Skip to content

chore(deps): update github/gh-aw action to v0.81.6#369

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github-gh-aw-0.x
Open

chore(deps): update github/gh-aw action to v0.81.6#369
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github-gh-aw-0.x

Conversation

@renovate

@renovate renovate Bot commented Apr 10, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change
github/gh-aw action minor v0.67.1v0.81.6

Release Notes

github/gh-aw (github/gh-aw)

v0.81.6

Compare Source

🌟 Release Highlights

This release focuses on stability and observability — restoring broken fleet-wide token tracking, hardening CI quality gates, and adding release traceability for merged PRs.

✨ What's New
  • Release PR notifications — A new post-agent release job now automatically comments on every PR included in each release, making it easy to trace which release shipped your changes (#​41834).
  • Loop engineering playbook.github/aw/loop.md codifies patterns from autoloop, goal, and crane into a unified reference for building robust agentic loops (#​41833).
  • Benchstat regression gate — The CI bench job now compares against a stored baseline using benchstat, preventing silent performance regressions from merging (#​41813).
🐛 Bug Fixes & Improvements
  • Restored fleet-wide token usage collectionTokenUsage had been reporting 0 across the entire fleet since June 20 due to two co-conspirating bugs in the conclusion job. Both are fixed, restoring accurate AI credit tracking (#​41823).
  • Security: pinned govulncheck to go.mod version — CI vulnerability scans now use the exact version declared in go.mod and produce reproducible SARIF reports. A local make vuln-sarif target is also available (#​41815).
  • Hardened BYOK Ollama startup — The daily BYOK Ollama test now gates on explicit model and API readiness before proceeding, eliminating pre-agent failures from incomplete startup (#​41838).
  • Stabilized Go Logger Enhancement compile — Fixed exit code 126 caused by unsafe shell glob expansion in the workflow tool allowlist (#​41840).
  • Enforced safe output completion in quality workflow — The daily compiler quality workflow now requires an explicit safe output call, preventing silent no-op runs (#​41841).
🔧 Internal
  • Refactored 5 extreme function-length hotspots (145–650 lines) in pkg/workflow and pkg/cli into focused, testable units (#​41800).
  • SortedKeys sweep and deduplication logic consolidation across the codebase (#​41829).

Generated by 🚀 Release · 32.9 AIC · ⊞ 8.3K


What's Changed

Full Changelog: github/gh-aw@v0.81.5...v0.81.6

v0.81.5

Compare Source

🌟 Release Highlights

This release focuses on org-mode maturity, performance optimizations, and sandbox hardening — making gh aw update/upgrade --org more robust and production-ready while delivering meaningful speed improvements across the compiler and validator.

✨ What's New
  • Action-pin mapping in aw.json (#​41579) — Define action-pin overrides directly in your aw.json configuration, giving you centralized control over pinned action versions.

  • manifest-version now optional in aw.yml (#​41687) — Reduces boilerplate in new workflow files; the field is inferred when omitted.

  • Non-TTY fallback for gh aw add wizard (#​41717) — The interactive add wizard now gracefully falls back to text prompts in non-interactive environments (CI, scripts), unblocking automation pipelines.

  • Org-mode improvements for update/upgrade --org (#​41617, #​41627, #​41719) — Workflow-targeted updates, repo prefiltering, version-tag display, unified repo discovery, and per-repo confirmation prompts (with --yes for CI). The --org flag is now significantly more useful for managing fleets of repositories.

  • Sandbox hardening at 50% baseline (#​41786) — Half of all eligible agentic workflows now run with sandbox.agent.sudo: false, reducing the blast radius of runaway agent steps.

  • Daily detection analysis report workflow (#​41802) — New built-in workflow that generates automated detection analysis reports.

