Skip to content

v0.82.10

Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 16 Jul 06:35
Immutable release. Only release title and notes can be modified.
de126a1

🌟 Release Highlights

This release brings declarative custom-engine support, expanded evals infrastructure, CLI improvements, and an important security default change — alongside a strong wave of bug fixes and code quality improvements.

⚠️ Breaking Changes

  • Strict security mode is now the defaultsudo injection and --enable-host-access are no longer injected automatically. Workflows relying on these must opt in explicitly. (#45360)

✨ What's New

  • Declarative custom-engine frontmatter — Crush, OpenCode, and other engines can now be declared via shared behavior definitions in frontmatter, removing boilerplate and improving portability. (#44465)
  • engine.driver frontmatter field — New reference field lets you pin workflows to a specific engine driver. Learn more (#45420)
  • Evals on agentic workflows — BinEval evals enabled on 10 workflows; daily evals report added; evals results now captured in conclusion usage artifacts; --evals flag added to logs and audit commands for filtering. (#45751, #45805, #45373)
  • Bootstrap config consolidationgh aw add and gh aw add-wizard now share a unified config; the actions subcommand is renamed to config for clarity. (#45758)
  • Azure OpenAI BYOK support documented — New guide covers bringing your own Azure OpenAI key for Copilot workflows. (#45276)
  • nilctxpassed Go linter — New analyzer catches nil context passed to functions, preventing hard-to-debug runtime panics. (#45799)

🐛 Bug Fixes & Improvements

  • Fixed secrets context leaking into ignore-if-missing guard expressions, which could silently suppress legitimate failures. (#45828)
  • Fixed update_project silently ignoring string-typed fields by iterating over characters instead of field names. (#45825)
  • Fixed missing id-token: write permission on activation/conclusion/safe_outputs jobs for OTLP OIDC auth. (#45823)
  • Fixed a recurring 60 s timeout in the logs MCP tool that was corrupting audit datasets. (#45714)
  • Fixed MCP gateway config to use raw header serialization for the GitHub remote Authorization header. (#45335)
  • Fixed safe-outputs scope rejection incorrectly triggering when the agent changeset had no workflow files. (#45870)
  • CLI consistency pass: --no-staged renamed for clarity, -e shorthand added to logs, grammar and style fixes. (#45280)
  • Reduced GitHub API consumption in PR review cluster via pre-fetching and caching (~significant reduction in rate-limit pressure). (#45431)

📚 Documentation

  • New BinEval syntax and question decomposition guide at .github/aw/evals.md. (#45833)
  • Replaced deprecated dispatch_repository reference block with a migration note. (#45786)
  • CLI help text, shared flag usage, and setup docs aligned for consistency. (#45753)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by 🚀 Release · 16.9 AIC · ⊞ 7.6K


