v0.79.5

🌟 Release Highlights

This release focuses on AI cost visibility and control: the legacy “effective tokens” metric is now called AI Credits across all surfaces, threat detection gets a configurable cost cap, and the add-wizard gains smarter Copilot org billing guidance. Several reliability improvements round out the release.

✨ What’s New

• AI Credits Terminology — “Effective tokens” is now AI Credits (AIC) throughout the UI and workflow metrics, providing clearer cost reporting aligned with the primary billing metric. (#38481)

• Threat Detection Cost Cap — safe-outputs.threat-detection now supports a max-ai-credits field (default: 400) with runtime override, giving you independent budget control over security-scan runs. Learn more (#38456)

• Smarter Copilot Org Billing Setup — gh aw add-wizard now asks Copilot users whether they want to use copilot-requests (org billing via Actions token, no PAT required) or a traditional PAT, simplifying enterprise onboarding. (#38449)

• AI Metrics in Failure Comments — Agent failure issue comments now include AI credit metrics from detection jobs, making cost attribution transparent even when runs fail. (#38453)

🐛 Bug Fixes & Improvements

• Fixed false secret validation warnings for Copilot org billing mode — no more spurious warnings when secrets are correctly configured. (#38459)

• Improved safe-outputs error surfacing — comment_memory now fails (instead of silently skipping) in non-PR contexts, and add_comment hard-fails on unrecognized message targets. (#38447)

• Fixed Docker Hub dependency in safe-outputs — Safe-outputs no longer pulls node:lts-alpine from Docker Hub, restoring reliability for environments with restricted container registries. (#38452)

• Fixed push_to_pull_request_branch — Branch derivation now always uses the PR’s actual head ref, resolving incorrect branch targeting. (#37863)

• Fixed numeric telemetry — gh-aw.aic is now always emitted as a numeric value for agent/detection spans, ensuring consistent OpenTelemetry ingestion. (#38432)

📚 Documentation

• Automated self-healing documentation fixes applied from issue analysis. (#38464)

Generated by 🚀 Release · 95.1 AIC · ⊞ 28.8K

---

What's Changed

• fix: always emit gh-aw.aic as numeric for agent/detection spans by @Copilot in #38432
• Update .github/aw guidance for frontier-model cost architecture (triage, context pull, bounded sub-agents) by @Copilot in #38429
• [caveman] Optimize instruction verbosity — network, pr-reviewer, report, reuse, workflow-health (2026-06-10) by @github-actions[bot] in #38440
• Creating integration tests for gh aw mcp server by @Copilot in #38448
• Fix #37835: always derive push_to_pull_request_branch from PR head ref by @dsyme in #37863
• fix: safe outputs — comment_memory fails instead of skips in non-PR context; add_comment hard-fails on unrecognized message target by @Copilot in #38447
• Include detection job AI metrics in agent failure issue comment footer by @Copilot in #38453
• Fix secret validation false warnings for copilot org billing mode by @Copilot in #38459
• fix: stop pulling node:lts-alpine for safe-outputs (Docker Hub unreachable) by @Copilot in #38452
• feat: add-wizard prompts Copilot users to choose copilot-requests (org billing) vs PAT by @Copilot in #38449
• [docs] Self-healing documentation fixes from issue analysis - 2026-06-11 by @github-actions[bot] in #38464
• Add threat-detection max-ai-credits with 400 default and runtime override by @Copilot in #38456
• Bump gh-aw-firewall to v0.27.1 by @Copilot in #38480
• Replace "effective tokens" with "AI Credits" in user-facing text by @Copilot in #38481
• [community] Update community contributions in README by @github-actions[bot] in #38493

Full Changelog: v0.79.4...v0.79.5