as NOT_PLANNED)
• @samuelkahessay for Feature request: force-rerun semantic for workflow_dispatch against the same bound issue — closed 2026-04-23, no confirmed PR linkage found (closed as NOT_PLANNED)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.1M

---

What's Changed

• Fix smoke-ci safe_outputs failure on schedule-triggered runs by @Copilot in #27705
• [safe-output-integrator] Add missing safe-output test workflows and compiler tests by @github-actions[bot] in #27709
• Standardize USE-001 error codes in comment_memory and merge_pull_request safe-output handlers by @Copilot in #27701
• Enforce SEC-005 allowlist validation for cross-repo comment-memory setup by @Copilot in #27702
• Codex: inject openai-proxy provider in generated config when API proxy is enabled by @Copilot in #27711
• Refactor cli-proxy feature into tools.github.mode (gh-proxy) with codemod migration by @Copilot in #27707
• Update OpenCode/Crush universal LLM consumer backend handling by @Copilot in #27708
• Fix nosprintfhostport lint in codex_engine_test by @Copilot in #27734
• Bump default MCP gateway to v0.2.30 and AWF firewall to v0.25.28 by @Copilot in #27722
• Ignore link_sub_issue failure when already linked to same parent by @Copilot in #27735
• Emit OTEL error signals for cancelled conclusions and success-with-errors runs by @Copilot in #27739
• ci: include runner-guard in cgo security-scan matrix by @Copilot in #27745
• [docs] docs: unbloat footers.md — remove redundant sections by @github-actions[bot] in ...

v0.69.3

What's Changed

• fix(cli): remove duplicate checkmark in upgrade extension output by @Copilot in #27669
• fix: force extension upgrade for pinned gh-aw installs by @Copilot in #27679
• Add vulnerability-alerts as GITHUB_TOKEN permission scope by @salmanmkc in #27668
• Fix Integration “Workflow Misc Part 2” failures by removing deprecated network.firewall test fixtures by @Copilot in #27676
• [log] Add debug logging to safe-outputs config parsers and maintenance conditions by @github-actions[bot] in #27690
• Add supersede-older-reviews for PR reviews and shift guidance to COMMENT-first defaults by @Copilot in #27662
• [actions] Update GitHub Actions versions - 2026-04-21 by @github-actions[bot] in #27680
• Add smoke-ci coverage for cache/repo memory and update safe outputs by @Copilot in #27683
• Use hash-based stale lock validation guidance in Workflow Health Manager by @Copilot in #27696

Full Changelog: v0.69.2...v0.69.3

v0.69.2

🌟 Release Highlights

This release delivers a major new memory primitive for agentic workflows, tightens URL sanitization for agent inputs, and removes the long-deprecated network.firewall frontmatter key — with a one-command migration path.

⚠️ Breaking Changes

network.firewall frontmatter key removed — this field was previously deprecated; it is now rejected by the compiler. Migrate automatically using the built-in codemod:

gh aw fix --write

The codemod rewrites network.firewall: true → sandbox.agent: awf, network.firewall: false → sandbox.agent: false, and preserves version overrides. See #27626 for details.

✨ What's New

• comment_memory safe output (#27479) — Agents can now persist structured memory directly in a managed issue or PR comment. Memory files are materialized under /tmp/gh-aw/comment-memory/ before the agent runs, edited in-place by the agent, and automatically synced back to GitHub at the end of the workflow. This enables stateful agents that accumulate context across multiple runs without external storage.

• sandbox.agent.version support (#27626) — Pin the AWF sandbox version your workflow uses via sandbox.agent.version in frontmatter. Useful for staged rollouts and reproducibility testing.

🐛 Bug Fixes & Improvements

• URL sanitization fix (#27639) — The compute_text activation step was stripping all non-GitHub URLs from issue/PR/discussion bodies before the agent could read them, even when those domains were explicitly listed in network.allowed or safe-outputs.allowed-domains. URLs from workflow-configured allow-lists are now preserved in agent input, consistent with output-side sanitization behavior.

• MCP context overflow guard (#27657) — list_code_scanning_alerts calls in bundled workflows now enforce state: open and severity: critical,high filters to prevent 145K+ character payloads from overflowing agent context windows.

• AI Moderator Codex auth fix (#27656) — Corrected auth token precedence and allowed the required Codex domain for the AI Moderator workflow.

• Workflow Tools & MCP fixes (#27645) — Resolved integration failures triggered by the network.firewall deprecation in tooling and MCP-enabled workflows.

