From c8a73706bf3135acc5359a8af8bd06dbf60efa0b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 13 Apr 2026 13:21:43 +0000 Subject: [PATCH] docs: add weekly blog post for April 13, 2026 Covers releases v0.67.2 through v0.68.1 (April 6-10), notable merged PRs, and features auto-triage-issues as Agent of the Week. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../docs/blog/2026-04-13-weekly-update.md | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 docs/src/content/docs/blog/2026-04-13-weekly-update.md diff --git a/docs/src/content/docs/blog/2026-04-13-weekly-update.md b/docs/src/content/docs/blog/2026-04-13-weekly-update.md new file mode 100644 index 00000000000..527fb2c0122 --- /dev/null +++ b/docs/src/content/docs/blog/2026-04-13-weekly-update.md @@ -0,0 +1,69 @@ +--- +title: "Weekly Update – April 13, 2026" +description: "Five releases this week: engine.bare context control, a critical Copilot CLI hotfix, cross-job distributed tracing, and a wave of security hardening." +authors: + - copilot +date: 2026-04-13 +--- + +It was a busy week in [github/gh-aw](https://github.com/github/gh-aw) — five releases shipped between April 6 and April 10, addressing everything from a critical Copilot CLI reliability crisis to shiny new workflow composition features. Here's the full rundown. + +## Release Highlights + +### [v0.68.1](https://github.com/github/gh-aw/releases/tag/v0.68.1) — April 10 + +The headline of this patch is a **critical Copilot CLI reliability hotfix**. Workflows using the Copilot engine were hanging indefinitely or producing zero-byte output due to an incompatibility introduced in v1.0.22 of the Copilot CLI. [v0.68.1](https://github.com/github/gh-aw/releases/tag/v0.68.1) pins the CLI back to v1.0.21 — the last confirmed-working version — and gets everyone's workflows running again ([#25689](https://github.com/github/gh-aw/pull/25689)). + +Beyond the hotfix, this release also ships: + +- **`engine.bare` frontmatter field** ([#25661](https://github.com/github/gh-aw/pull/25661)): Set `bare: true` to suppress automatic context loading — `AGENTS.md` and user instructions for Copilot, `CLAUDE.md` memory files for Claude. Great when you want the AI to start from a clean slate. +- **Improved stale lock file diagnostics** ([#25571](https://github.com/github/gh-aw/pull/25571)): When the activation job detects a stale hash, it now emits step-by-step `[hash-debug]` log lines and opens an actionable issue guiding you to fix it. +- **`actions/github-script` upgraded to v9** ([#25553](https://github.com/github/gh-aw/pull/25553)): Scripts now get `getOctokit` as a built-in context parameter, removing the need for manual `@actions/github` imports in safe-output handlers. +- **Squash-merge fallback in `gh aw add`** ([#25609](https://github.com/github/gh-aw/pull/25609)): If a repo disallows merge commits, the setup PR now automatically falls back to squash merge instead of failing. +- **Security: `agent-stdio.log` permissions hardened** — Log files are now pre-created with `0600` permissions before `tee` writes, preventing world-readable exposure of MCP gateway bearer tokens. + +### [v0.68.0](https://github.com/github/gh-aw/releases/tag/v0.68.0) — April 10 + +This release brings [distributed tracing](https://github.com/github/gh-aw/releases/tag/v0.68.0) improvements and a cleaner comment API: + +- **OpenTelemetry cross-job trace hierarchy** ([#25540](https://github.com/github/gh-aw/pull/25540)): Parent span IDs now propagate through `aw_context` across jobs, giving you end-to-end distributed trace visibility for multi-job workflows in backends like Tempo, Honeycomb, and Datadog. +- **Simplified discussion comment API** ([#25532](https://github.com/github/gh-aw/pull/25532)): The deprecated `add-comment.discussion` boolean has been removed in favor of the clearer `discussions: true/false` syntax. Run `gh aw fix --write` to migrate existing workflows. +- **Security: heredoc content validation** ([#25510](https://github.com/github/gh-aw/pull/25510)): `ValidateHeredocContent` checks now cover five user-controlled heredoc insertion sites, closing a class of potential injection vectors. + +### [v0.67.4](https://github.com/github/gh-aw/releases/tag/v0.67.4) — April 9 + +This one led with **five new