build(deps): Bump github/gh-aw from 0.66.1 to 0.68.1 #920

Merged
microsasa merged 2 commits into main from dependabot/github_actions/github/gh-aw-0.68.1
Apr 13, 2026


@dependabot dependabot Bot commented on behalf of github Apr 13, 2026

Bumps github/gh-aw from 0.66.1 to 0.68.1.

Release notes

Sourced from github/gh-aw's releases.

v0.68.1

🌟 Release Highlights

This release delivers a critical Copilot CLI reliability hotfix, a new engine.bare control for AI context management, significant security hardening, and resolutions for 9 community-reported issues.

✨ What's New

  • engine.bare frontmatter field — Disable automatic context loading for supported engines, giving you full control over what the AI agent sees. Use bare: true with copilot (suppresses AGENTS.md and user instructions) or claude (suppresses CLAUDE.md memory files). Unsupported engines emit a compiler warning. (#25661)

  • Frontmatter hash checker improvements — When a stale lock file is detected, the activation job now emits step-by-step [hash-debug] log lines and creates a clear, actionable issue/comment (with progressive disclosure) to guide you through fixing it. (#25571)

  • actions/github-script upgraded to v9 — Scripts now get getOctokit as a built-in context parameter, eliminating the need for dynamic @actions/github imports in safe-output handlers. (#25553)

  • Squash-merge fallback in gh aw add — When a repository disallows merge commits, the setup PR now automatically falls back to squash merge rather than failing. (#25609)

🐛 Bug Fixes & Improvements

  • [Critical] Copilot CLI pinned to v1.0.21 — Fixes Copilot-engine workflows that were hanging indefinitely or producing 0-byte output due to incompatibilities with v1.0.22. v1.0.21 is the last confirmed working version. (#25689)

  • Security: agent-stdio.log permissions hardened — Log file is now pre-created with 0600 permissions before tee writes, preventing world-readable exposure of MCP gateway bearer tokens. Dynamic gateway token redaction added to redact_secrets.cjs. (#25618)

  • Agent file injection fixed for Codex and Gemini — Both engines now read INSTRUCTION from prompt.txt (already assembled by the compiler), eliminating fragile shell-variable injection and double-inclusion of agent file content. (#25681)

  • Claude agent file injection fixed — Claude now reliably reads its agent file via prompt.txt in AWF sandbox mode, resolving crashes caused by --env-all not propagating shell variables into AWF containers. (#25589)

  • Write-to-read codemod no longer converts id-token/copilot-requests — The "Convert write permissions to read" codemod now correctly skips write-only permissions that cannot meaningfully be set to read. (#25604)

  • Race condition in PR checkout — When a PR is merged milliseconds after triggering a workflow (stale state: open in the payload), the agent now re-queries the API before treating the checkout failure as a hard error. (#25581)

  • CLI consistency fixes — Aligned --dir flag semantics across add/add-wizard/compile/fix/upgrade; added missing --dir flag to remove; corrected misleading --no-fix description; improved help text for trial, run, mcp add, and pr transfer. (#25658)

  • smoke-gemini now triggers on the smoke label — Fixes the Gemini smoke test being excluded from the standard PR smoke suite. (#25639)

📚 Documentation

  • firewall-audit-logs artifact reference — New docs/reference/artifacts.md documents all artifact names, their download paths, and the correct way to access token usage data (it lives in firewall-audit-logs, not agent). (#25684)

🌍 Community Contributions

@adamhenson

@bbonafed

... (truncated)

Commits
  • 5a06d31 fix: bump Copilot CLI from v1.0.20 to v1.0.21 (#25689)
  • cc56642 Doc: document firewall-audit-logs artifact name for downstream consumers (#...
  • 5b9e980 feat: add engine.bare frontmatter field to suppress automatic context loading...
  • 17dff22 fix: set supportsNativeAgentFile=false for Codex and Gemini engines; remove a...
  • a0803a5 fix(cli): address 7 CLI consistency issues across help text and flag behavior...
  • e61c83d security: fix agent-stdio.log world-readable exposure and MCP gateway token l...
  • 314d821 refactor: centralize close-flow logic into shared createCloseEntityHandler ...
  • 7b2108a fix(smoke-gemini): trigger on "smoke" label instead of "water" (#25639)
  • c144ee3 test: add regression coverage for .github/agents/ root-relative import path...
  • a8dedce chore: remove dead functions — 5 functions removed (#25630)
  • Additional commits viewable in compare view
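
The agent-stdio.log item in the release notes above describes pre-creating a log with 0600 permissions before `tee` writes to it. The sketch below is an added example, not gh-aw's code: the function names, file names and the bearer-token line are constructed for illustration, and it contrasts the umask-derived mode `tee` produces on its own with the pre-created, owner-only file.

```shell
#!/bin/sh
# Added illustration; function and file names are hypothetical, not gh-aw's.

# Print the 9-character permission string of a file, e.g. "rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Weak pattern: tee creates the log itself, so the mode comes from the
# process umask (commonly 022, which yields a world-readable rw-r--r--).
log_unhardened() {
    ( umask 022; printf '%s\n' "$2" | tee "$1" >/dev/null )
}

# Hardened pattern: create the file owner-only before tee ever opens it.
# umask 077 covers the creation window; chmod covers a file left over from
# an earlier run, because truncating an existing file keeps its old mode.
log_hardened() {
    ( umask 077; : > "$1" ) || return 1
    chmod 600 "$1" || return 1
    printf '%s\n' "$2" | tee "$1" >/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    line='Authorization: Bearer CONSTRUCTED-EXAMPLE-TOKEN'   # constructed sample
    log_unhardened "$dir/weak.log" "$line"
    log_hardened "$dir/hard.log" "$line"
    # A stale, world-readable log from a previous run is tightened as well.
    ( umask 022; : > "$dir/stale.log" )
    log_hardened "$dir/stale.log" "$line"
    printf '%s %s %s\n' "$(mode_of "$dir/weak.log")" \
        "$(mode_of "$dir/hard.log")" "$(mode_of "$dir/stale.log")"
    rm -rf "$dir"
}

demo
```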

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 13, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github/gh-aw-0.68.1 branch from 42768cf to 6af8533 Compare April 13, 2026 15:53
@microsasa microsasa self-requested a review April 13, 2026 15:53
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github/gh-aw-0.68.1 branch from 6af8533 to 620a28b Compare April 13, 2026 16:16
@microsasa
Owner

Fixed — Dependabot only updates the uses: SHA pin but doesn't know about the version: input parameter. Pushed a commit to bump version: v0.66.1 → version: v0.68.1 so both match.
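
A check for the drift described in the comment above, written as an added example rather than code from this repository: it compares the version comment on a SHA-pinned `uses:` line with the `version:` input of the same step. It assumes the pin carries a trailing `# vX.Y.Z` comment and that `with:` follows `uses:`; the workflow snippet and the all-zero SHA are constructed placeholders.

```shell
#!/bin/sh
# Added illustration, not code from this repository. Assumes the pinned step
# carries a trailing "# vX.Y.Z" comment and passes a "version:" input.

# Read workflow YAML on stdin; print one line per step whose version: input
# disagrees with the version comment on its SHA-pinned uses: line.
check_pin_vs_input() {
    awk '
        /^[ \t]*-[ \t]/ { pinned = "" }          # a new step starts
        /^[ \t]*(-[ \t]*)?uses:/ {
            pinned = ""
            if (match($0, /#[ \t]*v[0-9][0-9.]*/)) {
                pinned = substr($0, RSTART, RLENGTH)
                sub(/^#[ \t]*/, "", pinned)
                action = $0
                sub(/^.*uses:[ \t]*/, "", action)
                sub(/@.*$/, "", action)
            }
            next
        }
        pinned != "" && /^[ \t]*version:/ {
            input = $0
            sub(/^[ \t]*version:[ \t]*/, "", input)
            sub(/[ \t]*#.*$/, "", input)          # drop a trailing comment
            gsub(/["\047 \t]/, "", input)         # drop quotes and spaces
            if (input != pinned)
                printf "MISMATCH %s pin=%s input=%s\n", action, pinned, input
            pinned = ""
        }
    '
}

# Constructed sample step; $1 is the version: input to embed. The all-zero
# SHA is a placeholder, not a real gh-aw commit.
sample_workflow() {
    cat <<EOF
steps:
  - name: Install gh-aw CLI
    uses: github/gh-aw/actions/setup-cli@0000000000000000000000000000000000000000 # v0.68.1
    with:
      version: $1
EOF
}

sample_workflow v0.66.1 | check_pin_vs_input   # state Dependabot left behind
sample_workflow v0.68.1 | check_pin_vs_input   # after the follow-up commit
```

Run against real workflow files in CI (for example `check_pin_vs_input < .github/workflows/copilot-setup-steps.yml`) and fail the job when any `MISMATCH` line is printed.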

Copilot AI left a comment

Pull request overview

Updates the pinned github/gh-aw GitHub Action used by the Copilot setup workflow, aligning the workflow with gh-aw v0.68.1.

Changes:

  • Bump github/gh-aw/actions/setup-cli from v0.66.1 to v0.68.1 (SHA pin + version input).

dependabot Bot and others added 2 commits April 13, 2026 09:44
Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.66.1 to 0.68.1.
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@d688a4a...5a06d31)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.68.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Dependabot updated the action SHA pin but not the version input parameter,
causing a mismatch between the setup-cli action (v0.68.1) and the CLI
binary it installs (v0.66.1).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@microsasa microsasa force-pushed the dependabot/github_actions/github/gh-aw-0.68.1 branch from 508ea5e to ef6c7d0 Compare April 13, 2026 16:44
Comment thread .github/workflows/copilot-setup-steps.yml Outdated
@microsasa microsasa enabled auto-merge April 13, 2026 16:47
@microsasa microsasa merged commit 6986d79 into main Apr 13, 2026
6 checks passed
@microsasa microsasa deleted the dependabot/github_actions/github/gh-aw-0.68.1 branch April 13, 2026 16:47
Copilot stopped work on behalf of microsasa due to an error April 13, 2026 16:47
microsasa pushed a commit that referenced this pull request Apr 16, 2026
Lock files were compiled with v0.66.1 but PRs #919/#920 bumped
gh-aw to 0.68.1 without recompiling. The version mismatch caused
all agent workflows to fail with:

  ! 2 MCP servers were blocked by policy: 'github', 'safeoutputs'

Recompiled all 8 workflows with gh-aw v0.68.3 (latest).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>