v0.57.0

🌟 Release Highlights

This release delivers a meaningful rename that clarifies the product model, a new concurrency primitive for fan-out workflows, and a focused round of reliability fixes across safe-outputs and developer tooling.

⚠️ Breaking Changes

safe-inputs renamed to mcp-scripts

The safe-inputs frontmatter field has been renamed to mcp-scripts throughout the compiler, schema, documentation, and runtime to better reflect its purpose as a lightweight MCP Script host.

Migration: Run the built-in codemod to update your workflows automatically:

gh aw fix --write safe-inputs-to-mcp-scripts

All documentation, environment variables, log messages, and shared workflows have been updated accordingly. (#20115)

---

✨ What's New

concurrency.job-discriminator for fan-out workflows

A new job-discriminator field in the concurrency frontmatter block prevents concurrent fan-out runs from cancelling each other. When set, the expression is appended to compiler-generated job-level concurrency groups (agent, output jobs), making each dispatch unique.

# Allow concurrent runs dispatched with different inputs
concurrency:
  job-discriminator: $\{\{ inputs.finding_id }}

# Use run_id for scheduled workflows with no distinguishing input
concurrency:
  job-discriminator: $\{\{ github.run_id }}

This is especially useful for workflows invoked in batch — such as per-repository analysis jobs — where the default static concurrency group would cancel all-but-two concurrent runs. (#20190)

---

🐛 Bug Fixes & Improvements

Safe-Outputs reliability:

• created_issue_* outputs now emitted correctly — created_issue_number and created_issue_url were silently dropped after a successful create-issue action due to the handler manager never calling the emitter. Workflows gating on these outputs will now work as expected. (#20130)
• pull_request_target events now recognized as PR context — Safe-output operations using target: "triggering" (e.g., update-pull-request) were silently skipped or failed when triggered via pull_request_target. (#20198)
• Cross-repo safe-outputs now pass GITHUB_TOKEN to git CLI — Custom token sources are now wired into the GITHUB_TOKEN environment variable for create-pull-request and push-to-pull-request-branch steps involving cross-repo checkouts. (#19890)

Tooling fixes:

• gh aw health now finds workflow runs — The path field was accidentally dropped from the gh run list query, causing the .lock.yml filter to discard every run and always report "No workflow runs found". (#20221)
• Firewall analysis no longer inflates blocked counts — Internal Squid error entries (client ::1:, domain -) were being counted as blocked requests. (#20137)
• Campaign discovery no longer crashes — The campaign workflow step now inlines discovery logic instead of referencing /opt/gh-aw/actions/campaign_discovery.cjs, which is not a built-in module. (#20109)
• repo-memory no longer fails on repos without a Wiki — The __GH_AW_WIKI_NOTE__ placeholder in repo_memory_prompt.md is now correctly substituted when wiki: true is not set. (#20236)
• create-pull-request integer expires values now converted correctly — Integer values (e.g., expires: 14) representing days were previously stored as-is instead of being converted to hours. (#20231)
• Agent failure issues now use cleaner titles — Pre-agent stage denomination removed; failure issues always use the format [aw] (workflow-name) failed. (#20146)

Engine parity:

• Codex runs now display a rich session preview in the "Parse agent logs" step, matching the output format of Copilot, Claude, and Gemini engines. (#20199)

No-op runs:

• The auto-created no-op runs issue template now includes a helpful tip explaining how to disable reporting via safe-outputs. (#20229)