agentic workflow templates**: [approach-validator](https://github.com/github/gh-aw/pull/25354), [test-quality-sentinel](https://github.com/github/gh-aw/pull/25353), [refactoring-cadence](https://github.com/github/gh-aw/pull/25352), [architecture-guardian](https://github.com/github/gh-aw/pull/25334), and [design-decision-gate](https://github.com/github/gh-aw/pull/25323). These expand the built-in library for code quality, ADR enforcement, and architectural governance. The release also included Copilot driver retry logic and a `--runner-guard` compilation flag. + +### [v0.67.3](https://github.com/github/gh-aw/releases/tag/v0.67.3) — April 8 + +The star of this release is the new **`pre-steps` frontmatter field** — inject steps that run _before_ checkout and the agent inside the same job. This is the recommended pattern for token-minting actions (e.g., `actions/create-github-app-token`, `octo-sts`) that need to check out external repos. Because the minted token stays in the same job, it never gets masked when crossing a job boundary. Also shipped: `${{ github.aw.import-inputs.* }}` expression support in the `imports:` section, and `assignees` support on `create-pull-request` fallback issues. + +### [v0.67.2](https://github.com/github/gh-aw/releases/tag/v0.67.2) — April 6 + +Reliability-focused: cross-repo workflow hash checks, checkout tokens no longer silently dropped on newer runners, `curl`/`wget` flag-bearing invocations now allowed in `network.allowed` workflows, and a `timeout-minutes` schema cap at 360. + +## Notable Merged Pull Requests + +Beyond the releases, the past week also delivered: + +- **[#25923](https://github.com/github/gh-aw/pull/25923)**: Image artifacts can now be uploaded without zip archiving using `skip-archive: true`, and the resulting artifact URLs are surfaced as outputs — enabling workflows to embed images directly in Markdown comments. +- **[#25908](https://github.com/github/gh-aw/pull/25908)**: A new scheduled `cleanup-cache-memory` job was added to the agentics maintenance workflow to prune outdated cache-memory entries automatically (and can be triggered on demand). +- **[#25914](https://github.com/github/gh-aw/pull/25914) + [#25972](https://github.com/github/gh-aw/pull/25972)**: OTel exception span events now emit `exception.type` alongside `exception.message` and individual error attributes are queryable — no more digging through pipe-delimited strings in Grafana. +- **[#25960](https://github.com/github/gh-aw/pull/25960)**: Fixed a sneaky bug where `push_repo_memory` would run on every bot-triggered no-op because `always()` bypassed skip propagation. +- **[#25971](https://github.com/github/gh-aw/pull/25971)**: Raw subprocess output from `gh aw compile --validate` is now sanitized before being embedded into issue bodies, closing a Markdown injection vector. + +## 🤖 Agent of the Week: auto-triage-issues + +The quiet backbone of issue hygiene — reads every new issue and applies the right labels so the right people see it. + +This week `auto-triage-issues` proved it's doing its job almost too well. In the scheduled run on April 13, it scanned all open issues and found exactly **zero** unlabeled issues — reporting a 100% label coverage rate with zero action required. It had already handled the labeling in near-real-time as issues arrived, including one run on April 12 where it correctly tagged a freshly opened issue with `enhancement`, `mcp`, `compiler`, and `security` in a single pass. Four labels, zero hesitation. + +That "security" label is doing a lot of work — the workflow spotted MCP and compiler concerns that genuinely deserved the tag, not just keyword-matched on it. We'll take it. + +💡 **Usage tip**: Pair `auto-triage-issues` with label-based notification rules so your team gets automatically paged for `security` or `critical` issues without anyone having to babysit the issue tracker. + +→ [View the workflow on GitHub](https://github.com/github/gh-aw/blob/main/.github/workflows/auto-triage-issues.md) + +## Try It Out + +Update to [v0.68.1](https://github.com/github/gh-aw/releases/tag/v0.68.1) today to get the Copilot CLI hotfix and the new `engine.bare` control. As always, contributions and feedback are welcome in [github/gh-aw](https://github.com/github/gh-aw).