• comment-memory permission hardening (#27642) — Fixed permission regressions introduced by the comment-memory feature and migrated config to the tools block.

• Removed noisy MCP startup notices (#27617) — MCP server startup log lines no longer emit GitHub Actions notice annotations.

📚 Documentation

• Gemini quick-start & engine chooser (#27658) — Gemini is now included in quick-start prerequisites (including GEMINI_API_KEY setup), and a new "Which engine should I choose?" section in reference/engines helps users pick the right engine for their use case.

• CLI help alignment (#27622) — CLI reference docs for run, compile, logs, remove, fix, and validate are now synchronized with actual command output.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@corygehr

• compute_text step strips all non-GitHub URLs from issue/PR/discussion bodies before the agent sees them (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.3M

---

What's Changed

• Fix Workflow Features integration test fixture to align with current network schema by @Copilot in #27643
• Pass workflow allowed domains into activation compute_text sanitization by @Copilot in #27639
• Update smoke-ci to use comment-memory and write a haiku by @Copilot in #27640
• Harden safe_outputs permission tests by scoping assertions to job section by @Copilot in #27644
• Fix Workflow Tools & MCP integration failures after network.firewall deprecation by @Copilot in #27645
• docs: add Gemini quick-start coverage and engine selection guidance by @Copilot in #27658
• Guard list_code_scanning_alerts workflow usage to prevent MCP context overflow by @Copilot in #27657
• Fix comment-memory permission regressions, migrate config to tools, and exercise PR safe outputs in smoke-ci by @Copilot in #27642

Full Changelog: v0.69.1...v0.69.2

v0.69.1

🌟 Release Highlights

This release delivers significant improvements to workflow security, SHA pinning reliability, and safe-outputs extensibility — making agentic workflows more robust, auditable, and flexible out of the box.

✨ What's New

sandbox.agent.version — Pin the AWF version per workflow
You can now specify an exact AWF version override directly in your workflow frontmatter with sandbox.agent.version. This gives you fine-grained control over which agent version executes your workflow, and the compiler automatically migrates deprecated network.firewall settings to the modern sandbox.agent API. Learn more

safe-outputs.needs — Custom credential-supply job dependencies
Workflows that mint GitHub App tokens or fetch custom credentials in a separate job can now declare that job as an upstream dependency of safe_outputs using the new safe-outputs.needs field. This unblocks needs.<custom_job>.outputs.* references in safe-outputs handlers and eliminates actionlint failures caused by undeclared job dependencies. Learn more

safe-outputs:
  needs: [secrets_fetcher]
  github-app:
    app-id: $\{\{ needs.secrets_fetcher.outputs.app_id }}
    private-key: $\{\{ needs.secrets_fetcher.outputs.app_private_key }}

Hardened gh aw add SHA pinning — no more silent fallbacks
gh aw add now fails loudly when ref→SHA resolution fails instead of silently falling back to an unpinned @ref. Transient failures (rate limits, timeouts) are retried with exponential backoff before erroring. Pinned action-ref enforcement is now the default at compile/validate time, with a new --allow-action-refs flag to downgrade to warnings. Lock files also gain a resolution_failures section in the manifest for auditing unresolved pins.

🐛 Bug Fixes & Improvements

• Codex MCP gateway — Fixed startup failures caused by config.toml self-copy when CODEX_HOME pointed to the same directory as the MCP config source.
• create_issue concurrency — Eliminated a race condition where concurrent safe-output handler calls could both pass the max-issue-count check; slot reservation is now synchronized before the first await.

📚 Documentation

• CLI reference (docs/src/content/docs/setup/cli.md) corrected to accurately reflect --repeat semantics and complete option lists for compile, logs, remove, fix, and validate commands.
• Docs site improvements: high-contrast accessibility support, explicit logo dimensions for layout stability, and lazy-loading hints for video embeds.

A huge thank you to the community members who reported issues that were resolved in this release!

