v0.79.1

🌟 Release Highlights

This patch release sharpens agent resilience, expands automated testing coverage, and delivers targeted bug fixes across codemods, linters, and safe-output handlers.

✨ What's New

• Daily safeoutputs git simulator workflow (#38108) — A new daily agentic workflow continuously validates the safeoutputs git simulation path, catching regressions before they reach users.
• Two new codemods for persistent cross-repo compile failures (#38097) — Automated codemods now resolve recurring compile failures in maui and azure-rest-api-specs, reducing manual triage for common build patterns.
• Dedicated daily Windows CLI integration workflow (#38048) — Windows-specific CLI smoke tests now run on a dedicated daily schedule, giving earlier signal on platform regressions.
• Compact MCP CLI help (#38056) — MCP CLI help output now fits full command and option names within 20–30 lines, making it easier to scan available tools at a glance.

🐛 Bug Fixes & Improvements

• Standardized error codes on safe-output handlers (#38100) — Four safe-output handlers now emit structured USE-001 error codes, making failures easier to identify and debug programmatically.
• Tool-denial handling hardened (#38051, #38036, #38101) — Workflow prompts and failure reports now handle repeated permission-denial patterns more accurately: repeated denials surface before generic warnings, and the last denied request is formatted for clarity.
• sortslice linter precision fix (#38053) — The sortslice analyzer now matches stdlib sort calls by type identity rather than identifier text, eliminating false positives from identically-named non-stdlib functions.
• Windows PowerShell --help/version check fixed (#38115) — Corrects flag detection in the Windows CLI integration workflow so PowerShell-specific invocation patterns are properly validated.
• Hardened validate-yaml lockfile detection in CGO workflow (#38112) — Lockfile presence checks during release builds are now more reliable, preventing false failures in CGO compilation workflows.
• Compacted system prompt blocks (#38049) — Generated system prompts are smaller by flattening redundant XML wrappers and deduplicating guidance, reducing token usage on every agent invocation.

📚 Documentation

• sortslice added to linters namespace docs and public-API spec list, now covering 23 analyzers (#38052).
• Daily documentation and glossary updates for features shipped in this cycle (#38098, #38092).

Generated by 🚀 Release · 108.7 AIC · ⊞ 28.4K

---

What's Changed

• Align workflow designer skill mappings with current AW reference surface by @Copilot in #38033
• Prioritize repeated-permission-denial context over generic missing-tool warning by @Copilot in #38036
• Add dedicated daily Windows CLI integration workflow by @Copilot in #38048
• [instructions] Sync instruction files with release v0.79.0 by @github-actions[bot] in #38077
• Bump @types/node from 25.9.1 to 25.9.2 in /actions/setup/js by @dependabot[bot] in #38082
• Bump golang.org/x/crypto from 0.52.0 to 0.53.0 by @dependabot[bot] in #38081
• [docs] Update glossary - daily scan by @github-actions[bot] in #38092
• [spec-extractor] Update package specifications for stringutil, styles, testutil, timeutil by @github-actions[bot] in #38088
• Bump golang.org/x/mod from 0.36.0 to 0.37.0 by @dependabot[bot] in #38084
• [docs] Update documentation for features from 2026-06-09 by @github-actions[bot] in #38098
• Sync sortslice into linters namespace docs and public-API spec list (23 analyzers) by @Copilot in #38052
• [jsweep] Clean validate_secrets.cjs by @github-actions[bot] in #38031
• chore: remove committed snapshot file and gitignore snapshots by @Copilot in #38104
• feat: daily safeoutputs git simulator agentic workflow by @Copilot in #38108
• sortslice: match stdlib sort calls by type identity, not identifier text by @Copilot in #38053
• Fix Windows PowerShell --help/version checks in Windows CLI integration workflow by @Copilot in #38115
• Harden validate-yaml release-build lockfile detection in CGO workflow by @Copilot in #38112
• Improve tool-denial failure report formatting for last denied request by @Copilot in #38101
• Harden workflow prompts against systemic tool-denial patterns by @Copilot in #38051
• feat: add two codemods for persistent cross-repo compile failures (maui, azure-rest-api-specs) by @Copilot in #38097
• [ab-advisor] A/B experiment: prefetch_strategy for daily-safe-output-optimizer by @Copilot in #38096
• fix(USE-001): add standardized error codes to four safe-output handlers by @Copilot in #38100
• Compact MCP CLI help to show full command/option names within 20/30 lines by @Copilot in #38056
• Removing snapshot test by @Copilot in #38124
• Compact generated system prompt blocks by flattening XML wrappers and removing duplicated guidance by @Copilot in #38049
• Enforce trusted-reviewer triage in pr-finisher/copilot-review and expand gh PR query filters by @Copilot in #38127

