v0.82.4
Pre-releaseπ Release Highlights
This release focuses on memory step ordering reliability, security hardening, and compiler improvements that enhance the predictability and safety of agentic workflow execution.
β¨ What's New
-
Memory stores available earlier in agent jobs β
cache-memory,repo-memory, andcomment-memoryare now restored before user-definedsteps:, ensuring your workflow steps always have access to memory context. Custom jobs also benefit from automaticrestore-memorystep injection (#44037, #43984, #43952). -
Deterministic dispatch gating β Memory stores are now exposed to
on.stepsin pre-activation, enabling more reliable conditional dispatch logic based on memory state (#44015). -
Sink visibility in compiled policies β Compiled write-sink guard policies now emit
sink-visibilitymetadata, improving auditability of what each job can write (#44154). -
Loopback MCP server isolation β Loopback HTTP MCP servers are now rejected in network isolation mode, strengthening the security boundary for isolated workflow runs (#44113).
-
Binary evaluations via BinEval β The compiler now supports an
evalsjob type for BinEval binary evaluations, enabling structured model evaluation pipelines (#43700). -
set_issue_fieldfield validation β Builtin fields are now refused inset_issue_fieldto prevent accidental overwrites of system-managed fields (#44170).
π Bug Fixes & Improvements
-
Stale
/tmp/gh-awownership fixed β Root-owned temp directories are now reclaimed before AWF invocation, preventing permission errors in agent runs (#44022). -
arc-dind workspace mount β Removed the deprecated
--docker-host-path-prefixCLI flag and added an explicit workspace mount for the arc-dind topology, ensuring reliable container builds (#44145). -
Parser field population fix β
required-labelsandrequired-title-prefixfields are now correctly populated in theupdate-pull-requestandupdate-issueparsers (#44168). -
Security: safer installer pattern β Replaced
curl | shinstaller pipes with a download-then-verify pattern, eliminating a supply-chain risk (RGS-018) (#43716). -
CLI flag and docs consistency β Corrected
--yesverb,--direnv hint, and add-wizard documentation across 9 commands for a more consistent developer experience (#44050). -
SHA-pinned build-tools image β The firewall image for arc-dind topology is now SHA-pinned, ensuring reproducible and tamper-resistant builds (#44044).
π Documentation
- Clarified Quick Start terminology for frontmatter and
.lock.ymlto reduce onboarding confusion (#44079). - Trimmed cache-memory reference bloat and updated the glossary for cleaner, more focused documentation (#44088, #44010).
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
Generated by π Release Β· 25.5 AIC Β· β 7.6K
What's Changed
- fix: reclaim stale root-owned /tmp/gh-aw before AWF invocation by @lpcox in #44022
- Move comment-memory preparation before user
steps:in agent job by @pelikhan with @Copilot in #43952 - eslint-factory: detect catch-variable aliases in require-error-cause-in-rethrow by @pelikhan with @Copilot in #43966
- [instructions] Sync instruction files with release v0.82.2 by @github-actions[bot] in #43990
- [spec-extractor] Update package specifications for stringutil, styles, testutil, timeutil by @github-actions[bot] in #44007
- [docs] Update glossary - daily scan 2026-07-07 by @github-actions[bot] in #44010
- Update package specs for modelsdev, console, and logger by @pelikhan with @Copilot in #44047
- fix: SHA-pin build-tools firewall image for arc-dind topology by @lpcox with @Copilot in #44044
- [eslint-miner] eslint: add require-fs-sync-try-catch rule by @github-actions[bot] in #43994
- feat(go-gh): modernize go-gh API usage β drop gh.Exec for GraphQL, add timeouts, tidy DefaultRESTClient by @pelikhan with @Copilot in #43985
- Targeted custom-lint cleanup: append byte conversion, context propagation, error wrapping, and param-count reduction by @pelikhan with @Copilot in #43938
- Move cache-memory and repo-memory restore steps before user
steps:in agent job by @pelikhan with @Copilot in #43984 - Clarify Quick Start terminology for frontmatter and
.lock.ymlby @pelikhan with @Copilot in #44079 - [docs] docs: trim cache-memory reference bloat by @github-actions[bot] in #44088
- Route pdf-summary discussions to Audits category by @pelikhan with @Copilot in #44092
- refactor(workflow): extract helpers to fix function-length lint violations by @pelikhan with @Copilot in #44008
- fix(doc-healer): gate artifact constant check on actual artifact production by @pelikhan with @Copilot in #44134
- test(constants): table-driven assertions and extend octal-literal check to cmd/ by @pelikhan with @Copilot in #44114
- Add restore-memory step injection for custom jobs by @pelikhan with @Copilot in #44037
- fix: correct --yes verb, --dir env hint, and add-wizard docs across 9 commands by @pelikhan with @Copilot in #44050
- refactor: split logs_orchestrator.go (1284 lines) into 5 focused modules by @pelikhan with @Copilot in #44051
- [linter-miner] linters: add writebytestring β flag w.Write([]byte(s)) calls that should use io.WriteString by @github-actions[bot] in #44101
- Reduce BenchmarkValidation overhead by caching safe-output field order by @pelikhan with @Copilot in #44090
- Reject loopback HTTP MCP servers in network isolation mode by @pelikhan with @Copilot in #44113
- Extend envutil for bool/string access and remove direct CI bypasses by @pelikhan with @Copilot in #44097
- compiler: add evals job for BinEval binary evaluations by @pelikhan with @Copilot in #43700
- Expose memory stores to
on.stepsin pre-activation for deterministic dispatch gating by @pelikhan with @Copilot in #44015 - Emit
sink-visibilityin compiled write-sink guard policies by @lpcox with @Copilot in #44154 - fix(arc-dind): remove --docker-host-path-prefix CLI flag and add explicit workspace mount by @lpcox in #44145
- fix(security): replace curl|sh installer pipes with download+verify (RGS-018) by @pelikhan with @Copilot in #43716
- [log] Add debug logging to parser and workflow files by @github-actions[bot] in #44183
- [community] Update community contributions in README by @github-actions[bot] in #44171
- feat: refuse builtin fields in set_issue_field by @pelikhan with @Copilot in #44170
- Bump AWF to v0.27.27 and MCPG to v0.4.0 by @lpcox with @Copilot in #44173
- Replace hard-coded activation symlink path literals with named/shared path constants by @pelikhan with @Copilot in #44177
- fix: populate required-labels and required-title-prefix in update-pull-request and update-issue parsers by @pelikhan with @Copilot in #44168
Full Changelog: v0.82.3...v0.82.4