chore(deps): update github/gh-aw action to v0.81.6#369
Conversation
|
|
Overall Grade |
Security Reliability Complexity Hygiene |
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| Python | May 6, 2026 11:42a.m. | Review ↗ | |
| Secrets | May 6, 2026 11:42a.m. | Review ↗ |
Important
AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.
Merge Queue Status
This pull request spent 1 day 33 seconds in the queue, with no time running CI. ReasonThe pull request #369 has been manually updated HintIf you want to requeue this pull request, you can post a |
Code Review SummaryStatus: No Issues Found | Recommendation: Merge OverviewChanges are routine version bumps in auto-generated workflow lock files (v0.67.1 → v0.81.5). No functional changes detected. This is a Renovate bot update for GitHub Actions. Files Reviewed (2 files)
Previous Review Summaries (6 snapshots, latest commit 3030fd6)Current summary above is authoritative. Previous snapshots are kept for context only. Previous review (commit 3030fd6)Status: No Issues Found | Recommendation: Merge OverviewChanges are routine version bumps in auto-generated workflow lock files (v0.67.1 → v0.80.9). No functional changes detected. This is a Renovate bot update for GitHub Actions. Files Reviewed (2 files)
Previous review (commit f1d3998)Status: No Issues Found | Recommendation: Merge OverviewFull diff review (incremental base unavailable due to history rewrite) — changes are routine version bumps in auto-generated workflow lock files (v0.67.1 → v0.80.9). No functional changes detected. Files Reviewed (2 files)
Previous review (commit e352849)Status: No Issues Found | Recommendation: Merge OverviewIncremental changes since commit Files Reviewed (2 files)
Previous review (commit 3c9b0f5)Status: No Issues Found | Recommendation: Merge OverviewFull diff review (incremental history unavailable) - changes are routine version bumps in auto-generated workflow lock files. No functional changes detected. Files Reviewed (2 files)
Previous review (commit f04c221)Status: No Issues Found | Recommendation: Merge OverviewIncremental changes since previous review (commit Files Reviewed (2 files)
Previous review (commit 566df55)Status: No Issues Found | Recommendation: Merge Files Reviewed (2 files)
Reviewed by laguna-m.1-20260312:free · Input: 244.4K · Output: 2.3K · Cached: 313.1K |
962ccd6 to
12bb3e3
Compare
Merge Queue Status
This pull request spent 2 days 16 hours 57 minutes 39 seconds in the queue, with no time running CI. ReasonThe pull request #369 has been manually updated HintIf you want to requeue this pull request, you can post a |
12bb3e3 to
989e44b
Compare
Merge Queue Status
This pull request spent 2 hours 39 minutes 5 seconds in the queue, with no time running CI. ReasonThe pull request #369 has been manually updated HintIf you want to requeue this pull request, you can post a |
989e44b to
aa3aa42
Compare
Merge Queue Status
This pull request spent 1 day 4 hours 53 minutes 29 seconds in the queue, with no time running CI. ReasonThe pull request #369 has been manually updated HintIf you want to requeue this pull request, you can post a |
aa3aa42 to
a1b536b
Compare
|
3518c9b to
f04c221
Compare
f04c221 to
3c9b0f5
Compare
3c9b0f5 to
e352849
Compare
e352849 to
f1d3998
Compare
Merge Queue Status
This pull request spent 3 days 6 hours 50 minutes 20 seconds in the queue, including 6 minutes 35 seconds running CI. Required conditions to merge
ReasonThe pull request #369 has been manually updated Requeued — the merge queue status continues in this comment ↓. |
Merge Queue Status
This pull request spent 4 hours 52 minutes 3 seconds in the queue, including 50 seconds running CI. ReasonThe pull request #369 has been manually updated Requeued — the merge queue status continues in this comment ↓. |
Merge Queue Status
This pull request spent 2 days 11 hours 45 minutes 53 seconds in the queue, including 36 seconds running CI. Required conditions to merge
ReasonThe pull request #369 has been manually updated Requeued — the merge queue status continues in this comment ↓. |
|
Merge Queue Status
|
Merge Queue Status
|
Merge Queue Status
|
Merge Queue Status
|



This PR contains the following updates:
v0.67.1→v0.81.6Release Notes
github/gh-aw (github/gh-aw)
v0.81.6Compare Source
🌟 Release Highlights
This release focuses on stability and observability — restoring broken fleet-wide token tracking, hardening CI quality gates, and adding release traceability for merged PRs.