@bbonafed

• Allow extending safe_outputs.needs from frontmatter for custom credential-supply jobs (direct issue)

@verkyyi

• gh aw add: silent fallback to @ref when SHA resolution fails produces asymmetric .md/.lock.yml that fails ERR_CONFIG at runtime (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.8M

---

What's Changed

• [actions] Update GitHub Actions versions - 2026-04-20 by @github-actions[bot] in #27428
• Disable threat-detection phase in copilot-token-optimizer by @Copilot in #27426
• Align safe-jobs env setup step naming with Safe Outputs terminology by @Copilot in #27420
• Harden gh aw add SHA pinning, enforce .md/.lock.yml frontmatter hash parity, require pinned action refs by default, and audit pin-resolution failures by @Copilot in #27419
• fix: add CODEX_HOME env var to MCP gateway step for Codex engine workflows by @lpcox in #27457
• SEC-004 conformance: sanitize close-issue comment body and add explicit handler exemptions by @Copilot in #27448
• Align CLI/workflow package specs with actual public surface by @Copilot in #27461
• Fix Codex smoke gateway auth by syncing converted config into writable CODEX_HOME by @Copilot in #27418
• [safe-output-integrator] Add missing merge-pull-request safe-output test workflow and compiler test by @github-actions[bot] in #27456
• Document OpenCode/Crush MCP, permission, and API-routing gotchas in troubleshooting guide by @Copilot in #27451
• Fail loudly when preserve-branch-name collides with existing remote branch by @Copilot in #27458
• Add experimental OpenCode engine support, smoke workflow, and reassign LLM gateway ports by @Copilot in #27466
• Design Decision Gate: raise ADR-path turn budget from 5 to 10 by @Copilot in #27477
• Add configurable agentic engine driver script support by @Copilot in #27453
• Error on unknown single-word ecosystem identifiers in network.allowed by @Copilot in #27475
• Support extending safe_outputs dependencies via safe-outputs.needs by @Copilot in #27476
• [workflow-style] Normalize report formatting guidance across reporting workflows by @Copilot in #27481
• [docs] docs: reduce bloat in common-issues.md by 22% by @github-actions[bot] in #27483
• Bump default AWF firewall to v0.25.26, merge main, and recompile lock outputs by @Copilot in #27478
• Remove imports.apm-packages from workflow schema and schema-driven docs by @Copilot in #27493
• [jsweep] Clean messages_staged.cjs by @github-actions[bot] in #27487
• Emit agent output metrics on OTLP conclusion spans for all outcomes by @Copilot in #27495
• Add cadence clarification prompt for scheduled workflow trigger selection by @Copilot in #27505
• Document bash allowlist decision rule for trusted vs untrusted workflow inputs by @Copilot in #27506
• Raise Design Decision Gate turn cap to prevent false-failure on successful ADR runs by @Copilot in #27514
• [docs] Update Astro dependencies - 2026-04-21 by @github-actions[bot] in #27543
• [docs] Update documentation for features from 2026-04-21 by @github-actions[bot] in #27542
• [instructions] Sync github-agentic-workflows.md with v0.68.3 by @github-actions[bot] in #27541
• [spec-enforcer] Enforce specifications for actionpins, agentdrain, cli by @github-actions[bot] in #27539
• [spec-extractor] Update package specifications for gitutil, logger, stringutil, timeutil by @github-actions[bot] in #27536
• [docs] Update glossary - daily scan 2026-04-21 by @github-actions[bot] in #27535
• [docs] Consolidate developer docs v6.7: document OTLP agent output metrics by @github-actions[bot] in #27549
• build(deps-dev): Bump typescript from 6.0.2 to 6.0.3 in /actions/setup/js by @dependabot[bot] in #27532
• build(deps-dev): Bump @types/node from 25.5.2 to 25.6.0 in /actions/setup/js by @dependabot[bot] in #27530
• [architecture] Update architecture diagram - 2026-04-21 by @github-actions[bot] in #27521
• build(deps-dev): Bump prettier from 3.8.2 to 3.8.3 in /actions/setup/js by @dependabot[bot] in #27528
• build(deps-dev): Bump @actions/github from 9.0.0 to 9.1.0 in /actions/setup/js by @dependabot[bot] in #27526
• build(deps-dev): Bump vite from 8.0.8 to 8.0.9 in /actions/setup/js by @dependabot[bot] in #27525
• [dead-code] chore: remove dead functions — 4 functions removed by @github-actions[bot] in #27567
• Docs: address multi-device accessibility/layout warnings (contrast, logo sizing, video loading) by @Copilot in #27583
• [code-simplifier] Simplify OTLP error extraction in send_otlp_span.cjs (#27495) by @github-actions[bot] in #27507
• Harden create_issue concurrency limits and remove dead copilot assignment queue code by @Copilot in #27533
• Prevent Codex MCP gateway startup failures from config.toml self-copy by @Copilot in #27582
• Refactor sanitizer APIs to separate artifact identifiers from code identifiers by @Copilot in #27584
• [fp-enhancer] Improve pkg/actionpins: extract pure helpers, eliminate duplicate init by @github-actions[bot] in #27523
• Fix lint-go and test failures in actionpins and cli specs by @Copilot in #27608
• Refactor log parser shared...

v0.69.0

🌟 Release Highlights

v0.69.0 delivers significant safe-output workflow improvements — team reviewers, dynamic branch configuration, and update-branch support — plus the new Crush AI engine and a wave of community-reported bug fixes improving MCP reliability, secret redaction, and token reporting.