⚡ Performance
  • Lazy-loaded embedded JSON datasets (#​41587) — Embedded compile-time JSON is no longer loaded at startup, reducing memory footprint for CLI commands that do not compile.
  • Lazy-loaded GitHub toolset permissions (#​41755) — Loaded via sync.Once so permission data is only read when needed.
  • Cached regexp in applySanitizePattern (#​41762) — Eliminates repeated regex compilation on hot code paths.
  • Faster ParseWorkflow (#​41772) — Model-alias cycle detection overhead reduced.
🐛 Bug Fixes & Improvements
  • Secret double-escape fix (#​41801) — Custom MCP server env/header secrets are no longer double-escaped in generated lock files.
  • Agent-supplied branch accepted in push_to_pull_request_branch (#​41654) — Fixes a regression where agent-provided branch names were rejected.
  • MODEL_NOT_SUPPORTED detection extended (#​41792) — The pattern now catches 404 "Model not found" responses, improving resilience for unsupported model errors.
  • Bundle manifest path resolution (#​41790) — .github/ paths are now resolved as repo-root-relative in nested bundle manifests.
  • MCP post-completion relaunch is non-fatal (#​41713) — A failed MCP server relaunch after job completion no longer fails the workflow.
  • PR Sous Chef cooldown (#​41759) — Prevents back-to-back comments by enforcing a 30-minute cooldown.
  • Harness exits cleanly (#​41675) — Exits with code 0 when expected safe-outputs were already produced, even when subsequent steps encounter permission-denied errors.
  • GH_AW_POLICY_STRICT enforced at runtime (#​41682) — Non-strict compiled workflows now properly respect the strict policy flag at runtime.
📚 Documentation
  • Blog: Custom Linters, Sergo, Linter Miner & LintMonster (#​41663) — A new blog post walking through the custom linter ecosystem. Read it →
  • gh aw env governance guide (#​41758) — New documentation covering defaults and scope inheritance for environment configuration.

Generated by 🚀 Release · 41.2 AIC · ⊞ 8.3K


What's Changed

Full Changelog: github/gh-aw@v0.81.4...v0.81.5

v0.81.4

Compare Source

🌟 Release Highlights

This release focuses on reliability, performance, and new operational capabilities — fixing silent failures across the compiler and agent harnesses, reducing wasted credits on hot paths, and adding important new tooling.

✨ What's New
  • --org flag for upgrade command (#​41335) — The upgrade command now supports --org and --repos flags, matching the org-wide mode already available in update. Bulk-preview or open upgrade PRs across an entire organization with a single command.

  • Daily YAML Lint Fixer workflow (#​41574) — A new agentic workflow automatically fixes yamllint violations in generated *.lock.yml files, keeping CI lint checks clean without manual intervention.

  • AWF Firewall startup failure detection (#​41472) — Firewall proxy startup failures (e.g., DNS not yet resolving at probe time) are now detected and surfaced in the agent failure issue — making previously silent infra failures immediately actionable.

  • Spec-driven engine.env allowlist (#​41465) — The engine environment variable allowlist is now derived from GetSupportedEnvVarKeys rather than a fragile runtime heuristic, enabling strict: false to be safely removed from smoke workflows.

  • Copilot engine launched from ${GITHUB_WORKSPACE} (#​41459) — The Copilot engine now starts from the workspace root, enabling APM skill discovery for context-aware agent behaviour.

🐛 Bug Fixes & Improvements
  • Silent YAML parse errors fixed (#​41577) — Five yaml.Unmarshal call sites in workflow_builder.go were silently discarding errors, producing empty step lists on malformed YAML with no diagnostic. All errors now propagate correctly.

  • Copilot SDK hang bounded by idle watchdog (#​41572) — After an agent's final tool result, sendAndWait could hang indefinitely until the step timeout killed the runner. A post-completion idle watchdog now bounds this wait, preventing wasted runner minutes.

  • Codex harness no longer drains tokens on rate-limit reconnects (#​41385) — When Codex hit a TPM rate limit and exhausted reconnect retries, the harness kept retrying unnecessarily. It now recognises exhausted-reconnect exits and stops, preserving credits.

  • Claude harness stops retrying on max_runs_exceeded (#​41361) — Fresh-run fallbacks no longer burn the full quota when a session has already hit its 20-invocation limit.

  • Issue Monster false-positive 429 detection eliminated (#​41471) — Rate-limit false positives no longer trigger spurious failure handling.

  • assign_to_agent no longer posts error comments on PRs (#​41475) — Error comments are now only posted to issues, matching expected behaviour.

  • Daily schedule runs restored (#​41362) — Daily schedule runs broken since June 5 are now fixed.