---

📚 Documentation

• Cost management reference guide updated with gh aw logs monitoring section and corrected skip-if-match / skip-if-no-match YAML examples. (#20128)
• Getting-started MCP guide streamlined by 21% — duplicate content and verbose tables removed. (#20136)
• Project Operations page updated with improved authentication guidance and visual examples. (#20165)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [log] Add debug logging to MCP inspection, workflow resolution, and repo memory by @github-actions[bot] in #20119
• fix: inline campaign discovery logic in campaign workflow step by @Copilot in #20109
• [WIP] Improve cost management reference documentation by @Copilot in #20128
• fix(safe-outputs): emit created_issue_* outputs from handler manager by @Copilot in #20130
• [instructions] Sync github-agentic-workflows.md with v0.40.1 — document safe-outputs step action outputs by @github-actions[bot] in #20134
• [docs] docs: unbloat getting-started-mcp guide by @github-actions[bot] in #20136
• Rename safe-inputs to mcp-scripts by @Copilot in #20115
• fix: expose GITHUB_TOKEN env var for cross-repo git CLI operations in safe outputs by @Copilot in #19890
• Fix firewall analysis inflating blocked count with internal Squid error entries by @Copilot in #20137
• [WIP] Fix agent failure issue creation by removing pre-agent denomination by @Copilot in #20146
• [jsweep] Clean assign_to_agent.cjs by @github-actions[bot] in #20155
• [docs] Update documentation for features from 2026-03-09 by @github-actions[bot] in #20159
• chore: update project ops page by @mnkiefer in #20165
• [docs] Update glossary - weekly full scan by @github-actions[bot] in #20191
• [architecture] Update architecture diagram - 2026-03-09 by @github-actions[bot] in #20175
• [specs] Update layout specification - 2026-03-09 by @github-actions[bot] in #20170
• fix(safe-outputs): include pull_request_target in PR context detection by @Copilot in #20198
• Fix broken anchor links in project-ops docs causing CI build failure by @Copilot in #20173
• Show Codex session preview in parse agent log step like other engines by @Copilot in #20199
• Add concurrency.job-discriminator to prevent fan-out cancellations in job-level concurrency groups by @Copilot in #20190
• Add GFM tip to no-op runs issue template explaining how to disable reporting by @Copilot in #20229
• fix: use preprocessExpiresField for create-pull-request integer expires conversion by @samueltauil in #20231
• fix: gh aw health always returns "No workflow runs found" by @Copilot in #20221
• Fix __GH_AW_WIKI_NOTE__ placeholder not substituted when wiki is disabled by @Copilot in #20236

New Contributors

• @samueltauil made their first contribution in #20231

Full Changelog: v0.56.2...v0.57.0

v0.56.2

🌟 Release Highlights

This release focuses on reliability improvements across protected-file handling, setup CLI pinning, and cross-repo workflows — along with an upgrade to GitHub MCP server v0.32.0 and a new strict allowlist feature for protected-file protection.

✨ What's New

• allowed-files strict allowlist for protected-file PR safe outputs (#20051) — You can now configure an explicit allowlist of files that are permitted in protected-file PRs. Any file outside the allowlist is blocked, giving teams tighter control over what agents can modify in sensitive branches.

🐛 Bug Fixes & Improvements

• Protected-file fallback-to-issue now works when workflows permission is absent (#20106) — When an agent patch touches .github/workflows/ files and the GitHub App lacks workflows permission, gh-aw now correctly creates a fallback review issue rather than silently failing.
• Default branch no longer hardcoded to main (#20099) — create_pull_request and related operations now query the repository's actual default branch, fixing failures in repos using master, develop, or any non-main default.
• add-wizard correctly syncs working tree after PR merge (#20094) — Switching to the default branch after merging a wizard-created PR ensures workflow files are visible immediately, eliminating "workflow file not found" errors.
• setup-cli action now respects pinned version input (#20081) — The action verifies the installed version matches the requested version after gh extension install, falling back to a manual binary download if there's a mismatch.
• Safe output handler gracefully handles custom safe output job types (#20114) — Unknown job types no longer surface as unhandled errors; they are now logged and skipped cleanly.

⚡ Performance

• Compiled regex patterns moved to package-level variables (#20073, #20079) — regexp.MustCompile calls across pkg/cli, pkg/workflow, and the expression-validation hot path are now initialized once at startup rather than on every invocation, reducing allocation pressure in high-frequency compilation paths.

🔧 Dependencies & Infrastructure

• GitHub MCP server upgraded to v0.32.0 (#20100) — Picks up the latest GitHub MCP tooling improvements and bug fixes.