✨ What's New

🤖 Crush Engine Replaces OpenCode
The OpenCode engine has been retired and replaced with Crush across all runtime paths. Update your workflows with engine: crush to use the new engine. Learn more

👥 Team Reviewer Support for Safe Outputs
create-pull-request and add-reviewer safe outputs now support team reviewers in addition to individual users — resolving a long-requested community feature. Learn more

🌿 Dynamic Base Branch for create_pull_request
Workflows can now specify a per-run base branch via policy-gated configuration. The patch generator also correctly honors the configured base_branch instead of defaulting to the triggering repo's default branch.

🔄 Update-Branch Support in update-pull-request
Safe-output update-pull-request now supports the update-branch operation, enabling workflows to keep pull requests up to date with their base branch automatically.

↩️ Redirect Support for Workflow Updates
Workflow update operations now support a --no-redirect flag and safe-update approval checks, giving you more control over automated workflow changes.

🔀 Fallback PR Flow for Diverged Branches
When push-to-pull-request-branch diverges, the workflow now automatically falls back to an alternative PR flow. Opt-out is available for workflows that prefer the previous strict behavior.

📦 latex Network Ecosystem Group
A new latex network ecosystem identifier is available for workflows that need to fetch LaTeX packages during agentic runs. Learn more

⬆️ gh aw upgrade Improvements

• New --pre-releases flag to opt into pre-release versions
• Fixed duplicate success symbol display
• Extended rename+retry workaround to Windows

🏷️ LOW_QUALITY Comment Minimization
Safe outputs now support LOW_QUALITY as a valid comment minimization reason, expanding control over comment visibility on noisy threads.

🐛 Bug Fixes & Improvements

• Fixed MCP stdout corruption — gh aw mcp-server no longer writes diagnostic banners to stdout, preventing JSON-RPC stream poisoning (community report by @edburns)
• Fixed duplicate Token Usage section in agent summaries when MCP Gateway content was present (community report by @Daidanny008)
• Eliminated secret-redaction EACCES warnings — Redact secrets in logs no longer fails on MCP log files owned by another user (community report by @yskopets)
• Fixed pre-steps outputs unavailable to safe_outputs/conclusion/activation jobs that mint GitHub App tokens (community report by @bbonafed)
• Fixed markdown fence balancer corrupting sequential code blocks
• Fixed false-positive role assertion match in single-string test patterns (community report by @jeffhandley)
• Cap native action updates at the running CLI version to prevent over-upgrading
• Fixed missing state-reason field in close-issue JSON schema
• Added --allow-host-ports to AWF command for MCP gateway port 8080

🔒 Security

• SEC-005 allowlist validation now enforced for workflow_dispatch target repo overrides
• New gh aw fix codemods available for strict-mode secret leaks in step run and engine.env

📚 Documentation

• FAQ entry clarifying slash-command trigger noise and LabelOps mitigation
• CLI help text and engine documentation aligned with latest behavior

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bbonafed

• pre-steps outputs unavailable to safe_outputs/conclusion/activation jobs that mint GitHub App tokens (direct issue)

@Calidus

• Safe-output patch generator uses triggering repo's default branch instead of configured base_branch (direct issue)

@Daidanny008

• Extra Token-Usage Section Rendered in Agent Summary (direct issue)

@edburns

• 🐳 MCP Fail Whale: gh aw mcp-server writes diagnostic banners to stdout, poisoning the JSON-RPC stream (direct issue)

@IEvangelist

• Feature request: dynamic/per-run base branch for create_pull_request safe output (direct issue)

@jeffhandley

• Likely false-positive match on single-string role test assert (direct issue)

@jsoref

• Types of parameters 'options' and 'encoding' are incompatible. -- Type 'string' is not assignable to type 'WriteFileOptions | undefined'. (direct issue)

