v0.82.10
Pre-release
Pre-release
Immutable
release. Only release title and notes can be modified.
🌟 Release Highlights
This release brings declarative custom-engine support, expanded evals infrastructure, CLI improvements, and an important security default change — alongside a strong wave of bug fixes and code quality improvements.
⚠️ Breaking Changes
- Strict security mode is now the default —
sudoinjection and--enable-host-accessare no longer injected automatically. Workflows relying on these must opt in explicitly. (#45360)
✨ What's New
- Declarative custom-engine frontmatter — Crush, OpenCode, and other engines can now be declared via shared behavior definitions in frontmatter, removing boilerplate and improving portability. (#44465)
engine.driverfrontmatter field — New reference field lets you pin workflows to a specific engine driver. Learn more (#45420)- Evals on agentic workflows — BinEval evals enabled on 10 workflows; daily evals report added; evals results now captured in conclusion usage artifacts;
--evalsflag added tologsandauditcommands for filtering. (#45751, #45805, #45373) - Bootstrap config consolidation —
gh aw addandgh aw add-wizardnow share a unified config; theactionssubcommand is renamed toconfigfor clarity. (#45758) - Azure OpenAI BYOK support documented — New guide covers bringing your own Azure OpenAI key for Copilot workflows. (#45276)
nilctxpassedGo linter — New analyzer catchesnilcontext passed to functions, preventing hard-to-debug runtime panics. (#45799)
🐛 Bug Fixes & Improvements
- Fixed secrets context leaking into
ignore-if-missingguard expressions, which could silently suppress legitimate failures. (#45828) - Fixed
update_projectsilently ignoring string-typedfieldsby iterating over characters instead of field names. (#45825) - Fixed missing
id-token: writepermission on activation/conclusion/safe_outputs jobs for OTLP OIDC auth. (#45823) - Fixed a recurring 60 s timeout in the logs MCP tool that was corrupting audit datasets. (#45714)
- Fixed MCP gateway config to use raw header serialization for the GitHub remote Authorization header. (#45335)
- Fixed safe-outputs scope rejection incorrectly triggering when the agent changeset had no workflow files. (#45870)
- CLI consistency pass:
--no-stagedrenamed for clarity,-eshorthand added tologs, grammar and style fixes. (#45280) - Reduced GitHub API consumption in PR review cluster via pre-fetching and caching (~significant reduction in rate-limit pressure). (#45431)
📚 Documentation
- New BinEval syntax and question decomposition guide at
.github/aw/evals.md. (#45833) - Replaced deprecated
dispatch_repositoryreference block with a migration note. (#45786) - CLI help text, shared flag usage, and setup docs aligned for consistency. (#45753)
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
Generated by 🚀 Release · 16.9 AIC · ⊞ 7.6K
What's Changed
- [caveman] Optimize instruction verbosity — skills.md (2026-07-13) by @github-actions[bot] in #45328
- fix: CLI consistency — rename
--no-staged, add-eto logs, grammar/style fixes by @pelikhan with @Copilot in #45280 - [WIP] Fix failing GitHub Actions job Integration: Workflow Misc Part 2 by @pelikhan with @Copilot in #45293
- [jsweep] Clean validate_secrets.cjs by @github-actions[bot] in #45184
- Propagate runner topology into detection AWF image pre-pull by @pelikhan with @Copilot in #45274
- Refactor token env lookup and schedule helpers to remove semantic drift by @pelikhan with @Copilot in #45298
- feat(eslint-factory): add Object.assign suggestion to no-throw-plain-object rule by @pelikhan with @Copilot in #45299
- [linter-miner] feat(linters): add bytesbufferstring linter — flag string(buf.Bytes()) in favour of buf.String() by @github-actions[bot] in #45301
- Strengthen action pin mapping spec coverage and assertion rigor in
