v0.82.7
Pre-releaseπ Release Highlights
This release delivers significant reliability improvements for ARC/DIND runners, MCP Gateway upgrades, expanded checkout authentication, and a wave of bug fixes and documentation enhancements.
β¨ What's New
-
Safe-output GitHub App checkout auth β Workflows can now authenticate checkouts in
safe_outputsjobs using a GitHub App (checkout.safe-output-github-app), enabling secure, credential-scoped repository access without using personal tokens. (#44444) -
MCP Gateway v0.4.1 β Upgraded the embedded MCP Gateway (
mcpg) to v0.4.1, bringing the latest guard-policy fixes and sink-visibility support to all agentic workflow runs. (#44403) -
Smoke tests for
model: smallalias β A new daily smoke workflow validates that themodel: smallalias resolves correctly end-to-end, catching regressions before they reach production. (#44288) -
Decentralized
label_commandauto-permissions β The compiler now automatically grantspull-requests:readtopre_activationjobs whenlabel_commandis used onpull_requestevents, eliminating a common manual permission boilerplate. (#44282) -
Formal checkout behavior spec β Agent and
safe_outputsjob checkout behavior is now formally specified, giving workflow authors a clear contract for credential availability and repo access. (#44225)
β‘ Performance
- Faster
run-scriptexpression guardrail β CutYAMLGenerationoverhead in therun-scriptexpression guardrail, improving compilation throughput for workflows with many run steps. (#44438)
π Bug Fixes & Improvements
-
ARC/DIND runner fix β Propagating
RunnerConfigto the detection job resolves aENOENTerror on ARC-dind Copilot runners. (#44445) -
Sandbox firewall directory permissions β Root-owned sandbox firewall directories are now reclaimed on reused runners, preventing
EACCESerrors on subsequent runs. (#44276) -
Copilot CLI hang on exit fixed β Reduced the post-completion idle watchdog timeout and added cleanup timeouts, preventing the Copilot CLI from hanging after workflow completion. (#44254)
-
Elixir runtime
erlexposure βerlis now correctly exposed in the AWF sandbox when usingruntimes.elixir. (#44283) -
Nested repo-memory glob matching β Fixed glob matching for memory files stored in nested subdirectories. (#44215)
-
Claude startup failure hardening β Empty-log Avenger runs no longer fail silently; Claude startup failures are now detected and surfaced correctly. (#44332)
-
Safe-outputs graceful fallback β
GH_AW_SAFE_OUTPUTSis now correctly passed to the "Parse agent logs" step, activating the graceful fallback path when needed. (#44354) -
Engine driver schema broadened β The
engine.driverschema description now matches the actual runtime multi-language support, reducing schema validation false positives. (#44355)
π Documentation
-
Sink visibility field β Documented the
sink-visibilityfield in the MCP Gateway write-sink guard policy (spec v1.15.0) and tightened guard-policy prose. (#44373, #44305) -
--force-public-reposproxy flag β The--force-public-reposflag for theproxysubcommand is now documented. (#44360) -
CLI flag alignment β
audit,status,experiments, and legacy--disable-*flags are now consistently documented with their deprecation behavior. (#44312) -
Custom model pricing FAQ β Added a FAQ entry covering custom model pricing in agentic workflow frontmatter. (#44450)
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
Generated by π Release Β· 36.5 AIC Β· β 7.6K
What's Changed
- add smoke-copilot-small workflow to validate
model: smallalias resolution by @pelikhan with @Copilot in #44288 - Fix repo-memory glob matching for nested memory files by @pelikhan with @Copilot in #44215
- Compiler: auto-grant pull-requests:read to pre_activation for decentralized label_command on pull_request events by @pelikhan with @Copilot in #44282
- fix: reduce post-completion idle watchdog and add cleanup timeouts to prevent Copilot CLI hang on exit by @pelikhan with @Copilot in #44254
- docs(parser): document missing internal dependencies in README by @pelikhan with @Copilot in #44308
- docs: document sink-visibility field in MCP Gateway write-sink guard policy (spec v1.15.0) by @lpcox with @Copilot in #44305
- docs: document --force-public-repos flag for proxy subcommand by @lpcox in #44360
- Copilot/document sink visibility field by @lpcox in #44373
- [linter-miner] linter: add bytescomparestring β flag string(a)==string(b) where a,b are []byte by @github-actions[bot] in #44389
- Add formal checkout behavior specification for agent and safe_outputs jobs by @pelikhan with @Copilot in #44225
- [docs] docs: tighten MCP gateway guard-policy prose by @github-actions[bot] in #44365
- fix: broaden engine.driver schema description to match runtime multi-language support by @pelikhan with @Copilot in #44355
- [safe-output-integrator] Add missing safe-output type fixtures and Go test coverage (11 types) by @github-actions[bot] in #44405
- [dead-code] chore: remove dead functions β 1 function removed by @github-actions[bot] in #44330
- fix: pass GH_AW_SAFE_OUTPUTS to "Parse agent logs" step to activate graceful fallback by @pelikhan with @Copilot in #44354
- Normalize report body formatting rules across 11 reporting workflows by @pelikhan with @Copilot in #44314
- Bump MCP Gateway (mcpg) to v0.4.1 by @lpcox with @Copilot in #44403
- Schedule Smoke Copilot Sub Agents workflow to run daily by @pelikhan with @Copilot in #44443
- Align CLI docs and deprecation behavior for audit, status, experiments, and legacy
--disable-*flags by @pelikhan with @Copilot in #44312 - Refactor safe-outputs config parsing into focused workflow modules by @pelikhan with @Copilot in #44313
- SPDD 2026-07-08: close spec sync gaps and enforce add-flow rollback semantics by @pelikhan with @Copilot in #44358
- fix: expose erl in AWF sandbox when using runtimes.elixir by @pelikhan with @Copilot in #44283
- docs: FAQ entry for custom model pricing in agentic workflow frontmatter by @pelikhan with @Copilot in #44450
- Harden Claude startup failure handling for empty-log Avenger runs by @pelikhan with @Copilot in #44332
- perf(workflow): cut YAMLGeneration overhead in run-script expression guardrail by @pelikhan with @Copilot in #44438
- fix: reclaim root-owned sandbox firewall dirs to prevent EACCES on reused runners by @pelikhan with @Copilot in #44276
- fix: propagate RunnerConfig to detection job to fix arc-dind Copilot ENOENT by @pelikhan with @Copilot in #44445
- Add
checkout.safe-output-github-appsupport for safe_outputs checkout auth by @pelikhan with @Copilot in #44444
Full Changelog: v0.82.6...v0.82.7