📚 Documentation

• New Cost Management reference page (#20078) — Added guidance on understanding and controlling the compute costs associated with running agentic workflows.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @dsyme for Change to protected file not correctly using a fallback issue (#20103)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Add missing scanner.Buffer() calls to prevent silent truncation in gateway_logs.go by @Copilot in #20074
• chore: hoist regexp.MustCompile calls to package-level vars across pkg/cli and pkg/workflow by @Copilot in #20073
• perf: hoist regexp.MustCompile calls to package-level vars in validateExpressionForDangerousProps by @Copilot in #20079
• IMP-003: Move generateCustomJobToolDefinition to safe_outputs_config_generation.go by @Copilot in #20080
• docs: add Cost Management reference page by @Copilot in #20078
• Fix setup-cli action ignoring pinned version input by @Copilot in #20081
• fix: query repo default branch instead of hardcoding 'main' (#20098) by @dsyme in #20099
• [dead-code] chore: remove dead functions — 9 functions removed by @github-actions[bot] in #20101
• fix: switch to default branch before pulling after add-wizard PR merge by @Copilot in #20094
• fix: create protected-file review issue when push fails due to workflows permission by @dsyme in #20106
• Update MCP gateway GitHub guard terminology by @claude in #20096
• Upgrade GitHub MCP server to v0.32.0, recompile workflows by @Copilot in #20100
• Add allowed-files strict allowlist for protected-file protection on PR safe outputs by @Copilot in #20051
• Fix safe output handler to gracefully ignore custom safe output job types by @Copilot in #20114
• [code-simplifier] refactor: simplify generateCustomJobToolDefinition and extractDispatchWorkflowNames by @github-actions[bot] in #20107

Full Changelog: v0.56.1...v0.56.2

v0.56.1

🌟 Release Highlights

This release focuses on reliability and correctness — fixing several subtle but impactful bugs in sandbox execution, bot identity matching, workflow compilation, and safe-output handling, alongside expanded documentation.

🐛 Bug Fixes & Improvements

• Bot identity canonicalization — on.bots allow-lists now correctly match GitHub App actors regardless of whether they appear as my-app or my-app[bot]. Previously, the exact-string mismatch silently blocked activations. (#20059)

• AWF sandbox git identity — The first git commit inside an AWF sandbox no longer fails with "Author identity unknown." Host Git identity environment variables are now injected into sandbox execution steps, preserving the caller's author/committer info. (#20056)

• dispatch-workflow compile-order independence — Workflows that dispatch other workflows in the same compile batch no longer require a specific compilation order. Targets that exist as .md files (without a pre-existing .lock.yml) are now accepted. (#20057)

• safe-outputs: failures now fail the workflow — When a safe-output handler returns {success: false}, the step now calls core.setFailed() and exits non-zero. Previously, failures were only emitted as warnings and the workflow continued as successful. (#20055)

• Gateway log truncation fix — Log lines exceeding 64 KB in gateway.jsonl (common with large AI tool call payloads) were silently truncated. Missing scanner.Buffer() calls have been added to prevent this. (#20074)

• Firewall analysis blocked domain display — The firewall log viewer now correctly shows the destination IP:port for iptables-dropped traffic instead of displaying "-". (#20016)

📚 Documentation

• Docker-based MCP server configuration — The MCP server reference now covers running gh-aw as an MCP server via Docker, for environments where the gh CLI is not installed locally. (#20053)

• Workflow status message style guide — A new .github/aw/messages.md establishes consistent conventions for tone and emoji usage in safe-outputs status messages across all workflows. (#20052)

• Updated feature documentation and permissions reference cleanup. (#20020, #20003)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @samuelkahessay for safe-outputs: handler failures never escalated to core.setFailed() (#20035)
• @strawgate for Agent sandbox git identity missing: first commit fails, then agent self-configures (#20033)
• @samuelkahessay for dispatch-workflow validation is compile-order dependent (#20031)
• @samuelkahessay for on.bots matching is exact-string only and fails for (slug) vs (slug)[bot] (#20030)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [docs] docs: reduce bloat in permissions.md by @github-actions[bot] in #20003
• [docs] Update documentation for features from 2026-03-08 by @github-actions[bot] in #20020
• Fix firewall analysis showing "-" instead of actual blocked domains for iptables-dropped traffic by @Copilot in #20016
• fix: canonicalize bot identifiers so <slug> and <slug>[bot] match in on.bots by @Copilot in #20059
• docs: add Docker-based MCP server configuration by @Copilot in #20053
• safe-outputs: escalate handler failures to core.setFailed() by @Copilot in #20055
• Fix dispatch-workflow validation: accept .md-only targets in same compile batch by @Copilot in #20057
• Add workflow status message style guide by @Copilot in #20052
• Fix: Inject git identity env vars into AWF sandbox execution steps by @Copilot in #20056