✨ What's New
.github/aw/loop.mdcodifies patterns from autoloop, goal, and crane into a unified reference for building robust agentic loops (#41833).benchstat, preventing silent performance regressions from merging (#41813).🐛 Bug Fixes & Improvements
TokenUsagehad been reporting0across the entire fleet since June 20 due to two co-conspirating bugs in the conclusion job. Both are fixed, restoring accurate AI credit tracking (#41823).govulnchecktogo.modversion — CI vulnerability scans now use the exact version declared ingo.modand produce reproducible SARIF reports. A localmake vuln-sariftarget is also available (#41815).🔧 Internal
pkg/workflowandpkg/cliinto focused, testable units (#41800).What's Changed
.github/aw/loop.mdplaybook synthesizing loop-engineering patterns from autoloop/goal/crane by @pelikhan with @Copilot in #41833Full Changelog: github/gh-aw@v0.81.5...v0.81.6
v0.81.5Compare Source
🌟 Release Highlights
This release focuses on org-mode maturity, performance optimizations, and sandbox hardening — making
gh aw update/upgrade --orgmore robust and production-ready while delivering meaningful speed improvements across the compiler and validator.✨ What's New
Action-pin mapping in
aw.json(#41579) — Define action-pin overrides directly in youraw.jsonconfiguration, giving you centralized control over pinned action versions.manifest-versionnow optional inaw.yml(#41687) — Reduces boilerplate in new workflow files; the field is inferred when omitted.Non-TTY fallback for
gh aw addwizard (#41717) — The interactive add wizard now gracefully falls back to text prompts in non-interactive environments (CI, scripts), unblocking automation pipelines.Org-mode improvements for
update/upgrade --org(#41617, #41627, #41719) — Workflow-targeted updates, repo prefiltering, version-tag display, unified repo discovery, and per-repo confirmation prompts (with--yesfor CI). The--orgflag is now significantly more useful for managing fleets of repositories.Sandbox hardening at 50% baseline (#41786) — Half of all eligible agentic workflows now run with
sandbox.agent.sudo: false, reducing the blast radius of runaway agent steps.Daily detection analysis report workflow (#41802) — New built-in workflow that generates automated detection analysis reports.
⚡ Performance
sync.Onceso permission data is only read when needed.applySanitizePattern(#41762) — Eliminates repeated regex compilation on hot code paths.ParseWorkflow(#41772) — Model-alias cycle detection overhead reduced.🐛 Bug Fixes & Improvements
push_to_pull_request_branch(#41654) — Fixes a regression where agent-provided branch names were rejected..github/paths are now resolved as repo-root-relative in nested bundle manifests.GH_AW_POLICY_STRICTenforced at runtime (#41682) — Non-strict compiled workflows now properly respect the strict policy flag at runtime.📚 Documentation
gh aw envgovernance guide (#41758) — New documentation covering defaults and scope inheritance for environment configuration.What's Changed
gh aw update --orgto support workflow-targeted updates and repo prefiltering by @pelikhan with @Copilot in #41617GH_AW_POLICY_STRICTat runtime for non-strict compiled workflows by @pelikhan with @Copilot in #41682messagefield with actionable guidance when no runs found by @pelikhan with @Copilot in #41693BannerStyleand standardizingShowWelcomeBannerby @pelikhan with @Copilot in #41716--yesCI bypass by @pelikhan with @Copilot in #41719gh aw envdefaults and scope inheritance by @pelikhan with @Copilot in #41758add_labelsREST payload behind feature flag by @pelikhan with @Copilot in #41725pr-finisherin Copilot nudge by @pelikhan with @Copilot in #41768deploy --orgto run through shared org runner by @pelikhan with @Copilot in #41761sync.Onceby @pelikhan with @Copilot in #41755pkg/consolehelpers across six commands by @pelikhan with @Copilot in #41773.github/paths as repo-root-relative in nested bundle manifests by @mnkiefer with @Copilot in #41790Full Changelog: github/gh-aw@v0.81.4...v0.81.5
v0.81.4Compare Source
🌟 Release Highlights
This release focuses on reliability, performance, and new operational capabilities — fixing silent failures across the compiler and agent harnesses, reducing wasted credits on hot paths, and adding important new tooling.
✨ What's New
--orgflag forupgradecommand (#41335) — Theupgradecommand now supports--organd--reposflags, matching the org-wide mode already available inupdate. Bulk-preview or open upgrade PRs across an entire organization with a single command.Daily YAML Lint Fixer workflow (#41574) — A new agentic workflow automatically fixes yamllint violations in generated
*.lock.ymlfiles, keeping CI lint checks clean without manual intervention.AWF Firewall startup failure detection (#41472) — Firewall proxy startup failures (e.g., DNS not yet resolving at probe time) are now detected and surfaced in the agent failure issue — making previously silent infra failures immediately actionable.