@seangibeault

• Safe outputs create-pull-request / add-reviewer don't support team reviewers (spec says they should) (direct issue)

@tinytelly

• triggering unwanted actions (direct issue)

@yskopets

• Refactor *.cjs scripts to support SideRepoOps pattern natively (direct issue)
• agent: "Redact secrets in logs" step emits 3 warnings — EACCES permission denied on MCP log files (direct issue)

⚠️ Attribution Candidates Need Review

The following community issues were closed during this period but could not be automatically linked to a specific merged PR. Please verify whether they should be credited:

• @Ray961123 for Question: Why do some GitHub Actions steps intermittently have no logs (data-log-url) after completion? — closed 2026-04-19, closed as NOT_PLANNED, no confirmed PR linkage found

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.6M

---

What's Changed

• test: tighten single-role GH_AW_REQUIRED_ROLES assertion (fixes #26799) by @Copilot in #26804
• Add daily Claude workflow for cross-repo gh-aw compilation compatibility checks by @Copilot in #26802
• Replace archived OpenCode engine with Crush across runtime, compiler, and workflow assets by @Copilot in #26819
• fix: prevent markdown fence balancer from corrupting sequential code blocks by @dsyme in #26785
• [architecture] Update architecture diagram - 2026-04-17 by @github-actions[bot] in #26831
• [jsweep] Clean resolve_mentions_from_payload.cjs by @github-actions[bot] in #26809
• [docs] Update glossary - daily scan by @github-actions[bot] in #26840
• [spec-extractor] Update package specifications for constants, cli (run 1) by @github-actions[bot] in #26841
• [spec-enforcer] Enforce specifications for timeutil, logger, constants by @github-actions[bot] in #26842
• [docs] Update documentation for features from 2026-04-17 by @github-actions[bot] in #26845
• [docs] docs: consolidation v6.3 — tone fixes and package structure update by @github-actions[bot] in #26851
• [docs] Self-healing documentation fix: update FAQ engine list - 2026-04-17 by @github-actions[bot] in #26872
• deps: bump bubbletea v2.0.5 → v2.0.6 for wide-char rendering fix by @Copilot in #26838
• fix: cap gh-aw native action updates at the running CLI version by @Copilot in #26827
• [aw-compat] Downgrade strict missing-permission failures for default GitHub toolsets to warnings by @Copilot in #26816
• Refactor MCP gateway converters to shared pipeline and thin engine adapters by @Copilot in #26858
• ci: compile gh-aw-marketplace workflows in CI by @Copilot in #26888
• Bump default CLI/tool versions (Claude, Copilot, Codex, GitHub MCP) and recompile lockfiles by @Copilot in #26810
• docs: clarify BYOK and MCP registry enforcement behavior by @Copilot in #26900
• Refactor activation job builder to eliminate function/file size architecture violations by @Copilot in #26879
• Reduce token overhead in Daily Compiler Quality workflow by @Copilot in #26907
• Add redirect support for updates with --no-redirect and safe-update approval checks by @Copilot in #26903
• [WIP] Fix failing GitHub Actions workflow lint-go by @Copilot in #26912
• Fix CI js typecheck errors in gateway config conversion scripts by @Copilot in #26913
• Add team reviewer support to create-pull-request an...

v0.68.7

🌟 Release Highlights

This release delivers targeted bug fixes and internal reliability improvements, including a community-reported fix for on.roles configuration handling and a Codex runtime stability fix.

🐛 Bug Fixes & Improvements

• on.roles Single-String Support (#26789) — The compiler now accepts a single role string (e.g., roles: write) in addition to an array. Previously, using a string instead of an array produced a misleading compiler error with no clear guidance.
• Codex AWF Chroot Fix (#26787) — Fixed Codex agent failures in chroot environments by relocating runtime state to writable /tmp. Codex workflows on restricted filesystems should now run reliably.
• Failure Investigator Improvements (#26795) — Reduced issue churn in the aw-failure-investigator workflow by prioritizing closure and reusing parent issue tracking across runs.
• Firewall Update (#26798) — Default firewall version bumped to v0.25.23 with regenerated compiled artifacts.