Full Changelog: v0.56.0...v0.56.1

v0.56.0

🌟 Release Highlights

This release brings meaningful quality-of-life improvements to workflow automation: smarter add-wizard scheduling, better protection for critical files, and a proactive fix for repo-memory size failures — plus a notable security hardening for git authentication.

✨ What's New

• Schedule frequency picker in add-wizard — When adding a scheduled workflow, gh aw add-wizard now prompts you to choose a frequency (hourly, 3-hourly, daily, weekly, monthly, or custom cron). No more being locked to whatever schedule the upstream workflow shipped with. (#19709)

• Protected-files enforcement in safe outputs — Workflows can now declare protected-files to prevent agents from inadvertently modifying critical files (e.g., AGENTS.md, .github/ configs, runtime manifests). When a push attempts to touch a protected file, safe outputs surfaces a clear remediation message instead of silently failing or overwriting. (#19958)

• Early size validation for repo-memory — A new push_repo_memory MCP tool validates memory size before pushing, catching oversized payloads early and giving agents a chance to trim content rather than failing at upload time. (#19977)

• Remote workflow dependencies fetched on gh aw add — When adding a workflow that uses dispatch-workflow dependencies or declares resources, gh aw add now automatically fetches and saves those assets locally. (#19965)

🐛 Bug Fixes & Improvements

• Security: git credentials no longer written to disk — Git authentication tokens are now passed as environment variables to the fetch subprocess rather than written to .git/config. This closes a window where an attacker monitoring filesystem events (e.g., via inotify) could capture the token. (#19963)

• Cleaner first-run experience for repo-memory — Suppressed 5 spurious GitHub Actions error annotations that appeared on the first run of push_repo_memory (where git fetch/git pull failing is expected because the memory branch doesn't exist yet). (#19979)

• Clearer compile command help text — The gh aw compile short description now explicitly states it converts .md files to .lock.yml, removing a common source of confusion for new users. (#19988)

📚 Documentation

• Streamlined permissions.md reference (~18% shorter) by consolidating duplicate sections, fixing a broken callout, and correcting heading hierarchy — all technical content preserved. (#20003)

🌍 Community Contributions

A huge thank you to the community members who reported issues resolved in this release:

• @dsyme for repo-memory fails when memory exceeds allowed size (#19976)
• @dsyme for gh aw add-wizard for scheduled workflow should offer choice of frequencies (#19708)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• fix: pass git auth via environment variables instead of writing to .git/config by @Copilot in #19963
• add-wizard: offer schedule frequency selection for scheduled workflows by @Copilot in #19709
• feat(add): fetch dispatch-workflow dependencies and resources when adding remote workflows by @Copilot in #19965
• [code-simplifier] refactor: extract shared sanitizeForFilename helper in generate_git_patch.cjs by @github-actions[bot] in #19980
• Add protected-files support to runtimes and enforce protected file protection in safe outputs by @Copilot in #19958
• fix: suppress spurious error annotations in push_repo_memory for expected git failures by @Copilot in #19979
• feat: Add push_repo_memory MCP tool for early size validation by @Copilot in #19977
• Improve compile command help text to clarify input/output formats by @Copilot in #19988

Full Changelog: v0.55.0...v0.56.0

v0.55.0

🌟 Release Highlights

This release sharpens the developer experience with smarter error messages, a more reliable audit command, and automatic strict-mode enforcement for public repositories.

