[gh-aw-upgrade] gh-aw upgrade available: v0.80.9 → v0.81.4 #1429

Description

@github-actions

A new version of gh-aw is available. We are currently on v0.80.9, latest is v0.81.4.

Upgrade Assessment

Urgency: Recommended

The upgrade is worth tracking because recent releases include safe-output hardening and a new replace-label safe output that applies directly to the PR Labeler workflow. No open duplicate was found for v0.80.9 → v0.81.4.

Relevant Changes

v0.81.4

Security

  • Safe-output detection hardened (github/gh-aw#41547): release notes say detection now stays in warn mode on parser/agent failures so non-reviewable safe outputs are blocked instead of silently passing through. This repo has many workflows with write-capable safe outputs, for example .github/workflows/gh-aw-pr-labeler.md:60-69 declares add-labels and remove-labels safe outputs.

Bug Fixes

  • Silent YAML parse errors fixed (github/gh-aw#41577): malformed generated YAML now propagates errors instead of producing empty step lists. This is relevant because this repo compiles 52 gh-aw-*.md workflows into generated lock files.
  • workflow_call permissions use union of caller + worker (github/gh-aw#41387): generated call-job permissions are now annotated correctly. Workflows such as .github/workflows/gh-aw-pr-labeler.md:19-44 expose workflow_call inputs and .github/workflows/gh-aw-pr-labeler.md:48-53 declare required permissions.

v0.81.3

Breaking Changes

  • sandbox.agent.network-isolation renamed to sandbox.agent.default-route (github/gh-aw#41302): no matching usage was found in the current gh-aw-*.md workflow configuration, so this does not appear to require a repo change.

Bug Fixes

  • Locked-PR 422 handled gracefully for safe outputs (github/gh-aw#41155): safe outputs now treat HTTP 422 on locked PRs as a soft skip with retry rather than a hard failure. This is relevant to PR-targeting workflows such as .github/workflows/gh-aw-pr-labeler.md.

v0.81.0

Breaking Changes

  • CLI flag rename (github/gh-aw#40822): --skip-secret, --disable-security-scanner, and --disable-release-bump were renamed to --no-secret, --no-security-scanner, and --no-release-bump. No runtime workflow usage was found in the current gh-aw-*.md files.

New Features Worth Adopting

  • replace-label safe-output type (github/gh-aw#40423): this can atomically swap issue/PR labels. The current PR Labeler uses separate add-labels and remove-labels safe outputs in .github/workflows/gh-aw-pr-labeler.md:60-69, and its prompt instructs agents to remove outdated labels first and then add desired labels in .github/workflows/gh-aw-pr-labeler.md:149-152. Switching this workflow to replace-label would reduce partial-update risk when replacing mutually exclusive classification labels.

Upgrade Steps

  • Update GH_AW_VERSION, GH_AW_BUILD_VERSION, and GH_AW_COMPAT_VERSION in Makefile:4-6 from v0.80.9 to v0.81.4.
  • Update .github/workflows/gh-aw-pr-labeler.md to use replace-label where it currently performs remove-then-add replacement with remove-labels and add-labels.
  • Revisit the PR Labeler pre-sanitizer at .github/workflows/gh-aw-pr-labeler.md:70-119 so it recognizes the replace-label output shape once adopted.
  • Run make compile and verify 0 errors, 0 warnings.
  • Review generated lockfile diffs for the v0.81.x compiler/runtime changes.

Generated by Internal: Upgrade Check · 929.4 AIC · ⌖ 15.7 AIC · ⊞ 24.6K ·

  • expires on Jul 3, 2026, 2:24 PM UTC