What's Changed

  • [caveman] Optimize instruction verbosity — skills.md (2026-07-13) by @github-actions[bot] in #45328
  • fix: CLI consistency — rename --no-staged, add -e to logs, grammar/style fixes by @pelikhan with @Copilot in #45280
  • [WIP] Fix failing GitHub Actions job Integration: Workflow Misc Part 2 by @pelikhan with @Copilot in #45293
  • [jsweep] Clean validate_secrets.cjs by @github-actions[bot] in #45184
  • Propagate runner topology into detection AWF image pre-pull by @pelikhan with @Copilot in #45274
  • Refactor token env lookup and schedule helpers to remove semantic drift by @pelikhan with @Copilot in #45298
  • feat(eslint-factory): add Object.assign suggestion to no-throw-plain-object rule by @pelikhan with @Copilot in #45299
  • [linter-miner] feat(linters): add bytesbufferstring linter — flag string(buf.Bytes()) in favour of buf.String() by @github-actions[bot] in #45301
  • Strengthen action pin mapping spec coverage and assertion rigor in pkg/actionpins by @pelikhan with @Copilot in #45340
  • Remove the client-side issue_intents runtime gate by @pelikhan with @Copilot in #45275
  • eslint-factory: detect aliased/destructured/computed core.setFailed in require-return-after-core-setfailed by @pelikhan with @Copilot in #45334
  • feat: enable evals on smoke-copilot by @pelikhan with @Copilot in #45324
  • Stabilize Sighthound Security Scan by scanning a clean archived repo snapshot by @pelikhan with @Copilot in #45361
  • Fix autofix import robustness: use actual local binding qualifier in sprintfint/writebytestring/bytescomparestring by @pelikhan with @Copilot in #45339
  • Fix MCP gateway config JSON: use raw header serialization for GitHub remote MCP Authorization header by @pelikhan with @Copilot in #45335
  • Annotate allowed issue field allowlist as SEC-004 exempt by @pelikhan with @Copilot in #45363
  • [log] Add debug logging to docker-sbx install step generators by @github-actions[bot] in #45374
  • refactor(workflow): split 420-line buildMainJob into focused helpers by @pelikhan with @Copilot in #45333
  • Refine interpolated-route diagnostics for opaque Octokit route helpers by @pelikhan with @Copilot in #45364
  • Document Azure OpenAI BYOK configuration for Copilot workflows by @pelikhan with @Copilot in #45276
  • [community] Update community contributions in README by @github-actions[bot] in #45367
  • [yamllint-fixer] fix(workflow): reduce yamllint noise in generated lock files (16 → 3) by @github-actions[bot] in #45372
  • Harden daily multi-device docs tester for Playwright startup and docs preview readiness by @pelikhan with @Copilot in #45399
  • fix(create_pull_request): redirect fallback issue to alternate repo when target has issues disabled (410) by @pelikhan with @Copilot in #45359
  • Lock in tag-scoped on.push as a valid scoped trigger by @pelikhan with @Copilot in #45362
  • Audit: surface actionable failure diagnostics from step logs or agent-stdio fallback by @pelikhan with @Copilot in #45398
  • docs: add engine.driver to frontmatter reference by @pelikhan with @Copilot in #45420
  • [instructions] Sync instruction files with release v0.82.9 by @github-actions[bot] in #45422
  • feat: add --evals flag to logs and audit commands to filter by evals results by @pelikhan with @Copilot in #45373
  • [jsweep] Clean harness_retry_config.cjs by @github-actions[bot] in #45378
  • Add declarative custom-engine frontmatter and migrate Crush/OpenCode to shared behavior definitions by @pelikhan with @Copilot in #44465
  • chore: remove outdated package workflows for dependabot by @mnkiefer in #45433
  • [docs] Update glossary - daily scan by @github-actions[bot] in #45447
  • feat: reduce GitHub API consumption in PR review cluster via pre-fetching and caching by @pelikhan with @Copilot in #45431
  • Handle braceless core.setFailed() control-flow in require-return-after-core-setfailed by @pelikhan with @Copilot in #45430
  • [rendering-scripts] Fix Pi log parser for the v3 streaming schema (empty step summaries) by @github-actions[bot] in #45414
  • enforce: add stringsindexcontains + stringscountcontains to CI linter batch by @pelikhan with @Copilot in #45409