  • workflow_call permissions use union of caller + worker (#​41387) — Imported workflow_call permissions in generated call jobs are now correctly annotated.

⚡ Performance
  • YAML generation is faster (#​41333) — Duplicate run-script scans in the skip-validation fast path collapsed to a single pass, restoring compilation performance.

  • Design Decision Gate costs reduced (#​41332) — Now defaults to Sonnet instead of Opus and skips issue lookups on no-op paths, meaningfully reducing AI credit consumption per run.

🔒 Security
  • Safe-output detection hardened (#​41547) — Detection stays in warn mode on parser/agent failures, ensuring non-reviewable safe outputs are blocked rather than passed through silently.

  • Pi threat-detection model normalisation (#​41545) — Pi threat-detection models are now normalised before Copilot fallback, preventing misclassification due to model name variance.

🔧 Internal
  • Bumped gh-aw-firewall to v0.27.11 and regenerated pinned workflow artifacts (#​41555)
  • Bumped Codex 0.142.1 and Copilot SDK 1.0.4 (#​41430)
  • Extracted shared org-wide runner for update and upgrade commands (#​41553)

Generated by 🚀 Release · 44.1 AIC · ⊞ 8.3K


What's Changed

Full Changelog: github/gh-aw@v0.81.3...v0.81.4

v0.81.3

Compare Source

🌟 Release Highlights

This release focuses on expanded automation reach with org-wide update management, greater expressiveness through GitHub Actions expression support in more places, and a round of critical fixes across Windows, rootless installs, and assignee resolution.

⚠️ Breaking Changes
sandbox.agent.network-isolation renamed to sandbox.agent.default-route

The frontmatter key sandbox.agent.network-isolation has been renamed to sandbox.agent.default-route (#​41302). Update any workflows using this key to use the new name.

✨ What's New
  • Organization-wide gh aw update — Run gh aw update across an entire org with dry-run PR previews before applying changes, making fleet-wide workflow upgrades safer and more auditable (#​41247).
  • Templatable safe-outputs.staged valuessafe-outputs.staged now accepts GitHub Actions expressions (${{ ... }}), enabling dynamic output values at workflow runtime (#​41296).
  • link-sub-issue accepts GitHub expressions — The allowed-repos field in link-sub-issue now supports GitHub Actions expressions for more flexible cross-repo linking (#​41237).
  • ready_for_review trigger supportpull_request_target workflows can now trigger on the ready_for_review event, enabling automation when draft PRs are marked ready (#​41161).
  • GH_HOST support in gh aw trialgh aw trial --clone-repo now correctly honors the GH_HOST environment variable for GHES environments (#​41159).
  • Sudo enabled in agentic sandboxes — All agentic workflow sandboxes now have sudo available by default, unblocking common agent install patterns (#​41313).
  • Firewall v0.27.10 + mcpg v0.3.30 — Network-isolated workflows omit unnecessary sudo from generated lock files; bundled firewall and MCP gateway updated (#​41269).
⚡ Performance
  • Parallelized audit analysisgh aw audit now runs analysis tasks in parallel, significantly reducing latency for long-running workflows (#​41185).
🐛 Bug Fixes
  • Windows ConPTY crash fixed — Removed a compat import that caused gh aw to crash on startup on Windows (#​41235).
  • Rootless AWF installgh aw installs correctly into $HOME/.local without root and properly exports $GITHUB_PATH in rootless environments (#​41310).
  • Copilot assignee resolution restored — Assignee checks now prefer issue-scoped resolution, fixing cases where the wrong user was assigned (#​41306).
  • UpdateContainerPins no longer wipes containers — Fixed a regression where gh aw update erased the entire containers section on every run (#​41262).
  • Locked-PR 422 handled gracefully — Safe outputs now treats HTTP 422 on locked PRs as a soft skip with retry rather than a hard failure (#​41155).
  • Compiler error quality improved — Errors now include accurate YAML context offsets, import hints, and early engine validation to help authors fix issues faster (#​41234).
  • set_issue_type migrated to REST API — Replaced the GraphQL-based set_issue_type safe output with a single REST call for better reliability (#​41241).
  • Linter fixeslenstringsplit false positives with empty separators and ctxbackground false negatives in closures are resolved (#​41188, #​41187).
  • Codex MCP CLI wrapper resolution — Fixed safe output path resolution for the Codex MCP CLI wrapper (#​41242).
📚 Documentation
  • Safe rollout guidance streamlined for clarity (#​41272).
  • Glossary updated with latest terminology (#​41211).