pkg/actionpinsby @pelikhan with @Copilot in #45340 - Remove the client-side
issue_intentsruntime gate by @pelikhan with @Copilot in #45275 - eslint-factory: detect aliased/destructured/computed core.setFailed in require-return-after-core-setfailed by @pelikhan with @Copilot in #45334
- feat: enable evals on smoke-copilot by @pelikhan with @Copilot in #45324
- Stabilize Sighthound Security Scan by scanning a clean archived repo snapshot by @pelikhan with @Copilot in #45361
- Fix autofix import robustness: use actual local binding qualifier in sprintfint/writebytestring/bytescomparestring by @pelikhan with @Copilot in #45339
- Fix MCP gateway config JSON: use raw header serialization for GitHub remote MCP Authorization header by @pelikhan with @Copilot in #45335
- Annotate allowed issue field allowlist as SEC-004 exempt by @pelikhan with @Copilot in #45363
- [log] Add debug logging to docker-sbx install step generators by @github-actions[bot] in #45374
- refactor(workflow): split 420-line buildMainJob into focused helpers by @pelikhan with @Copilot in #45333
- Refine interpolated-route diagnostics for opaque Octokit route helpers by @pelikhan with @Copilot in #45364
- Document Azure OpenAI BYOK configuration for Copilot workflows by @pelikhan with @Copilot in #45276
- [community] Update community contributions in README by @github-actions[bot] in #45367
- [yamllint-fixer] fix(workflow): reduce yamllint noise in generated lock files (16 → 3) by @github-actions[bot] in #45372
- Harden daily multi-device docs tester for Playwright startup and docs preview readiness by @pelikhan with @Copilot in #45399
- fix(create_pull_request): redirect fallback issue to alternate repo when target has issues disabled (410) by @pelikhan with @Copilot in #45359
- Lock in tag-scoped
on.pushas a valid scoped trigger by @pelikhan with @Copilot in #45362 - Audit: surface actionable failure diagnostics from step logs or agent-stdio fallback by @pelikhan with @Copilot in #45398
- docs: add
engine.driverto frontmatter reference by @pelikhan with @Copilot in #45420 - [instructions] Sync instruction files with release v0.82.9 by @github-actions[bot] in #45422
- feat: add --evals flag to logs and audit commands to filter by evals results by @pelikhan with @Copilot in #45373
- [jsweep] Clean harness_retry_config.cjs by @github-actions[bot] in #45378
- Add declarative custom-engine frontmatter and migrate Crush/OpenCode to shared behavior definitions by @pelikhan with @Copilot in #44465
- chore: remove outdated package workflows for dependabot by @mnkiefer in #45433
- [docs] Update glossary - daily scan by @github-actions[bot] in #45447
- feat: reduce GitHub API consumption in PR review cluster via pre-fetching and caching by @pelikhan with @Copilot in #45431
- Handle braceless
core.setFailed()control-flow inrequire-return-after-core-setfailedby @pelikhan with @Copilot in #45430 - [rendering-scripts] Fix Pi log parser for the v3 streaming schema (empty step summaries) by @github-actions[bot] in #45414
- enforce: add stringsindexcontains + stringscountcontains to CI linter batch by @pelikhan with @Copilot in #45409
- feat: optimize sighthound-security-scan — binary cache + pre-filter to skip agent on test-only findings by @pelikhan with @Copilot in #45417
- Harden Semantic Function Refactoring against empty terminal exits by @pelikhan with @Copilot in #45418
- [tidy] Format JavaScript and TypeScript code by @github-actions[bot] in #45453
- Tighten
require-spawnsync-error-checkfor destructuring and guard semantics by @pelikhan with @Copilot in #45419 - [code-scanning-fix] Fix REST API path injection in ghAPIGet/ghAPIGetArray (alerts #641, #642) by @github-actions[bot] in #45400
- [eslint-miner] eslint: require-return-after-core-setfailed — handle braceless if/else consequents by @github-actions[bot] in #45425