Full Changelog: v0.79.0...v0.79.1

v0.79.0

🌟 Release Highlights

v0.79.0 is a significant milestone release centered on the AI Credits (AIC) naming migration, smarter budget guardrails, Windows platform support, and a wave of compiler and tooling improvements.

⚠️ Breaking Changes

• setup-steps rejected on activation/pre-activation jobs — The compiler now fails fast if setup-steps is attached to activation or pre_activation jobs, where it could bypass built-in protection sequencing. Remove setup-steps from these job types before upgrading. (#37441)
• max-runs deprecated → max-turns — The top-level max-runs field is deprecated in favor of the canonical max-turns. Automated migration is available via gh aw fix --write. (#37587)

✨ What's New

• AI Credits (AIC) — complete migration — The project has fully migrated from "Effective Tokens" terminology to "AI Credits (AIC)" across all docs, workflow templates, telemetry, and OpenTelemetry attributes. The cost management docs reflect the new language. (#37692, #37693, #37691)
• max-ai-credits enabled by default — Workflows now default to a 1000 AI Credit budget with no configuration needed. Set max-ai-credits: -1 to disable enforcement entirely for unrestricted runs. (#37585, #37437)
• AIC exhaustion detection & smart retry halting — The harness now detects budget exhaustion from the firewall audit log and correctly classifies it separately from provider HTTP 429 throttling, preventing misleading failure reports and stopping unnecessary retries on credit exhaustion. (#37936, #38022, #38018)
• Windows platform support — A new CWI.yml push-triggered workflow builds the CLI for Windows and runs integration tests to validate cross-OS compatibility. (#37844)
• pr-finisher skill — New skill that guides agents through taking an in-flight PR to merge-ready state: local validation order, failing CI inspection, and iteration discipline. (#37873)
• add-comment: exact-match comment minimization — hide-older-comments.match now supports exact multi-workflow comment minimization, giving workflows precise control over which older comments are hidden. (#37977)
• temporary_id enforcement — create-issue and create-pull-request safe-output calls now require valid #aw_* IDs enforced at the frontmatter and MCP validation layer, preventing stale references leaking into user-facing artifacts. (#37469)
• gh aw compile --use-samples — New hidden flag for deterministic safe-outputs replay, replacing live agentic execution with recorded samples for reproducible testing. (#37359)

🐛 Bug Fixes & Improvements

• Fix gh aw add for long hyphenated repository names — Workflow specs with long hyphenated repo names were incorrectly rejected; parsing is now accurate for all valid owner/repo/path forms. (#37960)
• Fix bundle refs on non-main branch dispatch — refs/heads/<branch> is now correctly included in bundles when the agent HEAD is on the target branch during non-main dispatches. (#37929)
• Stop retrying Copilot CLI PAT-rejection 400 as transient — 400 errors from PAT rejection are now treated as permanent failures, avoiding wasteful retries. (#37937)
• Compiler: quote env scalars with : in YAML — Env values containing : are now properly quoted in compiled YAML, preventing parse errors in generated workflows. (#37706)
• TTY guard for ConfirmAction — Matches existing non-TTY fallback in list.go to prevent hangs in non-interactive environments. (#37933)
• Windows terminal startup guard — Terminal probing on Windows is now skipped when stderr is redirected, preventing hangs in CI environments. (#37823)

⚡ Performance

• Reduced set-memory overhead — High-traffic workflow and CLI paths now use map[string]struct{} sets instead of map[string]bool, reducing allocations in hot paths. (#37480)

📚 Documentation

• AI Credits terminology — All user-facing documentation migrated from "Effective Tokens" to "AI Credits" including the cost management reference. (#37692)
• GH_AW_GITHUB_TOKEN reference and Go cache guidance — New docs covering secure token configuration and Go build cache best practices. (#37583)
• PR lifecycle and setup-steps docs — CONTRIBUTING and DEVGUIDE updated with PR lifecycle guidance; setup-steps docs clarify pre-activation constraints. (#37964, #37436)