Generated by 🚀 Release · 36.2 AIC · ⊞ 8.3K


What's Changed

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@deepsource-io

deepsource-io Bot commented Apr 10, 2026

Copy link
Copy Markdown

DeepSource Code Review

We reviewed changes in a4ccdc8...53b257c on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
Python May 6, 2026 11:42a.m. Review ↗
Secrets May 6, 2026 11:42a.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@mergify

mergify Bot commented Apr 10, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

  • Entered queue2026-04-10 00:53 UTC · Rule: Github Actions Updates
  • 🚫 Left the queue2026-04-11 00:54 UTC · at 962ccd6975185fe90f9ffcf7f2c85630e810ca44

This pull request spent 1 day 33 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

@kilo-code-bot

kilo-code-bot Bot commented Apr 10, 2026

Copy link
Copy Markdown

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

Changes are routine version bumps in auto-generated workflow lock files (v0.67.1 → v0.81.5). No functional changes detected. This is a Renovate bot update for GitHub Actions.

Files Reviewed (2 files)
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/code-simplifier.lock.yml
Previous Review Summaries (6 snapshots, latest commit 3030fd6)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit 3030fd6)

Status: No Issues Found | Recommendation: Merge

Overview

Changes are routine version bumps in auto-generated workflow lock files (v0.67.1 → v0.80.9). No functional changes detected. This is a Renovate bot update for GitHub Actions.

Files Reviewed (2 files)
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/code-simplifier.lock.yml

Previous review (commit f1d3998)

Status: No Issues Found | Recommendation: Merge

Overview

Full diff review (incremental base unavailable due to history rewrite) — changes are routine version bumps in auto-generated workflow lock files (v0.67.1 → v0.80.9). No functional changes detected.

Files Reviewed (2 files)
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/code-simplifier.lock.yml

Previous review (commit e352849)

Status: No Issues Found | Recommendation: Merge

Overview

Incremental changes since commit 3c9b0f5b5bc6bd47d37bcdaa50f4a6b30ff56d6e are routine version bumps in auto-generated workflow lock files (v0.67.1 → v0.80.5). No functional changes detected.

Files Reviewed (2 files)
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/code-simplifier.lock.yml

Previous review (commit 3c9b0f5)

Status: No Issues Found | Recommendation: Merge

Overview

Full diff review (incremental history unavailable) - changes are routine version bumps in auto-generated workflow lock files. No functional changes detected.

Files Reviewed (2 files)
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/code-simplifier.lock.yml

Previous review (commit f04c221)

Status: No Issues Found | Recommendation: Merge

Overview

Incremental changes since previous review (commit 566df554b2b2750fe192348e6e5aea10cca7db9a) are routine version bumps in auto-generated workflow lock files. No functional changes detected.

Files Reviewed (2 files)
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/code-simplifier.lock.yml

Previous review (commit 566df55)

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/code-simplifier.lock.yml
EOF

Reviewed by laguna-m.1-20260312:free · Input: 244.4K · Output: 2.3K · Cached: 313.1K

@renovate renovate Bot force-pushed the renovate/github-gh-aw-0.x branch from 962ccd6 to 12bb3e3 Compare April 11, 2026 00:53
@renovate renovate Bot changed the title chore(deps): update github/gh-aw action to v0.67.4 chore(deps): update github/gh-aw action to v0.68.1 Apr 11, 2026
@mergify

mergify Bot commented Apr 11, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

  • Entered queue2026-04-11 00:54 UTC · Rule: Github Actions Updates
  • 🚫 Left the queue2026-04-13 17:52 UTC · at 12bb3e3ff9585ab26910b80c10e5309e29b68450

This pull request spent 2 days 16 hours 57 minutes 39 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