  • feat: optimize sighthound-security-scan — binary cache + pre-filter to skip agent on test-only findings by @pelikhan with @Copilot in #45417
  • Harden Semantic Function Refactoring against empty terminal exits by @pelikhan with @Copilot in #45418
  • [tidy] Format JavaScript and TypeScript code by @github-actions[bot] in #45453
  • Tighten require-spawnsync-error-check for destructuring and guard semantics by @pelikhan with @Copilot in #45419
  • [code-scanning-fix] Fix REST API path injection in ghAPIGet/ghAPIGetArray (alerts #641, #642) by @github-actions[bot] in #45400
  • [eslint-miner] eslint: require-return-after-core-setfailed — handle braceless if/else consequents by @github-actions[bot] in #45425
  • Use live gh-aw version for MCP inspector and make tool icons spec-compliant by @pelikhan with @Copilot in #45450
  • Refactor tool description constraint rendering to remove enhanceToolDescription hotspot by @pelikhan with @Copilot in #45449
  • Link experiment success metrics to declared evals by @pelikhan with @Copilot in #45445
  • Split log.Fatal* ownership between rawloginlib and logfatallibrary to remove overlap by @pelikhan with @Copilot in #45460
  • Harden PR Sous Chef pre-agent PR queue fetch against transient/API failures by @pelikhan with @Copilot in #45459
  • [instructions] Add prior-art lookup guidance for the-power by @pelikhan with @Copilot in #45476
  • docs: add workshop callout to README and docs by @pelikhan with @Copilot in #45491
  • feat: add bootstrap command for reusable auth, setup & repository checks by @mnkiefer in #45524
  • docs: add how-to guide for configuring a third-party agent by @pelikhan with @Copilot in #45559
  • docs: add "prefer deterministic tools" opening to cost optimization docs by @pelikhan with @Copilot in #45501
  • Compiler: fix docker-sbx runtime output for TTY, CLI staging, and agentTimeout by @lpcox with @Copilot in #45554
  • [docs] Self-healing documentation fixes from issue analysis - 2026-07-15 by @github-actions[bot] in #45578
  • feat: add gh-aw-detection: true to 4 flagged audit/analysis workflows by @pelikhan with @Copilot in #45575
  • [docs] docs: unbloat audit reference by @github-actions[bot] in #45532
  • [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #45503
  • docs: fix stale package specifications (12 packages) by @pelikhan with @Copilot in #45499
  • fix: update stale NewEngineCatalog comment to include pi and antigravity by @pelikhan with @Copilot in #45496
  • Persist evals to evals/* branches and make audit/logs branch-aware by @pelikhan with @Copilot in #45492
  • Refactor MCP JSON section helpers to share rendering skeleton by @pelikhan with @Copilot in #45410
  • [docs] Update Astro dependencies - 2026-07-15 by @github-actions[bot] in #45612
  • Hide top-level setup and bootstrap commands from CLI help by @pelikhan with @Copilot in #45615
  • Remove built-in Crush engine support by @pelikhan with @Copilot in #45515
  • [code-scanning-fix] Fix workflow-graphql-injection-unescaped-input: validate org slug before search query interpolation by @github-actions[bot] in #45548
  • build(deps-dev): Bump @types/node from 26.0.1 to 26.1.1 in /actions/setup/js by @dependabot[bot] in #45443
  • build(deps-dev): Bump prettier from 3.9.4 to 3.9.5 in /actions/setup/js by @dependabot[bot] in #45442
  • Extract bootstrap marker paths into named constants by @pelikhan with @Copilot in #45602
  • [linter-miner] feat(linters): add mapdeletecheck linter — flag redundant existence checks before delete(m, k) by @github-actions[bot] in #45533
  • build(deps-dev): Bump @github/copilot-sdk from 1.0.4 to 1.0.6 in /actions/setup/js by @dependabot[bot] in #45436
  • build(deps-dev): Bump @vitest/ui from 4.1.9 to 4.1.10 in /actions/setup/js by @dependabot[bot] in #45439
  • [log] Add debug logging to CLI repository bootstrap/setup flow by @github-actions[bot] in #45621
  • cli: add --engine/-e and --repo/-r to upgrade, --approve to update by @pelikhan with @Copilot in #45573
  • ci: enforce bytesbufferstring, ioutildeprecated, mapdeletecheck linters by @pelikhan with @Copilot in #45631
