v0.82.1
Pre-release🌟 Release Highlights
v0.82.1 focuses on a major dashboard overhaul, new workflow authoring primitives, expanded static analysis coverage, and reliability fixes across the compiler and runtime.
⚠️ Behavioral Change: sandbox.agent.sudo Defaults to false
The global default for sandbox.agent.sudo has changed from true to false (network isolation / rootless mode). Workflows that relied on elevated sandbox access must now explicitly set sandbox.agent.sudo: true. This aligns the default with the recommended security posture.
✨ What's New
-
Frontmatter
skillssupport — Workflows can now declare SHA-pinned skills directly in frontmatter. At activation time,gh awautomatically installs them viagh skill installand wires them into the engine. Learn more (#42426, #42543) -
Model policy controls — New
models.allowedandmodels.disallowedfrontmatter fields let you restrict which AI models a workflow can use, with environment-variable overrides for flexibility. (#41824) -
ARC/DinD rootless topology —
runner.topology: arc-dindis now a first-class frontmatter option, enabling GitHub ARC runners with Docker-in-Docker rootless execution. (#42371) -
brandingfield inaw.yml— Package manifests can now include a GitHub Actionsbrandingblock without failing schema validation. (#42454) -
Per-model Copilot SDK
wireApi— Updated for Copilot SDK v1.0.4's multi-provider BYOK registry, where transport behavior can vary by model. (#42497)
🖥️ Dashboard Overhaul
The agentic workflows dashboard received extensive polish this release:
- TypeScript migration — Backend modules migrated from ESM
.mjsto strict TypeScript, eliminating allanytypes and narrowingunknown(#42321, #42353) - Bundled into single artifacts — Alpine.js and Node.js code are now bundled into self-contained
app.js— no external CDN dependencies (#42300, #42352) - Skeleton loaders & spinners — Loading states are now visually communicated while runs and definitions fetch (#42345)
- Cross-session log caching — Downloaded logs are cached in a shared user-level directory, reducing redundant fetches (#42349)
- Compact single-line rows — Definitions and Runs lists now render in tighter, more scannable single-line format (#42344)
- Missing
ghbinary detection — Dashboard shows a targeted install prompt when theghCLI is not found (#42303) - Fixed hang on inherited handles — Detached spawn prevents
gh awfrom hanging when dashboard subprocess inherits stdio handles (#42311)
🐛 Bug Fixes & Improvements
- Fixed concurrent schedule overlap —
every N minutescron expressions are now scattered across different offsets, preventing all same-interval workflows from firing simultaneously (#42524) - Hardened API fallbacks — Unauthenticated
api.github.comcalls now carry a 30-second timeout and request context, eliminating potential goroutine hangs during compilation (#42521) - Fixed AWF access.log path — Firewall log analysis now correctly finds
access.login thesquid-logs/subdirectory (#42513) - Codex retry loop fix — Codex harness no longer retries on TPM exhaustion or unfinished-goal errors, avoiding run quota drain (#42420)
- Better engine typo detection — Invalid
engine:values now surface as the primary error rather than being masked by downstream schema failures (#42235) - Auto-derive checkout
path:— Compiler now warns and auto-derives thepath:for cross-repo checkout entries where it was missing (#42257)
🔍 New Static Analysis Rules
sprintfintGo linter — Flagsfmt.Sprintf("%d", x)wherexisint, suggestingstrconv.Itoafor clarity (#42538)errortypeassertionGo analyzer — Catches directerror-to-concrete type assertions and steers code towarderrors.As(#42323)httpnoctxenhancement — Now detects thehttp.NewRequest(...)+client.Do(req)path, not just helper functions (#42536)- ESLint
no-core-setoutput-non-string— Flags non-string values passed tocore.setOutput, preventing type coercion bugs in Actions JavaScript (#42453)
📚 Documentation
- Aligned
gh awCLI help text with docs forversion,deploy,strict, andsecretsflags (#42496) - Streamlined MemoryOps guide and troubleshooting common issues pages (#42533, #42308)
- Added
sandbox.agent.sudoglossary entry documenting the AWF privilege model (#42466)
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
Generated by 🚀 Release · 64.3 AIC · ⊞ 7.7K
What's Changed
- Use Sonnet consistently in pr-sous-chef by @pelikhan with @Copilot in #42292
- feat: add audit logging to comment_release_prs job by @pelikhan with @Copilot in #42306
- [docs] docs: unbloat troubleshooting common issues by @github-actions[bot] in #42308
- Skip
signed/jsweep/*branches in PR Description Updater by @pelikhan with @Copilot in #42296 - Refactor forecast command into focused modules and isolate render helper tests by @pelikhan with @Copilot in #42274