✨ What's New

• Cross-Repo Compilation Compatibility Checks (#26802) — A new daily Claude workflow automatically discovers repositories using gh-aw, runs compilation checks against the latest build, and surfaces compatibility issues before they affect users.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@jeffhandley

• Misleading compiler error when 'roles' is set to a string instead of an array (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.3M

---

What's Changed

• Reduce aw-failure-investigator issue churn by prioritizing closure and reusing parent tracking by @Copilot in #26795
• Allow on.roles single-string role values (not just all) by @Copilot in #26789
• Fix Codex AWF chroot failures by moving Codex runtime state to writable /tmp by @Copilot in #26787
• chore: bump default firewall version to v0.25.23 and regenerate compiled artifacts by @Copilot in #26798

Full Changelog: v0.68.6...v0.68.7

v0.68.6

🌟 Release Highlights

This release brings a major new AI engine, significant security hardening, and a wave of reliability fixes — many of them driven directly by community-reported issues.

✨ What's New

• OpenCode engine support — A new engine: opencode option integrates OpenCode as a first-class AI coding agent in your agentic workflows, joining Copilot, Claude, and Codex.

• engine.bare mode — Set engine.bare: true on any workflow to skip loading AGENTS.md context. Ideal for non-code workflows (triage, reporting, ops) where the repository code context is irrelevant and you want a clean, fast agent start.

• Pre-agent steps — A new pre-agent-steps frontmatter field lets you run custom GitHub Actions steps before the AI agent starts. Use this for authentication, environment setup, or any prerequisite work. Learn more

• Idle custom agent wiring — Idle custom agents are now automatically matched and connected to their corresponding workflows, reducing manual configuration for long-running agent sessions.

• Detection caution alerts in all footers — When threat detection identifies issues in a workflow run, a mandatory caution alert is now included in every generated footer (issues, PR descriptions, comments, and more), ensuring reviewers are always informed.

• Cache-memory working-tree sanitization — Before an agent run begins, the working tree is now sanitized to remove planted executables and disallowed files from cached memory. This prevents a class of supply-chain-style attacks via stale cache. Learn more

🐛 Bug Fixes & Improvements

• MCP gateway Docker socket access — Fixed two related bugs: the Docker socket GID is now pre-computed (not evaluated inside a non-shell spawn() call), and the --group-add flag is correctly passed to the MCP gateway container — ensuring Docker-in-Docker tools work reliably inside the sandbox.

• BYOK Copilot model fallback — Fixed an issue where COPILOT_MODEL could be set to an empty string in compiled workflows when using Bring Your Own Key (BYOK) Copilot configurations, causing unexpected model selection.

• Gemini proxy handler — Fixed GEMINI_API_BASE_URL routing issues: the AWF proxy now correctly handles Gemini API requests, resolving API proxy enabled but no API keys found errors for both gemini-cli and the Gemini engine.

• Duplicate action SHA conflict — Fixed a compilation error where two different actions could resolve to the same commit SHA after a gh aw update, causing "two different actions share the exact same commit SHA" failures.

• PR head branch handling — Gracefully handles deleted PR head branches in push_to_pull_request_branch (checked both before fetch and after push failure).

• Scheduled Copilot run hardening — Scheduled Copilot runs are now resilient to transient exit-code-2 startup failures.

• PR reaction activation permissions — Fixed incorrect permission derivation for workflows triggered by pull request reactions.

• MCP gateway health check retry — The port 80 health check now retries on transient container startup delays instead of failing immediately.

• AWF firewall updated to v0.25.22 and MCP gateway updated to v0.2.22.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@arthurfvives

• Gemini engine fails with AWF proxy: GEMINI_API_BASE_URL points to proxy but proxy has no Gemini handler (direct issue)

@bmerkle

• problem after gh aw update: Two different actions share the exact same commit SHA (direct issue)

@bryanchen-d

• MCP Gateway: port 80 health check fails with no retry on transient container startup delay (direct issue)

@dkurepa

• Enabling workflow-wide Docker-in-Docker configuration breaks gh aw workflows (direct issue)

@doughgle

• Gemini CLI Failed: API proxy enabled but no API keys found in environment (direct issue)

@jaroslawgajewski

• bug: Copilot CLI 1.0.21 added a startup model validation step: when COPILOT_MODEL is set (direct issue)

@yskopets

• bug: GOROOT not propagated into agent container despite --env-all and spec §8.5 (direct issue)

---

For complete details, see CHANGELOG.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• ae832fb list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• cc2e417 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release · ● 1.5M