  • fix: restore safe-output actuation tracking and reconcile 0% SafeItemsCount by @pelikhan with @Copilot in #45623
  • refactor: deduplicate strings*contains linter helpers into astutil by @pelikhan with @Copilot in #45622
  • [yamllint-fixer] fix: trim trailing whitespace in generated YAML to reduce yamllint noise by @github-actions[bot] in #45620
  • refactor: split compiler_yaml.go (1262 lines) into focused modules by @pelikhan with @Copilot in #45494
  • build(deps-dev): Bump typescript from 6.0.3 to 7.0.2 in /actions/setup/js by @dependabot[bot] in #45441
  • Unshadow package logger identifiers to restore rawloginlib detection by @pelikhan with @Copilot in #45637
  • Cache confirmed-zero-AIC run results in daily guardrail to cut Smoke CI REST API footprint by @pelikhan with @Copilot in #45624
  • Split engine provider selection from harness execution and route Claude/Codex via reflected CAPI endpoints by @pelikhan with @Copilot in #45490
  • Refactor actionlint execution helpers to reduce largefunc backlog by @pelikhan with @Copilot in #45598
  • Suppress spurious report_incomplete failures after successful Copilot task output by @pelikhan with @Copilot in #45599
  • feat: replace setup auth/setup repo with unified doctor command by @pelikhan with @Copilot in #45632
  • feat: convert sighthound-security-scan to daily scheduled workflow by @pelikhan with @Copilot in #45659
  • refactor: extract shared AIC cache JSONL prune logic into daily_aic_cache_helpers by @pelikhan with @Copilot in #45645
  • eslint: extend no-core-exportvariable-non-string to recognize coreObj alias by @pelikhan with @Copilot in #45655
  • eslint: exempt intentional JSON-RPC error shape from no-throw-plain-object by @pelikhan with @Copilot in #45656
  • Disambiguate compile update-check logger namespace by @pelikhan with @Copilot in #45668
  • Fix lint js typecheck regression in resolveProviderEndpointFromReflect by @pelikhan with @Copilot in #45680
  • [WIP] Fix failing GitHub Actions job Integration: CMD Tests by @pelikhan with @Copilot in #45681
  • Fix js-typecheck regression in awf_reflect endpoint resolution by @pelikhan with @Copilot in #45685
  • Update root help test to stop rejecting newly added commands by @pelikhan with @Copilot in #45683
  • refactor(daily-aic): remove duplicate JSONL parser, add focused tests by @pelikhan with @Copilot in #45644
  • fix: resolve symlinks in GitHub API file reader for activation hash check by @pelikhan with @Copilot in #45646
  • refactor(cli): split downloadRunArtifactsConcurrent (430 lines) into focused helpers by @pelikhan with @Copilot in #45635
  • [code-scanning-fix] Fix GraphQL string injection in project_command.go (alerts #643, #644) by @github-actions[bot] in #45676
  • [rendering-scripts] Fix empty Pi step-summary conversation rendering by @github-actions[bot] in #45688
  • [instructions] Sync instruction files with release v0.82.9 by @github-actions[bot] in #45701
  • Capture evals results in conclusion usage artifacts by @pelikhan with @Copilot in #45677
  • [spec-extractor] Update package specifications for parser, repoutil, semverutil, sliceutil by @github-actions[bot] in #45712
  • fix: surface fleet-wide token total in audit telemetry by @pelikhan with @Copilot in #45657
  • Add bootstrap profile loading by @mnkiefer in #45660
  • fix: authorize custom org repository roles via base permission by @pelikhan with @Copilot in #45641
  • Update gosec to v2.28.0 and align local/CI scanner installs by @pelikhan with @Copilot in #45715
  • [eslint-miner] eslint: add require-mkdirsync-try-catch rule by @github-actions[bot] in #45709
  • fix(lint): replace map[string]bool sets and len(s)>0 string checks in workflow package by @pelikhan with @Copilot in #45702
  • chore: bump default Claude/Codex/Pi CLI versions and regenerate compiled workflow artifacts by @pelikhan with @Copilot in #45670
  • Share nolint and generated-file indexes across custom Go analyzers by @pelikhan with @Copilot in #45700
  • docs(linters): document 4 missing subpackages in pkg/linters/README.md by @pelikhan with @Copilot in #45747
  • chore(workflow): make logger namespaces statically greppable by @pelikhan with @Copilot in #45721