- Use live gh-aw version for MCP inspector and make tool icons spec-compliant by @pelikhan with @Copilot in #45450
- Refactor tool description constraint rendering to remove
enhanceToolDescriptionhotspot by @pelikhan with @Copilot in #45449 - Link experiment success metrics to declared evals by @pelikhan with @Copilot in #45445
- Split
log.Fatal*ownership betweenrawloginlibandlogfatallibraryto remove overlap by @pelikhan with @Copilot in #45460 - Harden PR Sous Chef pre-agent PR queue fetch against transient/API failures by @pelikhan with @Copilot in #45459
- [instructions] Add prior-art lookup guidance for the-power by @pelikhan with @Copilot in #45476
- docs: add workshop callout to README and docs by @pelikhan with @Copilot in #45491
- feat: add bootstrap command for reusable auth, setup & repository checks by @mnkiefer in #45524
- docs: add how-to guide for configuring a third-party agent by @pelikhan with @Copilot in #45559
- docs: add "prefer deterministic tools" opening to cost optimization docs by @pelikhan with @Copilot in #45501
- Compiler: fix docker-sbx runtime output for TTY, CLI staging, and agentTimeout by @lpcox with @Copilot in #45554
- [docs] Self-healing documentation fixes from issue analysis - 2026-07-15 by @github-actions[bot] in #45578
- feat: add gh-aw-detection: true to 4 flagged audit/analysis workflows by @pelikhan with @Copilot in #45575
- [docs] docs: unbloat audit reference by @github-actions[bot] in #45532
- [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #45503
- docs: fix stale package specifications (12 packages) by @pelikhan with @Copilot in #45499
- fix: update stale NewEngineCatalog comment to include pi and antigravity by @pelikhan with @Copilot in #45496
- Persist evals to
evals/*branches and make audit/logs branch-aware by @pelikhan with @Copilot in #45492 - Refactor MCP JSON section helpers to share rendering skeleton by @pelikhan with @Copilot in #45410
- [docs] Update Astro dependencies - 2026-07-15 by @github-actions[bot] in #45612
- Hide top-level setup and bootstrap commands from CLI help by @pelikhan with @Copilot in #45615
- Remove built-in Crush engine support by @pelikhan with @Copilot in #45515
- [code-scanning-fix] Fix workflow-graphql-injection-unescaped-input: validate org slug before search query interpolation by @github-actions[bot] in #45548
- build(deps-dev): Bump @types/node from 26.0.1 to 26.1.1 in /actions/setup/js by @dependabot[bot] in #45443
- build(deps-dev): Bump prettier from 3.9.4 to 3.9.5 in /actions/setup/js by @dependabot[bot] in #45442
- Extract bootstrap marker paths into named constants by @pelikhan with @Copilot in #45602
- [linter-miner] feat(linters): add mapdeletecheck linter — flag redundant existence checks before delete(m, k) by @github-actions[bot] in #45533
- build(deps-dev): Bump @github/copilot-sdk from 1.0.4 to 1.0.6 in /actions/setup/js by @dependabot[bot] in #45436
- build(deps-dev): Bump @vitest/ui from 4.1.9 to 4.1.10 in /actions/setup/js by @dependabot[bot] in #45439
- [log] Add debug logging to CLI repository bootstrap/setup flow by @github-actions[bot] in #45621
- cli: add --engine/-e and --repo/-r to upgrade, --approve to update by @pelikhan with @Copilot in #45573
- ci: enforce bytesbufferstring, ioutildeprecated, mapdeletecheck linters by @pelikhan with @Copilot in #45631
- fix: restore safe-output actuation tracking and reconcile 0% SafeItemsCount by @pelikhan with @Copilot in #45623
- refactor: deduplicate strings*contains linter helpers into astutil by @pelikhan with @Copilot in #45622
- [yamllint-fixer] fix: trim trailing whitespace in generated YAML to reduce yamllint noise by @github-actions[bot] in #45620
- refactor: split compiler_yaml.go (1262 lines) into focused modules by @pelikhan with @Copilot in #45494
- build(deps-dev): Bump typescript from 6.0.3 to 7.0.2 in /actions/setup/js by @dependabot[bot] in #45441