---

What's Changed

• Improve docs mobile table readability and homepage video accessibility metadata by @Copilot in #26660
• Add support for pre-agent-steps before agent execution by @Copilot in #26666
• Fix redact_secrets gateway-token tests after MCP config path refactor by @Copilot in #26681
• Add mandatory caution alert to all generated footers when detection finds issues by @Copilot in #26684
• Stabilize daily Copilot merged-PR report by switching to bounded pre-fetched filtering by @Copilot in #26680
• Align JavaScript MCP scripts log renderer with Copilot output style by @Copilot in #26692
• Add 6-hour [aw] failure investigation workflow by @Copilot in #26694
• Fix lint-go failure from testifylint violations in spec tests by @Copilot in #26686
• Fix CaptureStderr restoration timing in testutil to resolve CI unit test failure by @Copilot in #26687
• Fix audit tool type undercount for Copilot MCP-only runs by @Copilot in #26689
• Scope activation reactions like status-comment targets and compute activation permissions from both target sets by @Copilot in #26693
• docs: clarify MCP gateway API key is leaked by design by @Copilot in #26695
• Add features.awf-diagnostic-logs to enable AWF failure diagnostics artifact collection by @Copilot in #26699
• Allow configuring conclusion failure issue expiration via aw.json by @Copilot in #26688
• Reduce Workflow Skill Extractor token overhead by removing unused tools and pre-indexing workflows by @Copilot in #26682
• Harden MCP Gateway startup health check against transient port-binding delays by @Copilot in #26697
• Fix JS workflow typecheck failure in MCP scripts log parser by @Copilot in #26703
• Always enable Copilot integration ID and remove feature flag gating by @Copilot in #26698
• Increase mcp-cli usage to 80% of agentic workflows by @Copilot in #26715
• Fix DIFC proxy shell integration test to use step-scoped proxy environment by @Copilot in #26704
• Handle deleted PR head branches in push_to_pull_request_branch before fetch and after push failures by @Copilot in #26705
• Fix activation permissions for pull request reactions by @Copilot in #26720
• Harden scheduled Copilot runs against transient exit-code-2 startup failures by @Copilot in #26713
• [log] Add debug logging to 5 Go files by @github-actions[bot] in #26738
• [ubuntu-image] docs: update Ubuntu runner image analysis for 2026-04-16 by @github-actions[bot] in #26741
• Use sort.Strings in GetAllScriptFilenames and add focused ordering tests by @Copilot in #26731
• Use declaration-site blank identifiers in workflow validation paths by @Copilot in #26730
• Enable strict mode and sanitized PR title in refiner input-triggered workflow by @Copilot in #26744
• Fix setup-span staging attribution when aw_info is unavailable by @Copilot in #26742
• Enable engine.bare f...

v0.68.5

🌟 Release Highlights

This release delivers two new workflow customization features, a significant security hardening for cache-memory workflows, and resolves four community-reported issues around permissions, safe-outputs protection, and GitHub App token deprecation.

✨ What's New

• pre-agent-steps frontmatter field — Inject custom steps immediately before the agent engine runs. Supports imports and merge semantics, giving you fine-grained control over pre-execution setup without forking shared workflows. (#26666)

• MCP config relocated to .github/mcp.json — The MCP configuration file now lives at .github/mcp.json (previously .mcp.json at the repository root), aligning with standard GitHub configuration conventions. The init flow creates the new path automatically; existing .mcp.json files will need to be migrated. (#26665)

• shared/reporting-otlp.md import bundle — A new composite import combines shared/reporting.md and shared/observability-otlp.md into a single import, reducing boilerplate in telemetry-enabled reporting workflows. (#26655)

• cache-memory working-tree sanitization — Cached working trees are now sanitized before agent execution to neutralize planted executables and disallowed files, hardening workflows that persist state across runs. (#26587)

🐛 Bug Fixes & Improvements

• Environment-level secrets now work correctly — The environment: frontmatter field now properly propagates to the activation job, preventing false secret-validation failures for environment-scoped secrets. (#26650)

• Activation-job permissions are now narrowly scoped — Compiled workflows no longer request broader permissions (e.g. discussions:write, pull-requests:write) than the workflow actually requires; permissions are now derived from the actual trigger events. (#26535)

• GitHub App token input migrated to client-id — Resolves the app-id deprecation warning. Includes schema-level compatibility and an automatic codemod to migrate existing workflows. (#26551)

• safe-outputs protected file manifests aligned for Claude engine — The activation-job config and handler config now use consistent protected_files/protected_path_prefixes for Claude engine workflows, fixing a mismatch that could cause safe-output failures. (#26550)