Generated by 🚀 Release · 185.4 AIC · ⊞ 28.5K

---

What's Changed

• Enforce bash parser specification invariants in JS Copilot SDK parser by @Copilot in #37394
• Align token-usage tests with table-based summary output (JS shard 3/4) by @Copilot in #37399
• Resolve lint-js failure by formatting new fuzz/parser JS files and preserve fuzz test coverage in CJS CI by @Copilot in #37406
• [aw] Update legacy ET rate-limit guidance to AI Credits-first format by @Copilot in #37400
• Emit compact usage artifact from conclusion job for forecast data access by @Copilot in #37408
• Trim ambient-context wording from generated footer metrics by @Copilot in #37414
• Refactor Antigravity log metrics parsing to meet function-length linter by @Copilot in #37413
• feat: add daily-formal-spec-verifier agentic workflow by @Copilot in #37407
• Stabilize Daily Caveman Optimizer by keeping model-size experiment and fixing small-agent alias by @Copilot in #37402
• recompile: regenerate lock files with dev build by @Copilot in #37422
• agentics-maintenance: run forecast directly without log predownload by @Copilot in #37423
• Use repo UTC for computed expiration times in generated footers by @Copilot in #37424
• Forecast: prefer usage artifact for token AIC, retain legacy agent fallback by @Copilot in #37427
• Use AIC in forecast issue report and consume AIC projection fields by @Copilot in #37428
• Normalize agentic workflow AI budgets to max-ai-credits: 1500 by @Copilot in #37431
• Refresh wasm golden fixtures for compiler output drift by @Copilot in #37433
• Standardize agent failure warnings on GitHub alert callouts by @Copilot in #37430
• Add AIC, ambient context metrics, and history link to noop comments by @Copilot in #37439
• feat(compile): add hidden --use-samples flag for deterministic safe-outputs replay by @dsyme in #37359
• Use usage-only forecast artifacts and cache forecast run logs in maintenance workflow by @Copilot in #37440
• Surface jobs.<job>.setup-steps in .github/aw syntax docs and clarify setup vs pre hook semantics by @Copilot in #37436
• feat(max-ai-credits): allow -1 to disable budget enforcement and steering by @dsyme in #37437
• Target effective-token terminology updates to AI credits in instruction docs by @Copilot in #37432
• Safe-outputs: add schema-driven synonym mapping (incl. camelCase aliases), keep synonym metadata internal to MCP/CLI prompts, and enforce strict unknown-parameter errors; clarify schema constraints by @Copilot in #37421
• Reject setup-steps on activation and pre-activation jobs by @Copilot in #37441
• Improve forecast maintenance diagnostics and timeout behavior by @Copilot in #37447
• Pin Daily Documentation Healer to explicit Claude model variants by @Copilot in #37445
• Include detection AIC in no-op comment footer totals by @Copilot in #37446
• Fix Copilot SDK sample driver BYOK session configuration in Daily Model Inventory workflow by @Copilot in #37454
• Refactor import...

v0.78.3

🌟 Release Highlights

v0.78.3 centers on the AI Credits (AIC) budget system replacing legacy effective-token fields, significant Copilot SDK reliability improvements, and new workflow authoring capabilities including per-job setup steps and a new CLI flag.

⚠️ Breaking Changes

• max-effective-tokens default removed — The implicit 25M effective-token fallback has been removed. Workflows that relied on the default must now set an explicit budget. Use max-ai-credits going forward and run gh aw fix --write to migrate automatically (#37235, #37246). See the Cost Management reference for details.

✨ What's New

• max-ai-credits budget support — Set AI credit spending limits directly in workflow frontmatter and AWF config. Failure reporting and token-usage step summaries now surface AIC context, giving you full visibility into agent spend (#37235, #37374).
• jobs.<job>.setup-steps — A new workflow field that injects custom steps before the compiler setup and App token minting phases. Use it to pre-install tools or bootstrap environments without modifying the compiled output (#37368).
• gh aw compile --gh-aw-ref — A new convenience flag pins compilation to a specific ref, improving reproducibility in CI pipelines (#37313).
• Copilot SDK max-tool-denials guardrail — Agents can no longer spin indefinitely when tools are repeatedly denied; the new guardrail caps runaway denial loops and surfaces the failure clearly (#37161, #37363).
• Centralized cap-exceeded failure tracking — Cap-exceeded failures now roll up into a single tracking issue (cap raised to 50/24h), reducing noise and improving operational observability (#37273).