- Unshadow package logger identifiers to restore
rawloginlibdetection by @pelikhan with @Copilot in #45637 - Cache confirmed-zero-AIC run results in daily guardrail to cut Smoke CI REST API footprint by @pelikhan with @Copilot in #45624
- Split engine provider selection from harness execution and route Claude/Codex via reflected CAPI endpoints by @pelikhan with @Copilot in #45490
- Refactor actionlint execution helpers to reduce largefunc backlog by @pelikhan with @Copilot in #45598
- Suppress spurious
report_incompletefailures after successful Copilot task output by @pelikhan with @Copilot in #45599 - feat: replace
setup auth/setup repowith unifieddoctorcommand by @pelikhan with @Copilot in #45632 - feat: convert sighthound-security-scan to daily scheduled workflow by @pelikhan with @Copilot in #45659
- refactor: extract shared AIC cache JSONL prune logic into daily_aic_cache_helpers by @pelikhan with @Copilot in #45645
- eslint: extend no-core-exportvariable-non-string to recognize coreObj alias by @pelikhan with @Copilot in #45655
- eslint: exempt intentional JSON-RPC error shape from no-throw-plain-object by @pelikhan with @Copilot in #45656
- Disambiguate compile update-check logger namespace by @pelikhan with @Copilot in #45668
- Fix
lint jstypecheck regression inresolveProviderEndpointFromReflectby @pelikhan with @Copilot in #45680 - [WIP] Fix failing GitHub Actions job Integration: CMD Tests by @pelikhan with @Copilot in #45681
- Fix js-typecheck regression in awf_reflect endpoint resolution by @pelikhan with @Copilot in #45685
- Update root help test to stop rejecting newly added commands by @pelikhan with @Copilot in #45683
- refactor(daily-aic): remove duplicate JSONL parser, add focused tests by @pelikhan with @Copilot in #45644
- fix: resolve symlinks in GitHub API file reader for activation hash check by @pelikhan with @Copilot in #45646
- refactor(cli): split downloadRunArtifactsConcurrent (430 lines) into focused helpers by @pelikhan with @Copilot in #45635
- [code-scanning-fix] Fix GraphQL string injection in project_command.go (alerts #643, #644) by @github-actions[bot] in #45676
- [rendering-scripts] Fix empty Pi step-summary conversation rendering by @github-actions[bot] in #45688
- [instructions] Sync instruction files with release v0.82.9 by @github-actions[bot] in #45701
- Capture evals results in conclusion usage artifacts by @pelikhan with @Copilot in #45677
- [spec-extractor] Update package specifications for parser, repoutil, semverutil, sliceutil by @github-actions[bot] in #45712
- fix: surface fleet-wide token total in audit telemetry by @pelikhan with @Copilot in #45657
- Add bootstrap profile loading by @mnkiefer in #45660
- fix: authorize custom org repository roles via base permission by @pelikhan with @Copilot in #45641
- Update gosec to v2.28.0 and align local/CI scanner installs by @pelikhan with @Copilot in #45715
- [eslint-miner] eslint: add require-mkdirsync-try-catch rule by @github-actions[bot] in #45709
- fix(lint): replace map[string]bool sets and len(s)>0 string checks in workflow package by @pelikhan with @Copilot in #45702
- chore: bump default Claude/Codex/Pi CLI versions and regenerate compiled workflow artifacts by @pelikhan with @Copilot in #45670
- Share nolint and generated-file indexes across custom Go analyzers by @pelikhan with @Copilot in #45700
- docs(linters): document 4 missing subpackages in pkg/linters/README.md by @pelikhan with @Copilot in #45747
- chore(workflow): make logger namespaces statically greppable by @pelikhan with @Copilot in #45721
- compiler: render evals results as progressive disclosure details section in step summary by @pelikhan with @Copilot in #45661
- fix: reject submit_pull_request_review max > 1 at compile time by @pelikhan with @Copilot in #45647