@renovate renovate Bot force-pushed the renovate/github-gh-aw-0.x branch from 12bb3e3 to 989e44b Compare April 13, 2026 17:51
@renovate renovate Bot changed the title chore(deps): update github/gh-aw action to v0.68.1 chore(deps): update github/gh-aw action to v0.68.2 Apr 13, 2026
@mergify

mergify Bot commented Apr 13, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

  • Entered queue2026-04-13 17:52 UTC · Rule: Github Actions Updates
  • 🚫 Left the queue2026-04-13 20:31 UTC · at 989e44b1b5e600b4c29575debef4592dbf4a301f

This pull request spent 2 hours 39 minutes 5 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

@renovate renovate Bot force-pushed the renovate/github-gh-aw-0.x branch from 989e44b to aa3aa42 Compare April 13, 2026 20:30
@renovate renovate Bot changed the title chore(deps): update github/gh-aw action to v0.68.2 chore(deps): update github/gh-aw action to v0.68.1 Apr 13, 2026
@mergify

mergify Bot commented Apr 13, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

  • Entered queue2026-04-13 20:32 UTC · Rule: Github Actions Updates
  • 🚫 Left the queue2026-04-15 01:25 UTC · at aa3aa42aa7fe2b49fe23b2ef31a7de0829aec225

This pull request spent 1 day 4 hours 53 minutes 29 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

@renovate renovate Bot force-pushed the renovate/github-gh-aw-0.x branch from aa3aa42 to a1b536b Compare April 15, 2026 01:25
@renovate renovate Bot changed the title chore(deps): update github/gh-aw action to v0.68.1 chore(deps): update github/gh-aw action to v0.68.3 Apr 15, 2026
@sonarqubecloud

Copy link
Copy Markdown

@renovate renovate Bot force-pushed the renovate/github-gh-aw-0.x branch from 3518c9b to f04c221 Compare June 19, 2026 04:53
@renovate renovate Bot changed the title chore(deps): update github/gh-aw action to v0.79.9 chore(deps): update github/gh-aw action to v0.80.5 Jun 19, 2026
@renovate renovate Bot force-pushed the renovate/github-gh-aw-0.x branch from f04c221 to 3c9b0f5 Compare June 22, 2026 07:08
@renovate renovate Bot changed the title chore(deps): update github/gh-aw action to v0.80.5 chore(deps): update github/gh-aw action to v0.80.9 Jun 22, 2026
@renovate renovate Bot force-pushed the renovate/github-gh-aw-0.x branch from 3c9b0f5 to e352849 Compare June 22, 2026 13:03
@renovate renovate Bot changed the title chore(deps): update github/gh-aw action to v0.80.9 chore(deps): update github/gh-aw action to v0.80.5 Jun 22, 2026
@renovate renovate Bot force-pushed the renovate/github-gh-aw-0.x branch from e352849 to f1d3998 Compare June 22, 2026 19:55
@mergify

mergify Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

This pull request spent 3 days 6 hours 50 minutes 20 seconds in the queue, including 6 minutes 35 seconds running CI.

Required conditions to merge
  • any of [🛡 GitHub repository ruleset rule main]:
    • check-neutral = @mergify/Mergify Merge Protections
    • check-skipped = @mergify/Mergify Merge Protections
    • check-success = @mergify/Mergify Merge Protections

Reason

The pull request #369 has been manually updated

Requeued — the merge queue status continues in this comment ↓.

@mergify

mergify Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

This pull request spent 4 hours 52 minutes 3 seconds in the queue, including 50 seconds running CI.

Reason

The pull request #369 has been manually updated

Requeued — the merge queue status continues in this comment ↓.

@mergify

mergify Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

This pull request spent 2 days 11 hours 45 minutes 53 seconds in the queue, including 36 seconds running CI.

Required conditions to merge
  • any of [🛡 GitHub repository ruleset rule main]:
    • check-neutral = @mergify/Mergify Merge Protections
    • check-skipped = @mergify/Mergify Merge Protections
    • check-success = @mergify/Mergify Merge Protections

Reason

The pull request #369 has been manually updated

Requeued — the merge queue status continues in this comment ↓.

@sonarqubecloud

Copy link
Copy Markdown

@mergify

mergify Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

@mergify

mergify Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

@mergify

mergify Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

@mergify

mergify Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants