v0.82.6
Pre-releaseπ Release Highlights
This release focuses on correctness and reliability β fixing subtle bugs in workflow compilation, strengthening security defaults, and improving developer tooling with new ESLint rules and unit tests.
β¨ What's New
-
ESLint rule:
no-github-request-interpolated-routeβ A new static analysis rule flags interpolated template literals and string concatenation in Octokit.request()route arguments. This prevents malformed URLs and enforces the typed placeholder syntax ({owner},{repo}) that GitHub's REST API expects. (#44268) -
Comment-memory support for deterministic jobs β Custom jobs and
on.stepsflows withrestore-memory: truenow correctly receive the comment-memory config, enabling deterministic steps to consume persisted memory before agent execution. (#44214)
π Bug Fixes & Improvements
-
Safer lockdown defaults on API failure β When the
determine-automatic-lockdownstep cannot fetch repository visibility,sink-visibilitynow defaults to"public"(strict policy) instead of the previously unrecognized"unknown"value, preventing unpredictable guard policy behavior. (#44286) -
Detection job dependency fix β
engine.envvalues referencingneeds.<job>.outputs.*expressions now correctly propagate to thedetectionjob'sneedslist, preventing silent empty-string resolution at runtime. (#44202) -
Lockdown autodetection skip when guard policy is explicit β The
determine-automatic-lockdownstep is now skipped when guard policies are already statically configured in frontmatter, eliminating redundant runtime detection. (#44270) -
Deprecated output references cleaned up β All remaining uses of
needs.activation.outputs.{text,title,body}in tests and specs replaced with the currentsteps.sanitized.outputs.*form, eliminating spurious deprecation warnings. (#44255)
π Documentation
- Token type validation clarified β Auth reference docs now explicitly document that
COPILOT_GITHUB_TOKENandGH_AW_GITHUB_TOKENmust be fine-grained PATs. OAuth user tokens (gho_...) are intentionally rejected at activation with remediation guidance. (#44275, Learn more)
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
Generated by π Release Β· 24.6 AIC Β· β 7.6K
What's Changed
- [spec-extractor] Update package specifications for tty, types, typeutil, workflow by @github-actions[bot] in #44266
- fix: skip lockdown autodetection step when guard policy is explicitly configured by @pelikhan with @Copilot in #44270
- Replace deprecated
needs.activation.outputs.{text,title,body}withsteps.sanitized.outputs.*by @pelikhan with @Copilot in #44255 - fix: detection job missing engine.env job dependencies in needs list by @pelikhan with @Copilot in #44202
- Restore comment-memory config for deterministic memory-read jobs by @pelikhan with @Copilot in #44214
- refactor(workflow): rename same-name/different-semantics helpers to eliminate navigation confusion by @pelikhan with @Copilot in #44149
- [docs] Update documentation for features from 2026-07-08 by @github-actions[bot] in #44275
- [docs] Update glossary - daily scan by @github-actions[bot] in #44273
- feat(eslint): add no-github-request-interpolated-route rule by @pelikhan with @Copilot in #44268
- fix: default sink-visibility to "public" when repository visibility check fails by @pelikhan with @Copilot in #44286
- Add unit tests for StripANSI in pkg/stringutil by @pelikhan with @Copilot in #44277
Full Changelog: v0.82.5...v0.82.6