- fix(dashboard): button group styling and Alpine.js FOUC prevention by @pelikhan with @Copilot in #42309
- fix(aw-dashboard): use detached spawn to prevent gh-aw hang on inherited handles by @pelikhan in #42311
- Add maintenance view to the agentic workflows dashboard by @pelikhan with @Copilot in #42297
- Scale MCP logs timeout for larger fetch windows by @pelikhan with @Copilot in #42295
- feat(dashboard): detect missing gh binary and show targeted install prompt by @pelikhan with @Copilot in #42303
- fix(contribution-check): eliminate E002 safe-output collisions and retry loops by @pelikhan with @Copilot in #42316
- docs(aw): add compliance and design-governance patterns to authoring guidance by @pelikhan with @Copilot in #42315
- Bundle Alpine.js into the dashboard extension by @pelikhan with @Copilot in #42300
- Simplify
gh aw statustable output by @pelikhan with @Copilot in #42312 - Prioritize invalid engine typos over downstream schema/import failures by @pelikhan with @Copilot in #42235
- Honor global mention allowlists in add-comment sanitization by @pelikhan with @Copilot in #42313
- Normalize report-style prompts in Priority 1 workflows (h3+ headers +
<details>guidance) by @pelikhan with @Copilot in #42324 - Migrate dashboard backend modules from ESM
.mjsto strict TypeScript by @pelikhan with @Copilot in #42321 - Allow
create_pull_requestbundle transport to fall back when branch pinning is unavailable by @pelikhan with @Copilot in #42318 - dashboard: memoize binary detection and robust JSON parsing by @pelikhan in #42334
- fix(dashboard): alert box spacing and scrollbar polish by @pelikhan with @Copilot in #42335
- dashboard: add left margin to Counter badges by @pelikhan with @Copilot in #42337
- dashboard: structured logging, fix cwd/spawn bugs, add build:ts + AGENTS.md by @pelikhan in #42338
- Extract shared SafeOutputAllowBlockConfig across safe-output handlers by @pelikhan with @Copilot in #42322
- dashboard: compact single-line rows for Definitions and Runs by @pelikhan with @Copilot in #42344
- Add spinners and skeleton loaders to dashboard loading states by @pelikhan with @Copilot in #42345
- fix: replace BtnGroup with gapped flex for consistent button spacing in dashboard by @pelikhan with @Copilot in #42347
- [caveman] Optimize instruction verbosity — safe-outputs-automation, safe-outputs-content (2026-06-29) by @github-actions[bot] in #42348
- dashboard: cache downloaded logs in a shared user-level dir across sessions by @pelikhan with @Copilot in #42349
- feat(linters): add errortypeassertion analyzer for error-to-concrete assertions by @pelikhan with @Copilot in #42323
- Bundle dashboard extension Node.js code into single app.js by @pelikhan with @Copilot in #42352
- safe_outputs: set git safe.directory via process-scoped env vars before bundle branch pinning by @pelikhan with @Copilot in #41830
- Strengthen TypeScript types in dashboard extension — eliminate
any, narrowunknownby @pelikhan with @Copilot in #42353 - Add model policy frontmatter + import unioning + env policy overrides by @pelikhan with @Copilot in #41824
- opt(mattpocock-skills-reviewer): install only prompt-referenced skills by @pelikhan with @Copilot in #42355
- fix: replace panic with error return in errortypeassertion linter by @pelikhan with @Copilot in #42358
- Reduce ambient prompt footprint in Test Quality Sentinel and shared PR review config by @pelikhan with @Copilot in #42359
- Default sandbox.agent.sudo to false (network isolation) by @pelikhan with @Copilot in #42354
- Map models to Copilot SDK provider type instead of hardcoding "openai" by @pelikhan with @Copilot in #42351
- Update Matt Pocock skills reviewer to current upstream skill names by @pelikhan with @Copilot in #42365
- Remove unused engine/provider config types; fix AuthDefinition YAML tags and schema gaps by @pelikhan with @Copilot in #42357
- feat(dashboard): require workflow selection before loading runs by @pelikhan in #42363
- [docs] Self-healing documentation fixes from issue analysis - 2026-06-30 by @github-actions[bot] in #42374
- feat: add runner.topology arc-dind support for ARC/DinD rootless execution by @lpcox in #42371
- Remove in-repo agentic-workflows dashboard extension and cleanup build integrations by @pelikhan with @Copilot in #42397
- [WIP] Fix failing GitHub Actions job for CLI Completion by @pelikhan with @Copilot in #42379
- compiler: auto-derive and warn on missing
path:for cross-repo checkout entries by @dsyme with @Copilot in #42257 - refactor(pkg/cli): relocate isGHCLIAvailable() to git.go and upgrade getParentDir() to path.Dir by @pelikhan with @Copilot in #42395