- Enable BinEval evals on 10 agentic workflows by @pelikhan with @Copilot in #45751
- fix: restrict Q workflow triggers to eliminate action_required from PR events by @pelikhan with @Copilot in #45745
- [dead-code] chore: remove dead functions — 2 functions removed by @github-actions[bot] in #45757
- Split frontmatter YAML extraction into focused workflow helpers by @pelikhan with @Copilot in #45744
- fix(blog-auditor): relax keyword check from
compilertocompileby @pelikhan with @Copilot in #45772 - Align CLI help text, shared flag usage, and setup docs by @pelikhan with @Copilot in #45753
- Add run/artifact metadata to persisted evals records by @pelikhan with @Copilot in #45756
- feat: add production-side compile-time interface assertions for engine and condition types by @pelikhan with @Copilot in #45773
- Docs: replace deprecated
dispatch_repositoryreference block with migration note by @pelikhan with @Copilot in #45786 - Add Claude branch to README onboarding block by @pelikhan with @Copilot in #45788
- Implement discussion outcome evaluators and sync security architecture evidence by @pelikhan with @Copilot in #45784
- feat(spec): formal model & test suite for safe-output-outcome-evaluation (P1–P12) by @pelikhan with @Copilot in #45781
- Run
evalsin parallel withsafe_outputsby rewiring compiler job needs by @pelikhan with @Copilot in #45752 - Fix recurring 60s timeout in logs MCP tool degrading audit datasets by @pelikhan with @Copilot in #45714
- feat: merge bootstrap config into add/add-wizard; rename actions→config by @pelikhan with @Copilot in #45758
- feat: add daily-evals-report workflow by @pelikhan with @Copilot in #45805
- feat(linters): add nilctxpassed analyzer by @pelikhan with @Copilot in #45799
- feat: read evals from usage artifact instead of dedicated evals artifact by @pelikhan with @Copilot in #45797
- optimize(detection-analysis-report): ~45 AIC/run savings via prompt compaction and script extraction by @pelikhan with @Copilot in #45820
- Fix missing
id-token: writeon activation/conclusion/safe_outputs jobs for OTLP OIDC audience-only auth by @pelikhan with @Copilot in #45823 - fix: filter secrets context from ignore-if-missing if: guard expression by @pelikhan with @Copilot in #45828
- docs: add .github/aw/evals.md — BinEval syntax and question decomposition guide by @pelikhan with @Copilot in #45833
- feat: resolve eval question text for metrics referencing evals in experiments analyze by @pelikhan with @Copilot in #45834
- [community] Update community contributions in README by @github-actions[bot] in #45871
- [log] Add debug logging to bootstrap flow and aw_info generation by @github-actions[bot] in #45881
- [ubuntu-image] research: update Ubuntu runner image analysis to 20260705.232.1 by @github-actions[bot] in #45889
- safeoutputs: prohibit concurrency-control fields on push_to_pull_request_branch by @pelikhan with @Copilot in #45822
- feat: default to strict security mode, stop injecting sudo and --enable-host-access by @lpcox in #45360
- fix: replace hard-coded
.github/path literals withconstants.GithubDirin add_workflow_resolution by @pelikhan with @Copilot in #45894 - fix(update_project): parse string-typed
fieldsinstead of iterating over characters by @pelikhan with @Copilot in #45825 - Add multi-agent research workflow instruction file distilled from CDC prompt by @pelikhan with @Copilot in #45911
- fix(safe-outputs): skip workflows scope rejection when agent changeset has no workflow files by @pelikhan with @Copilot in #45870
- [yamllint-fixer] fix(workflow): eliminate yamllint comments-indentation noise in generated lock files by @github-actions[bot] in #45879
- Refactor duplicated workflow parsing and timeline rendering helpers in
pkg/cliandpkg/workflowby @pelikhan with @Copilot in #45858
Full Changelog: v0.82.9...v0.82.10