Spec-driven
engine.envallowlist (#41465) — The engine environment variable allowlist is now derived fromGetSupportedEnvVarKeysrather than a fragile runtime heuristic, enablingstrict: falseto be safely removed from smoke workflows.Copilot engine launched from
${GITHUB_WORKSPACE}(#41459) — The Copilot engine now starts from the workspace root, enabling APM skill discovery for context-aware agent behaviour.🐛 Bug Fixes & Improvements
Silent YAML parse errors fixed (#41577) — Five
yaml.Unmarshalcall sites inworkflow_builder.gowere silently discarding errors, producing empty step lists on malformed YAML with no diagnostic. All errors now propagate correctly.Copilot SDK hang bounded by idle watchdog (#41572) — After an agent's final tool result,
sendAndWaitcould hang indefinitely until the step timeout killed the runner. A post-completion idle watchdog now bounds this wait, preventing wasted runner minutes.Codex harness no longer drains tokens on rate-limit reconnects (#41385) — When Codex hit a TPM rate limit and exhausted reconnect retries, the harness kept retrying unnecessarily. It now recognises exhausted-reconnect exits and stops, preserving credits.
Claude harness stops retrying on
max_runs_exceeded(#41361) — Fresh-run fallbacks no longer burn the full quota when a session has already hit its 20-invocation limit.Issue Monster false-positive 429 detection eliminated (#41471) — Rate-limit false positives no longer trigger spurious failure handling.
assign_to_agentno longer posts error comments on PRs (#41475) — Error comments are now only posted to issues, matching expected behaviour.Daily schedule runs restored (#41362) — Daily schedule runs broken since June 5 are now fixed.
workflow_callpermissions use union of caller + worker (#41387) — Importedworkflow_callpermissions in generated call jobs are now correctly annotated.⚡ Performance
YAML generation is faster (#41333) — Duplicate run-script scans in the skip-validation fast path collapsed to a single pass, restoring compilation performance.
Design Decision Gate costs reduced (#41332) — Now defaults to Sonnet instead of Opus and skips issue lookups on no-op paths, meaningfully reducing AI credit consumption per run.
🔒 Security
Safe-output detection hardened (#41547) — Detection stays in warn mode on parser/agent failures, ensuring non-reviewable safe outputs are blocked rather than passed through silently.
Pi threat-detection model normalisation (#41545) — Pi threat-detection models are now normalised before Copilot fallback, preventing misclassification due to model name variance.
🔧 Internal
updateandupgradecommands (#41553)What's Changed
2026062.220.1 by @github-actions[bot] in #41373sandbox.agent.sudo: falseusage to policy target across agentic workflows by @pelikhan with @Copilot in #41463${GITHUB_WORKSPACE}to enable APM skill discovery by @pelikhan with @Copilot in #41459Full Changelog: github/gh-aw@v0.81.3...v0.81.4
v0.81.3Compare Source
🌟 Release Highlights
This release focuses on expanded automation reach with org-wide update management, greater expressiveness through GitHub Actions expression support in more places, and a round of critical fixes across Windows, rootless installs, and assignee resolution.
sandbox.agent.network-isolationrenamed tosandbox.agent.default-routeThe frontmatter key
sandbox.agent.network-isolationhas been renamed tosandbox.agent.default-route(#41302). Update any workflows using this key to use the new name.✨ What's New
gh aw update— Rungh aw updateacross an entire org with dry-run PR previews before applying changes, making fleet-wide workflow upgrades safer and more auditable (#41247).safe-outputs.stagedvalues —safe-outputs.stagednow accepts GitHub Actions expressions (${{ ... }}), enabling dynamic output values at workflow runtime (#41296).link-sub-issueaccepts GitHub expressions — Theallowed-reposfield inlink-sub-issuenow supports GitHub Actions expressions for more flexible cross-repo linking (#41237).ready_for_reviewtrigger support —pull_request_targetworkflows can now trigger on theready_for_reviewevent, enabling automation when draft PRs are marked ready (#41161).gh aw trial—gh aw trial --clone-reponow correctly honors theGH_HOSTenvironment variable for GHES environments (#41159).sudoavailable by default, unblocking common agent install patterns (#41313).sudofrom generated lock files; bundled firewall and MCP gateway updated (#41269).⚡ Performance
gh aw auditnow runs analysis tasks in parallel, significantly reducing latency for long-running workflows (#41185).🐛 Bug Fixes
gh awto crash on startup on Windows (#41235).gh awinstalls correctly into$HOME/.localwithout root and properly exports$GITHUB_PATHin rootless environments (#41310).UpdateContainerPinsno longer wipes containers — Fixed a regression wheregh aw updateerased the entirecontainerssection on every run (#41262).set_issue_typemigrated to REST API — Replaced the GraphQL-basedset_issue_typesafe output with a single REST call for better reliability (#41241).lenstringsplitfalse positives with empty separators andctxbackgroundfalse negatives in closures are resolved (#41188, #41187).📚 Documentation
What's Changed
python-datavizimports from daily reporting workflows by @pelikhan with @Copilot in #41158ready_for_reviewforpull_request_targettriggers by @pelikhan with @Copilot in #41161issue_intents.cjsfalse positive by @pelikhan with @Copilot in #41182Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.