✨ What's New

• Automatic strict mode for public repositories — Lockdown validation now enforces strict: true automatically for public repos, ensuring agentic workflows default to the safest configuration without requiring manual setup. (#19948)

• "Did you mean?" suggestions for permission typos — When a permission level is mistyped (e.g., rite instead of write), the compiler now surfaces a nearest-match suggestion for nested enum violations, making YAML configuration errors much faster to diagnose. (#19925)

🐛 Bug Fixes & Improvements

• gh aw audit now surfaces ##[error] annotations from flat log files — The audit command previously left the errors array empty for failed runs when GitHub Actions stored logs in the flat per-job format (workflow-logs/{N}_{job_name}.txt). Error annotations are now correctly extracted regardless of log file layout. (#19923)

• CLI consistency fixes across 7 commands — A broken documentation URL in the project new command and several medium/low severity inconsistencies surfaced by automated inspection have been resolved. (#19927)

📚 Documentation

• Environment variables reference updated — Documentation for GITHUB_STEP_SUMMARY support in agent step summaries has been added. (#19928)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [jsweep] Clean assign_to_user.cjs by @github-actions[bot] in #19924
• fix(audit): surface ##[error] annotations from flat GitHub Actions log files by @Copilot in #19923
• fix: resolve 7 CLI consistency issues from automated inspection by @Copilot in #19927
• [docs] Update documentation for features from 2026-03-07 by @github-actions[bot] in #19928
• refactor: implement semantic function clustering improvements across pkg/ by @Copilot in #19926
• fix: "Did you mean?" suggestions for nested enum violations (e.g., permission level typos) by @Copilot in #19925
• [actions] Update GitHub Actions versions by @github-actions[bot] in #19938
• Enforce strict: true for public repositories in lockdown validation by @Copilot in #19948

Full Changelog: v0.54.0...v0.55.0

v0.54.0

🌟 Release Highlights

This release focuses on expanding workflow capabilities with Agent Package Manager support and broader temporary ID coverage, while hardening security and improving reliability for public repository workflows.

✨ What's New

• Agent Package Manager (APM) support — Workflows can now declare microsoft/apm dependencies directly in frontmatter. The compiler emits a SHA-pinned microsoft/apm-action step to install packages before agent execution, making it easier to manage agent dependencies declaratively.

• Temporary IDs for all project operations — #aw_* temporary IDs are now supported across all project-related safe outputs, enabling cross-references between operations within the same workflow run.

• Engines always use latest versions — Agentic engines (Copilot, Claude Code, Codex, Gemini) now bind to "latest" instead of pinned versions, ensuring workflows automatically benefit from the newest AI capabilities without manual version bumps. CLI versions in this release: Claude Code 2.1.70, Copilot CLI 0.0.422, Codex 0.111.0.

🐛 Bug Fixes & Improvements

• Fixed gh aw add auth failure for public repos — The downloadFileFromGitHubWithDepth function now falls back to git/raw-URL when REST client creation fails with an auth error, resolving failures when adding workflows from public repositories in agentic contexts.

• Security: Go module cache disabled in agentic setup — The actions/setup-go step now runs with cache: false in agentic workflows, closing a potential cache poisoning vector via prompt injection. This mirrors the existing mitigation already in place for Node.js.

📚 Documentation

• Streamlined the SideRepoOps patterns page for better readability.

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Update CLI versions: Claude Code 2.1.70, Copilot CLI 0.0.422, Codex 0.111.0 by @Copilot in #19854
• Reclassify 5 minor changesets as major breaking changes by @Copilot in #19870
• fix: disable Go module cache in agentic setup actions to prevent cache poisoning by @Copilot in #19865
• [dead-code] chore: remove 10 dead functions from analyzer batch run by @github-actions[bot] in #19880
• [code-simplifier] refactor: use ExtraWithFields merge in Go go-mod-file setup path by @github-actions[bot] in #19884
• Fix gh aw add auth failure for public repos in agentic workflows by @Copilot in #19853
• [docs] docs: unbloat SideRepoOps page by @github-actions[bot] in #19906
• [docs] Consolidate developer specs: fix 2 tone issues (v3.8) by @github-actions[bot] in #19904
• [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #19902
• [log] Add debug logging to spinner, import processor, and utility packages by @github-actions[bot] in #19894
• Bind all agentic engines to "latest" instead of pinning versions by @Copilot in #19882
• chore(deps): bump express-rate-limit from 8.2.1 to 8.3.0 in /.github/workflows in the npm_and_yarn group across 1 directory by @dependabot[bot] in #19881
• Allow temporary IDs for all project operations by @Copilot in #19573
• Add microsoft/apm dependencies support to frontmatter by @Copilot in #19883

Full Changelog: v0.53.6...v0.54.0

v0.53.6

🌟 Release Highlights

This is a focused patch release that resolves a long-standing step summary truncation issue affecting all AI engines, alongside a documentation improvement and an internal test reliability fix.