- [community] Update community contributions in README by @github-actions[bot] in #42401
- [log] Add debug logging to five Go files by @github-actions[bot] in #42409
- [aw] Raise Daily yamllint Fixer turn budget to prevent max-runs exhaustion by @pelikhan with @Copilot in #42411
- Allow
brandingfield inaw.ymlpackage manifests by @mnkiefer with @Copilot in #42454 - [docs] Update glossary - daily scan 2026-06-30 by @github-actions[bot] in #42466
- [spec-extractor] docs(styles): add missing exported styles to Public API overview table by @github-actions[bot] in #42464
- chore: bump gh-aw-firewall to v0.27.15 by @lpcox with @Copilot in #42408
- [ci-coach] fix: update MCP gateway test for default network isolation mode by @github-actions[bot] in #42488
- [code-simplifier] simplify: extract buildAllowedFieldSet helper and format replay one-liner by @github-actions[bot] in #42410
- [jsweep] Clean workflow_metadata_helpers.cjs by @github-actions[bot] in #42415
- Stop Codex harness retry loops on TPM exhaustion and unfinished-goal errors by @pelikhan with @Copilot in #42420
- build(deps): bump @primer/octicons from 19.28.1 to 19.29.1 in /docs by @dependabot[bot] in #42461
- build(deps-dev): bump @types/node from 26.0.0 to 26.0.1 in /actions/setup/js by @dependabot[bot] in #42460
- build(deps-dev): bump @github/copilot-sdk from 1.0.1 to 1.0.4 in /actions/setup/js by @dependabot[bot] in #42463
- build(deps): bump pdfjs-dist from 6.0.227 to 6.1.200 in /docs by @dependabot[bot] in #42457
- Fix CJS typecheck regression in
loadModelsJsoncache path by @pelikhan with @Copilot in #42491 - Update PR Sous Chef workflow and inline agent to Sonnet 4.5 by @pelikhan with @Copilot in #42492
- Deduplicate glob-list validation across workflow validators by @pelikhan with @Copilot in #42431
- [eslint-miner] eslint-factory: add no-core-setoutput-non-string rule by @github-actions[bot] in #42453
- Deduplicate sandbox and MCP mount validation flow by @pelikhan with @Copilot in #42430
- Align
gh awdocs and help text for version/deploy/strict/secrets consistency by @pelikhan with @Copilot in #42496 - Support per-model Copilot SDK wireApi via provider/model registry metadata by @pelikhan with @Copilot in #42497
- docs: flag
get_meas unusable under integration token; steer agents togithub-contextby @pelikhan with @Copilot in #42514 - Add frontmatter
skillssupport with activation-timegh skillinstall and engine wiring by @pelikhan with @Copilot in #42426 - Allow full bash tool access in PR Sous Chef to prevent denial-threshold aborts by @pelikhan with @Copilot in #42518
- optimize test-quality-sentinel: pre-fetch awk stats, 40 KB diff cap, slim prompt by @pelikhan with @Copilot in #42519
- [docs] docs: unbloat MemoryOps guide by @github-actions[bot] in #42533
- SPDD 2026-06-30: tighten normative requirements across 5 specs by @pelikhan with @Copilot in #42530
- Enable threat detection on token audit/report workflows by @pelikhan with @Copilot in #42520
- [formal-spec] Add replace-label formal model test suite (P1–P15 + edge cases) by @pelikhan with @Copilot in #42527
- Scatter every-N-minutes schedules to reduce concurrent overlap by @pelikhan with @Copilot in #42524
- fix: find access.log in sandbox/firewall/logs/squid-logs/ subdirectory by @pelikhan with @Copilot in #42513
- fix: harden unauthenticated GitHub API fallbacks with context and 30s timeout by @pelikhan with @Copilot in #42521
- Auto-label PR Triage report issues on creation by @pelikhan with @Copilot in #42535
- set_issue_field: remove org-level issueFields fallback from field discovery query by @pelikhan with @Copilot in #42517
- eslint-factory: remove useless rethrow from require-json-parse-try-catch suggestion by @pelikhan with @Copilot in #42537
- [linter-miner] linter: add sprintfint — flag fmt.Sprintf("%d", x) where x is int by @github-actions[bot] in #42538
- fix: correct
gh skill installinvocation for frontmatter skills by @pelikhan with @Copilot in #42543 - Bump gh-aw-firewall to v0.27.16 and sync AWF integration artifacts by @lpcox with @Copilot in #42542
- httpnoctx: detect context-free
NewRequest + Dopaths by @pelikhan with @Copilot in #42536 - test(actionpins): improve spec_test.go coverage per testify-expert checklist by @pelikhan with @Copilot in #42551
- [caveman] Optimize instruction verbosity — serena-tool, skills, subagents (2026-06-30) by @github-actions[bot] in #42573
- refactor(logs): extract AggregatedSummaryBase from near-duplicate summary structs by @pelikhan with @Copilot in #42552
- [workflow-style] Normalize
daily-team-statusreport formatting guidance by @pelikhan with @Copilot in #42567
Full Changelog: v0.82.0...v0.82.1