  • compiler: render evals results as progressive disclosure details section in step summary by @pelikhan with @Copilot in #45661
  • fix: reject submit_pull_request_review max > 1 at compile time by @pelikhan with @Copilot in #45647
  • Enable BinEval evals on 10 agentic workflows by @pelikhan with @Copilot in #45751
  • fix: restrict Q workflow triggers to eliminate action_required from PR events by @pelikhan with @Copilot in #45745
  • [dead-code] chore: remove dead functions — 2 functions removed by @github-actions[bot] in #45757
  • Split frontmatter YAML extraction into focused workflow helpers by @pelikhan with @Copilot in #45744
  • fix(blog-auditor): relax keyword check from compiler to compile by @pelikhan with @Copilot in #45772
  • Align CLI help text, shared flag usage, and setup docs by @pelikhan with @Copilot in #45753
  • Add run/artifact metadata to persisted evals records by @pelikhan with @Copilot in #45756
  • feat: add production-side compile-time interface assertions for engine and condition types by @pelikhan with @Copilot in #45773
  • Docs: replace deprecated dispatch_repository reference block with migration note by @pelikhan with @Copilot in #45786
  • Add Claude branch to README onboarding block by @pelikhan with @Copilot in #45788
  • Implement discussion outcome evaluators and sync security architecture evidence by @pelikhan with @Copilot in #45784
  • feat(spec): formal model & test suite for safe-output-outcome-evaluation (P1–P12) by @pelikhan with @Copilot in #45781
  • Run evals in parallel with safe_outputs by rewiring compiler job needs by @pelikhan with @Copilot in #45752
  • Fix recurring 60s timeout in logs MCP tool degrading audit datasets by @pelikhan with @Copilot in #45714
  • feat: merge bootstrap config into add/add-wizard; rename actions→config by @pelikhan with @Copilot in #45758
  • feat: add daily-evals-report workflow by @pelikhan with @Copilot in #45805
  • feat(linters): add nilctxpassed analyzer by @pelikhan with @Copilot in #45799
  • feat: read evals from usage artifact instead of dedicated evals artifact by @pelikhan with @Copilot in #45797
  • optimize(detection-analysis-report): ~45 AIC/run savings via prompt compaction and script extraction by @pelikhan with @Copilot in #45820
  • Fix missing id-token: write on activation/conclusion/safe_outputs jobs for OTLP OIDC audience-only auth by @pelikhan with @Copilot in #45823
  • fix: filter secrets context from ignore-if-missing if: guard expression by @pelikhan with @Copilot in #45828
  • docs: add .github/aw/evals.md — BinEval syntax and question decomposition guide by @pelikhan with @Copilot in #45833
  • feat: resolve eval question text for metrics referencing evals in experiments analyze by @pelikhan with @Copilot in #45834
  • [community] Update community contributions in README by @github-actions[bot] in #45871
  • [log] Add debug logging to bootstrap flow and aw_info generation by @github-actions[bot] in #45881
  • [ubuntu-image] research: update Ubuntu runner image analysis to 20260705.232.1 by @github-actions[bot] in #45889
  • safeoutputs: prohibit concurrency-control fields on push_to_pull_request_branch by @pelikhan with @Copilot in #45822
  • feat: default to strict security mode, stop injecting sudo and --enable-host-access by @lpcox in #45360
  • fix: replace hard-coded .github/ path literals with constants.GithubDir in add_workflow_resolution by @pelikhan with @Copilot in #45894
  • fix(update_project): parse string-typed fields instead of iterating over characters by @pelikhan with @Copilot in #45825
  • Add multi-agent research workflow instruction file distilled from CDC prompt by @pelikhan with @Copilot in #45911
  • fix(safe-outputs): skip workflows scope rejection when agent changeset has no workflow files by @pelikhan with @Copilot in #45870
  • [yamllint-fixer] fix(workflow): eliminate yamllint comments-indentation noise in generated lock files by @github-actions[bot] in #45879
  • Refactor duplicated workflow parsing and timeline rendering helpers in pkg/cli and pkg/workflow by @pelikhan with @Copilot in #45858

Full Changelog: v0.82.9...v0.82.10