v0.82.5
Pre-releaseπ Release Highlights
This release focuses on developer guardrails and code quality tooling, hardening ESLint rules, improving compile-time safety, and adding proactive security checks for credential hygiene.
β¨ What's New
-
Workflow-edit guard for stale lock files β A lightweight CI guard now catches agents that edit
.github/workflows/*.mdwithout recompiling the corresponding.lock.yml. This surfaces CI failures early, before the heavyweightcheck-workflow-driftjob runs. (#44238) -
OAuth token detection in activation jobs β The activation job now flags
COPILOT_GITHUB_TOKENandGH_AW_GITHUB_TOKENvalues that are OAuth tokens (gho_...). OAuth tokens are over-provisioned user-scoped credentials unsuitable for automation, and early detection prevents hard-to-debug permission failures downstream. (#44204) -
Runtime sink-visibility β
sink-visibilityin the MCP guard policy config is now computed at runtime instead of baked in at compile time. This eliminates stale configs and removes the network call during compilation. (#44245)
π Bug Fixes & Improvements
-
ESLint:
try/finallywithoutcatchtreated as unprotected βisInsideTryBlockwas returningtruefortry/finallyblocks with nocatchclause. Since a catch-lesstry/finallydoes not suppress thrown errors, these call sites are now correctly flagged. (#44256) -
ESLint:
require-fs-sync-try-catchcatches destructured and aliased fs bindings β The rule previously only matchedfs.method()call patterns, silently missing bindings introduced by destructuring (e.g.,const { appendFileSync } = fs) or aliasing. Unprotected file-system calls using these patterns are now correctly reported. (#44240) -
Designer:
dismiss-pull-request-reviewadded to Safe Output Mapping β The Designer Drift Audit had falsely flagged 15 missing network ecosystem identifiers due to a head-limit truncation bug, and one genuinely missing safe output type (dismiss-pull-request-review). Both are now fixed. (#44209) -
Go code gen:
string()cast emitted for named string types βwritebytestringnow correctly emits astring(s)cast when writing named string types (e.g.,type MyStr string), fixing non-compiling generated code.RunWithSuggestedFixessupport was also added. (#44208)
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
Generated by π Release Β· 26 AIC Β· β 7.6K
What's Changed
- [jsweep] Clean compact_numbers.cjs β add comprehensive test suite by @github-actions[bot] in #44189
- fix(designer): add dismiss-pull-request-review to Safe Output Mapping; fix head limits in drift audit by @pelikhan with @Copilot in #44209
- feat: add lightweight workflow-edit guard for stale lock files by @pelikhan with @Copilot in #44238
- fix(writebytestring): emit string() cast for named string types; add RunWithSuggestedFixes by @pelikhan with @Copilot in #44208
- refactor: compute sink-visibility at runtime instead of compile time by @pelikhan with @Copilot in #44245
- Refactor
getOrCreateListRepoCloneinto focused helpers in parser remote file listing by @pelikhan with @Copilot in #44179 - [instructions] Sync instruction files with release v0.82.4 by @github-actions[bot] in #44252
- fix(eslint-factory): require-fs-sync-try-catch catches destructured and aliased fs bindings by @pelikhan with @Copilot in #44240
- fix(eslint-factory): treat try/finally without catch as unprotected in isInsideTryBlock by @pelikhan with @Copilot in #44256
- feat: detect OAuth tokens in activation job for COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN by @pelikhan with @Copilot in #44204
Full Changelog: v0.82.4...v0.82.5