Skip to content

v0.82.5

Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 08 Jul 10:26
Immutable release. Only release title and notes can be modified.
f9635a3

🌟 Release Highlights

This release focuses on developer guardrails and code quality tooling, hardening ESLint rules, improving compile-time safety, and adding proactive security checks for credential hygiene.

✨ What's New

  • Workflow-edit guard for stale lock files β€” A lightweight CI guard now catches agents that edit .github/workflows/*.md without recompiling the corresponding .lock.yml. This surfaces CI failures early, before the heavyweight check-workflow-drift job runs. (#44238)

  • OAuth token detection in activation jobs β€” The activation job now flags COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN values that are OAuth tokens (gho_...). OAuth tokens are over-provisioned user-scoped credentials unsuitable for automation, and early detection prevents hard-to-debug permission failures downstream. (#44204)

  • Runtime sink-visibility β€” sink-visibility in the MCP guard policy config is now computed at runtime instead of baked in at compile time. This eliminates stale configs and removes the network call during compilation. (#44245)

πŸ› Bug Fixes & Improvements

  • ESLint: try/finally without catch treated as unprotected β€” isInsideTryBlock was returning true for try/finally blocks with no catch clause. Since a catch-less try/finally does not suppress thrown errors, these call sites are now correctly flagged. (#44256)

  • ESLint: require-fs-sync-try-catch catches destructured and aliased fs bindings β€” The rule previously only matched fs.method() call patterns, silently missing bindings introduced by destructuring (e.g., const { appendFileSync } = fs) or aliasing. Unprotected file-system calls using these patterns are now correctly reported. (#44240)

  • Designer: dismiss-pull-request-review added to Safe Output Mapping β€” The Designer Drift Audit had falsely flagged 15 missing network ecosystem identifiers due to a head-limit truncation bug, and one genuinely missing safe output type (dismiss-pull-request-review). Both are now fixed. (#44209)

  • Go code gen: string() cast emitted for named string types β€” writebytestring now correctly emits a string(s) cast when writing named string types (e.g., type MyStr string), fixing non-compiling generated code. RunWithSuggestedFixes support was also added. (#44208)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by πŸš€ Release Β· 26 AIC Β· ⊞ 7.6K


What's Changed

  • [jsweep] Clean compact_numbers.cjs β€” add comprehensive test suite by @github-actions[bot] in #44189
  • fix(designer): add dismiss-pull-request-review to Safe Output Mapping; fix head limits in drift audit by @pelikhan with @Copilot in #44209
  • feat: add lightweight workflow-edit guard for stale lock files by @pelikhan with @Copilot in #44238
  • fix(writebytestring): emit string() cast for named string types; add RunWithSuggestedFixes by @pelikhan with @Copilot in #44208
  • refactor: compute sink-visibility at runtime instead of compile time by @pelikhan with @Copilot in #44245
  • Refactor getOrCreateListRepoClone into focused helpers in parser remote file listing by @pelikhan with @Copilot in #44179
  • [instructions] Sync instruction files with release v0.82.4 by @github-actions[bot] in #44252
  • fix(eslint-factory): require-fs-sync-try-catch catches destructured and aliased fs bindings by @pelikhan with @Copilot in #44240
  • fix(eslint-factory): treat try/finally without catch as unprotected in isInsideTryBlock by @pelikhan with @Copilot in #44256
  • feat: detect OAuth tokens in activation job for COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN by @pelikhan with @Copilot in #44204

Full Changelog: v0.82.4...v0.82.5