Skip to content

v0.82.7

Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 09 Jul 03:56
Immutable release. Only release title and notes can be modified.
f78aa11

🌟 Release Highlights

This release delivers significant reliability improvements for ARC/DIND runners, MCP Gateway upgrades, expanded checkout authentication, and a wave of bug fixes and documentation enhancements.

✨ What's New

  • Safe-output GitHub App checkout auth β€” Workflows can now authenticate checkouts in safe_outputs jobs using a GitHub App (checkout.safe-output-github-app), enabling secure, credential-scoped repository access without using personal tokens. (#44444)

  • MCP Gateway v0.4.1 β€” Upgraded the embedded MCP Gateway (mcpg) to v0.4.1, bringing the latest guard-policy fixes and sink-visibility support to all agentic workflow runs. (#44403)

  • Smoke tests for model: small alias β€” A new daily smoke workflow validates that the model: small alias resolves correctly end-to-end, catching regressions before they reach production. (#44288)

  • Decentralized label_command auto-permissions β€” The compiler now automatically grants pull-requests:read to pre_activation jobs when label_command is used on pull_request events, eliminating a common manual permission boilerplate. (#44282)

  • Formal checkout behavior spec β€” Agent and safe_outputs job checkout behavior is now formally specified, giving workflow authors a clear contract for credential availability and repo access. (#44225)

⚑ Performance

  • Faster run-script expression guardrail β€” Cut YAMLGeneration overhead in the run-script expression guardrail, improving compilation throughput for workflows with many run steps. (#44438)

πŸ› Bug Fixes & Improvements

  • ARC/DIND runner fix β€” Propagating RunnerConfig to the detection job resolves a ENOENT error on ARC-dind Copilot runners. (#44445)

  • Sandbox firewall directory permissions β€” Root-owned sandbox firewall directories are now reclaimed on reused runners, preventing EACCES errors on subsequent runs. (#44276)

  • Copilot CLI hang on exit fixed β€” Reduced the post-completion idle watchdog timeout and added cleanup timeouts, preventing the Copilot CLI from hanging after workflow completion. (#44254)

  • Elixir runtime erl exposure β€” erl is now correctly exposed in the AWF sandbox when using runtimes.elixir. (#44283)

  • Nested repo-memory glob matching β€” Fixed glob matching for memory files stored in nested subdirectories. (#44215)

  • Claude startup failure hardening β€” Empty-log Avenger runs no longer fail silently; Claude startup failures are now detected and surfaced correctly. (#44332)

  • Safe-outputs graceful fallback β€” GH_AW_SAFE_OUTPUTS is now correctly passed to the "Parse agent logs" step, activating the graceful fallback path when needed. (#44354)

  • Engine driver schema broadened β€” The engine.driver schema description now matches the actual runtime multi-language support, reducing schema validation false positives. (#44355)

πŸ“š Documentation

  • Sink visibility field β€” Documented the sink-visibility field in the MCP Gateway write-sink guard policy (spec v1.15.0) and tightened guard-policy prose. (#44373, #44305)

  • --force-public-repos proxy flag β€” The --force-public-repos flag for the proxy subcommand is now documented. (#44360)

  • CLI flag alignment β€” audit, status, experiments, and legacy --disable-* flags are now consistently documented with their deprecation behavior. (#44312)

  • Custom model pricing FAQ β€” Added a FAQ entry covering custom model pricing in agentic workflow frontmatter. (#44450)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by πŸš€ Release Β· 36.5 AIC Β· ⊞ 7.6K


What's Changed

  • add smoke-copilot-small workflow to validate model: small alias resolution by @pelikhan with @Copilot in #44288
  • Fix repo-memory glob matching for nested memory files by @pelikhan with @Copilot in #44215
  • Compiler: auto-grant pull-requests:read to pre_activation for decentralized label_command on pull_request events by @pelikhan with @Copilot in #44282
  • fix: reduce post-completion idle watchdog and add cleanup timeouts to prevent Copilot CLI hang on exit by @pelikhan with @Copilot in #44254
  • docs(parser): document missing internal dependencies in README by @pelikhan with @Copilot in #44308
  • docs: document sink-visibility field in MCP Gateway write-sink guard policy (spec v1.15.0) by @lpcox with @Copilot in #44305
  • docs: document --force-public-repos flag for proxy subcommand by @lpcox in #44360
  • Copilot/document sink visibility field by @lpcox in #44373
  • [linter-miner] linter: add bytescomparestring β€” flag string(a)==string(b) where a,b are []byte by @github-actions[bot] in #44389
  • Add formal checkout behavior specification for agent and safe_outputs jobs by @pelikhan with @Copilot in #44225
  • [docs] docs: tighten MCP gateway guard-policy prose by @github-actions[bot] in #44365
  • fix: broaden engine.driver schema description to match runtime multi-language support by @pelikhan with @Copilot in #44355
  • [safe-output-integrator] Add missing safe-output type fixtures and Go test coverage (11 types) by @github-actions[bot] in #44405
  • [dead-code] chore: remove dead functions β€” 1 function removed by @github-actions[bot] in #44330
  • fix: pass GH_AW_SAFE_OUTPUTS to "Parse agent logs" step to activate graceful fallback by @pelikhan with @Copilot in #44354
  • Normalize report body formatting rules across 11 reporting workflows by @pelikhan with @Copilot in #44314
  • Bump MCP Gateway (mcpg) to v0.4.1 by @lpcox with @Copilot in #44403
  • Schedule Smoke Copilot Sub Agents workflow to run daily by @pelikhan with @Copilot in #44443
  • Align CLI docs and deprecation behavior for audit, status, experiments, and legacy --disable-* flags by @pelikhan with @Copilot in #44312
  • Refactor safe-outputs config parsing into focused workflow modules by @pelikhan with @Copilot in #44313
  • SPDD 2026-07-08: close spec sync gaps and enforce add-flow rollback semantics by @pelikhan with @Copilot in #44358
  • fix: expose erl in AWF sandbox when using runtimes.elixir by @pelikhan with @Copilot in #44283
  • docs: FAQ entry for custom model pricing in agentic workflow frontmatter by @pelikhan with @Copilot in #44450
  • Harden Claude startup failure handling for empty-log Avenger runs by @pelikhan with @Copilot in #44332
  • perf(workflow): cut YAMLGeneration overhead in run-script expression guardrail by @pelikhan with @Copilot in #44438
  • fix: reclaim root-owned sandbox firewall dirs to prevent EACCES on reused runners by @pelikhan with @Copilot in #44276
  • fix: propagate RunnerConfig to detection job to fix arc-dind Copilot ENOENT by @pelikhan with @Copilot in #44445
  • Add checkout.safe-output-github-app support for safe_outputs checkout auth by @pelikhan with @Copilot in #44444

Full Changelog: v0.82.6...v0.82.7