• BYOK Copilot model fallback fixed — Prevents an empty COPILOT_MODEL variable in compiled BYOK workflows. (#26566)

• Auto-Triage pre-agent auth failure resolved — Fixes no-op failed runs caused by an authentication failure before the agent step. (#26572)

• CLI Version Checker false positives eliminated — The version checker no longer reports failures when safe outputs were already produced in a prior step. (#26570)

• Security: @mention injection in create_issue body neutralized — Sanitizes @mentions in issue bodies to close a cross-workflow prompt-injection gap. (#26589)

• Security: steganographic injection via markdown link titles neutralized (#26596)

• MCP Gateway updated to v0.2.21 (#26678)

📚 Documentation

• Improved mobile table readability across the docs site — table columns now expose data-label attributes for card-layout rendering on small screens. Homepage videos gained descriptive accessibility metadata. (#26660)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@AlexDeMichieli

• environment: frontmatter does not propagate to activation job — environment-level secrets fail validation (direct issue)

@corygehr

• app-id deprecation warning — migrate to client-id in GitHub App token generation (direct issue)

@deyaaeldeen

• Compiled lock file requests broader permissions than workflow needs (discussions:write, pull-requests:write) (direct issue)

@lupinthe14th

• safe-outputs: activation config and handler config have different protected_files/protected_path_prefixes for Claude engine workflows (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.7M

---

What's Changed

• Scope activation-job permissions to actual trigger events and add status-comment discussions/issues/pull-requests toggles by @Copilot in #26535
• Migrate GitHub App token input to client-id, add schema-level compatibility, and provide codemod migration by @Copilot in #26551
• safe-outputs: align activation protected manifests with handler config for engine-specific files by @Copilot in #26550
• Generate poutine untrusted_checkout_exec suppression for workflow_call save-base steps by @Copilot in #26552
• Fix Auto-Triage Issues pre-agent auth failure that caused no-op failed runs by @Copilot in #26572
• Refactor MCP validation into focused sub-validators by @Copilot in #26573
• Prevent false CLI Version Checker failures when safe outputs were already produced by @Copilot in #26570
• Refactor dispatch workflow validation by extracting file-resolution utilities by @Copilot in #26574
• fix: sanitize @mentions in create_issue body to close XPIA gap by @Copilot in #26589
• [docs] Consolidate developer specs - tone fixes v6.2 (2026-04-16) by @github-actions[bot] in #26612
• [instructions] Sync github-agentic-workflows.md with v0.68.3 by @github-actions[bot] in #26607
• [docs] Update documentation for features from 2026-04-16 by @github-actions[bot] in #26605
• [spec-enforcer] Enforce specifications for stats, styles, testutil by @github-actions[bot] in #26601
• [spec-extractor] Update package specifications for agentdrain, fileutil, gitutil, tty by @github-actions[bot] in #26600
• [fp-enhancer] refactor(actionpins): precompile SHA regex and extract findCompatiblePin helper by @github-actions[bot] in #26597
• [architecture] Update architecture diagram - 2026-04-16 by @github-actions[bot] in #26591
• Split template injection validator by responsibility by @Copilot in #26580
• Refactor workflow tool validation by separating GitHub-specific logic from core tools validation by @Copilot in #26579
• Refactor safe-outputs max validation into dedicated module to enforce validator file size limit by @Copilot in #26581
• fix(sanitize): neutralize markdown link title text to close steganographic injection channel by @Copilot in #26596
• Ensure activation secret validation is skipped when top-level environment is configured by @Copilot in #26650
• Fix BYOK Copilot model fallback to avoid empty COPILOT_MODEL in compiled workflows by @Copilot in #26566
• Refactor daily audit import stack into shared daily-audit-base component by @Copilot in #26654
• Rename GetActionPinWithData to ResolveActionPin in pkg/actionpins by @Copilot in #26657
• Refactor workflow imports: add shared/reporting-otlp.md bundle and migrate dual-import workflows by @Copilot in #26655
• cache-memory: add pre-agent working-tree sanitization to neutralize planted executables and disallowed files by @Copilot in #26587
• Configure Architecture Guardian thresholds via repository-level .architecture.yml by @Copilot in #26664
• chore: bump DefaultMCPGatewayVersion to v0.2.21 by @lpcox in #26678
• Move MCP config from .mcp.json to .github/mcp.json by @Copilot in #26665

Full Changelog: v0.68.4...v0.68.5