🐛 Bug Fixes & Improvements

• Step summary output expanded to 2000 characters — Agent step summaries were silently truncated at 500 characters. This release increases the limit to 2000 characters and correctly forwards GITHUB_STEP_SUMMARY into the sandbox for all engines (Copilot, Codex, Claude, Gemini), ensuring agents can write meaningful summaries without silent data loss. (#19821)

📚 Documentation

• Added a PDF download link to the slides documentation page, making it easier to share and reference presentation materials offline. (#19842)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @danielmeppiel for Step summary truncates agent output at 500 chars with no visible warning (#19810)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Add PDF download link to slides doc page by @Copilot in #19842
• Fix label trigger integration test type assertions for names field by @Copilot in #19843
• Fix step summary truncation: forward GITHUB_STEP_SUMMARY into sandbox for all engines, increase text limit to 2000 chars by @Copilot in #19821

Full Changelog: v0.53.5...v0.53.6

v0.53.5

🌟 Release Highlights

This release focuses on reliability improvements for label-trigger workflows and GitHub App token handling, plus new capabilities for repo memory and the add_comment safe output tool.

✨ What's New

• GitHub Wiki backing for repo-memory — The repo-memory frontmatter now supports a wiki: true flag to use a repository's GitHub Wiki git backend as persistent memory storage, following GitHub Wiki markdown conventions. (#19800)

• Temporary ID support in add_comment — The add_comment safe output tool now accepts temporary_id, enabling cross-referencing of not-yet-created comments within the same workflow run. (#19737)

• /ace slash command workflow — A new built-in workflow responds to /ace in PR comments, generates ACE editor session URLs, and posts a reply linking teammates to a collaborative editing session. (#19741)

🐛 Bug Fixes & Improvements

• Label trigger shorthand now correctly filters by label name — Workflows using on: pull_request labeled my-label were firing on any labeled event due to a Go type mismatch ([]string vs []any). The activation job's if: clause now correctly includes the github.event.label.name condition. (#19824)

• Label trigger shorthand wires item_number for manual dispatch — The compiler now properly wires inputs.item_number as a fallback for entity number expressions in label-shorthand workflows, fixing empty PR/issue numbers on manual workflow_dispatch runs. (#19795)

• assign-to-agent auto-fallback for GitHub App tokens — The Copilot assignment API rejects GitHub App installation tokens, causing "not available as an assignee" failures. The fix auto-falls back to GH_AW_AGENT_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN, while explicit github-token: overrides still take precedence. (#19796)

• MCP compile errors now surface Docker retry instructions — The compile MCP tool previously swallowed helpful guidance when Docker images weren't cached. Users now see actionable retry instructions instead of a bare "docker images not ready" message. (#19792)

• Allowed tool filter respected for mcp-servers section — The tools.allowed filter is now correctly applied when compiling MCP server tool configurations. (#19801)

• GH_AW_HOME defined once at job level — Eliminates repeated fallback macro expansion (\$\{GH_AW_HOME:-/opt/gh-aw}) across workflow steps by hoisting the variable definition to the job level. (#19823)

🌍 Community Contributions

A huge thank you to the community members who reported issues resolved in this release:

• @deyaaeldeen for Bug: Label trigger shorthand does not produce label filter condition in compiled workflow (#19770)
• @deyaaeldeen for Bug: workflow_dispatch item_number not wired into expression extraction for label trigger shorthand (#19773)
• @mason-tim for assign-to-agent fails with GitHub App tokens — Copilot assignment API requires a PAT (#19765)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Add /ace slash command workflow that posts ACE editor session links on PR comments by @Copilot in #19741
• [docs] docs: consolidate repetitive engine sections in engines.md by @github-actions[bot] in #19779
• [docs] Fix 3 tone issues in scratchpad specs (v3.7) by @github-actions[bot] in #19778
• [docs] Self-healing documentation fixes from issue analysis - 2026-03-05 by @github-actions[bot] in #19755
• [code-simplifier] refactor: simplify recent code changes for clarity and idiomaticity by @github-actions[bot] in #19753
• [dead-code] chore: remove dead functions — 8 functions removed by @github-actions[bot] in #19750
• [instructions] Sync github-agentic-workflows.md with release v0.40.1 by @github-actions[bot] in #19777
• Update action pin tests to match updated action_pins.json data by @Copilot in #19794
• fix: surface Docker image retry instructions in MCP compile error message by @Copilot in #19792
• chore(deps): bump dompurify from 3.3.0 to 3.3.2 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #19791
• [docs] Update documentation for features from 2026-03-06 by @github-actions[bot] in #19805
• Fix: wire inputs.item_number fallback for label trigger shorthand workflows by @Copilot in #19795
• feat: add temporary ID support to add_comment tool by @Copilot in #19737
• Fix assign-to-agent failing with GitHub App tokens — auto-fallback to GH_AW_AGENT_TOKEN by @Copilot in #19796
• refactor: resolve 4 semantic function clustering findings by @Copilot in #19799
• Ensure allowed tool filter for mcp-servers section by @Copilot in #19801
• [docs] Update glossary - daily scan by @github-actions[bot] in #19822
• Add wiki flag to repo-memory frontmatter for GitHub Wiki git backing by @Copilot in #19800
• fix: label trigger shorthand missing label filter condition in compiled workflow by @Copilot in #19824
• ci: split CLI MCP Inspect GitHub matrix group, pin upload-artifact action by @Copilot in #19825
• [docs] Update glossary - daily scan by @github-actions[bot] in #19826
• [docs] Update glossary - daily scan by @github-actions[bot] in #19840

Full Changelog: v0.53.4...v0.53.5

v0.53.4

🌟 Release Highlights

This patch release delivers a targeted security fix for GHES environments and documentation improvements, keeping the workflow engine running smoothly across all deployment types.

🐛 Bug Fixes & Improvements

• GHES incremental patch fetch authentication fixed — The push_to_pull_request_branch MCP handler was failing with Cannot generate incremental patch: failed to fetch on GitHub Enterprise Server (GHES) because generate_git_patch.cjs ran git fetch origin without authentication. The fix configures the correct http.(serverUrl)/.extraheader using GITHUB_TOKEN and GITHUB_SERVER_URL (matching the pattern already used in dynamic_checkout.cjs), and uses a try/finally block to ensure the token is removed from .git/config immediately after the fetch — preserving the credential isolation security boundary. (#19685)

📚 Documentation

• Glossary expanded — New terms added: CentralRepoOps (a MultiRepoOps variant using a single private repo as a control plane), Trigger File (a .yml workflow that separates trigger definitions from agentic workflow logic), workflow_call (trigger type enabling compiled workflows to be invoked by other workflows), and Conclusion Job concurrency documentation. (#19712)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @AlexanderWert for safeoutputs-push_to_pull_request_branch fails on fetch (#18703)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [docs] Update glossary - daily scan 2026-03-05 by @github-actions[bot] in #19712
• [actions] Update GitHub Actions versions - 2026-03-05 by @github-actions[bot] in #19707
• [fp-enhancer] Improve pkg/cli: use sliceutil.Filter/Map for functional slice operations by @github-actions[bot] in #19705
• fix: configure git auth for GHES in incremental patch fetch by @Copilot in #19685

Full Changelog: v0.53.3...v0.53.4

v0.53.3

🌟 Release Highlights

This release focuses on reliability and correctness — eliminating workflow toggle loops, hardening enterprise compatibility, and improving the gh aw upgrade experience so lock files stay consistent across commands.

✨ What's New

• Concurrency safety for conclusion jobs — The conclusion job now uses a concurrency group keyed to the workflow run ID, preventing race conditions when multiple workflow runs finish simultaneously (#19616).
• Enterprise GitHub Server support in safe outputs — Hardcoded github.com references in the safe output JavaScript layer have been replaced with GITHUB_SERVER_URL, enabling correct behavior in GitHub Enterprise Cloud environments (#19621).

🐛 Bug Fixes & Improvements

• gh aw upgrade / gh aw compile no longer produce divergent lock files — A long-standing issue where running both commands in sequence caused files to toggle between two states is now fixed (#19681).
• gh aw upgrade no longer corrupts SHA-pinned uses: lines — The upgrader was wrapping the entire uses: value (including the inline # vX.Y.Z comment) in quotes; this is now corrected (#19679).
• Conclusion job survives API failures — The handle_create_pr_error function now degrades gracefully when GitHub API calls fail, preventing conclusion job crashes (#19683).
• Audit command surfaces activation errors — gh aw audit now correctly surfaces errors from the activation job even when no agent artifacts were uploaded, giving clearer diagnostics on early failures (#19678).
• No more duplicate No-Op Runs issues — Transient search failures no longer cause the workflow to create duplicate [aw] No-Op Runs issues (#19613).
• Label constraint messages are unambiguous — Label names containing spaces are now quoted in compiler constraint messages, eliminating parsing ambiguity (#19682).
• Correct pull request history links — History links now use type=pullrequests for accurate navigation (#19676).
• Version-pinning fix applied to install script source — The version-pinning correction is now applied directly to install-gh-aw.sh, the source of truth, rather than a generated copy (#19686).

📚 Documentation

Documentation for the CentralRepoOps pattern has been expanded with trigger file and workflow_call usage examples, and the compilation process guide has been trimmed by ~20% for clarity (#19693, #19664).

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @srgibbs99 for Bug: gh aw upgrade wraps uses value in quotes, including the inline comment (#19640)
• @srgibbs99 for Bug: gh aw upgrade and gh aw compile produce different lock files — toggle endlessly (#19622)
• @samuelkahessay for handle_create_pr_error: unhandled exceptions on API calls crash conclusion job (#19605)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• fix: prevent duplicate [aw] No-Op Runs issues on transient search failure by @Copilot in #19613
• fix: add agentic-workflows label to recompile-needed issues by @Copilot in #19612
• [WIP] Rewrite changes and review tests from pull request 19591 by @Copilot in #19609
• feat: add concurrency group to conclusion job using workflow ID by @Copilot in #19616
• Fix failing JS test: sync expected labels with implementation in check_workflow_recompile_needed by @Copilot in #19628
• chore(deps): bump svgo from 4.0.0 to 4.0.1 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #19665
• [docs] docs: reduce compilation-process.md by ~20% by removing redundant content by @github-actions[bot] in #19664
• [docs] Developer Documentation Consolidation v3.6 — 2 tone fixes by @github-actions[bot] in #19663
• [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #19661
• [log] Add debug logging to tar, schema utilities, MCP config types, and wizard command by @github-actions[bot] in #19651
• Enterprise: replace hardcoded github.com with GITHUB_SERVER_URL in safe output JS by @Copilot in #19621
• [dead-code] chore: remove dead functions — 10 functions removed by @github-actions[bot] in #19643
• chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #19654
• [jsweep] Clean add_reviewer.cjs by @github-actions[bot] in #19680
• fix(audit): surface activation job errors when no agent artifacts were uploaded by @Copilot in #19678
• fix: use type=pullrequests for pull request history links by @Copilot in #19676
• Quote label names in constraint messages to eliminate ambiguity with spaces by @Copilot in #19682
• fix: graceful degradation in handle_create_pr_error when API calls fail by @Copilot in #19683
• fix: migrate version-pinning fix to source file install-gh-aw.sh by @Copilot in #19686
• fix: gh aw upgrade wraps SHA-pinned uses: value in quotes, including inline comment by @Copilot in #19679
• [docs] Update documentation for features from 2026-03-05 by @github-actions[bot] in #19690
• fix: gh aw upgrade and gh aw compile produce identical lock files by @Copilot in #19681
• docs: add trigger file + workflow_call pattern to CentralRepoOps by @Copilot in #19693

Full Changelog: v0.53.2...v0.53.3