🐛 Bug Fixes & Improvements

• Copilot driver startup fixed — Removed a runtime minimatch dependency that caused driver startup failures in daily workflows (#37373).
• Piped bash commands through permission checker — The Copilot SDK permission checker now correctly handles piped bash commands, preventing false denials on valid multi-command pipelines (#37369).
• safe-outputs: MCP git hang prevention — The safe-outputs MCP server no longer hangs on git operations; base-branch and checkout manifest support added for resilient execution (#37225, #37299).
• copilot/ provider prefix in AIC lookups — Model AI credit lookups now correctly resolve the copilot/ provider prefix, fixing incorrect cost attribution (#37340).
• SARIF actions: read for private repos — Generated SARIF upload jobs now include the required actions: read permission so code-scanning uploads succeed in private repositories (#37367).
• Workflow timeout propagated to Copilot SDK sessions — SDK driver sessions now inherit the workflow-level timeout, preventing sessions from outliving their parent workflow (#37262).

📚 Documentation

• Safe-output type catalog converted from bullet lists to tables for improved scanability (#37362).
• max-effective-tokens → max-ai-credits migration snippet added to the Cost Management reference (#37387).

Generated by 🚀 Release · 77.2 AIC · ⊞ 28.4K ambient context

---

What's Changed

• Add Copilot SDK max-tool-denials guardrail to stop runaway tool-denied loops by @Copilot in #37161
• Normalize discussion-body heading levels in copilot-pr-nlp-analysis workflow by @Copilot in #37198
• Refactor safe-outputs config: extract handlerRegistry into dedicated file by @Copilot in #37197
• [awf] Bump firewall to v0.25.65 and mcpg to v0.3.23 by @Copilot in #37201
• chore: bump default Claude/Copilot/Codex CLI pins by @Copilot in #37097
• Add smoke-copilot-aoai-apikey workflow for Azure OpenAI BYOK by @Copilot in #37174
• [safeoutputs] Clarify flat MCP arguments and add SafeOutputMCP wrapped-argument fallback by @Copilot in #37208
• refactor: consolidate triplicated import-path resolution, extract engine parse* helpers, inline redundant YAML wrapper by @Copilot in #37162
• test(ci): fix pre-existing failures on main (otlp env, MCP target repo, wasm goldens) by @dsyme in #37226
• fix(safe-outputs): prevent MCP server git hangs; add base-branch + checkout manifest by @dsyme in #37225
• feat: derive heredoc separators from content hash for build stability by @Copilot in #37224
• fix(setup): include safe_outputs_mcp_arguments in safe-outputs copy list by @Copilot in #37229
• Compact AIC labels in generated footers by @Copilot in #37234
• Add max-ai-credits budget support across frontmatter, AWF config, imports, and failure reporting, and remove default max-effective-tokens 25M fallback by @Copilot in #37235
• Add //nolint suppression parity to all CI-enforced custom linters by @Copilot in #37237
• Prune non-schema entries from SharedWorkflowForbiddenFields by @Copilot in #37236
• Align docs-server step names across docs testing workflows by @Copilot in #37238
• fix: wire GH_AW_COPILOT_SDK_SERVER_ARGS into SDK driver permission config by @Copilot in #37240
• Require mandatory Copilot SDK permission handler and codify config-driven behavior by @Copilot in #37245
• Increase per-category failure issue cap from 5 to 25 per day by @Copilot in #37248
• Merge main into feature branch and recompile generated/setup artifacts by @Copilot in #37249
• Deprecate legacy effective-token budget fields and add codemod migration to AI credits by @Copilot in #37246
• Add //nolint suppression support to seenmapbool and tolowerequalfold by @Copilot in #37255
• Enforce tolowerequalfold by converting case-insensitive comparisons to strings.EqualFold by @Copilot in #37256
• Parse Copilot SDK tool-denial logs in permission issue extraction by @Copilot in #37261
• Propagate workflow timeout to Copilot SDK driver sessions by @Copilot in #37262
• Align SafeOutputsConfig YAML tag for create-code-scanning-alert with schema/handler key by @Copilot in #37258
• fix(safe-outputs): re-derive patch/bundle paths and stop double-writing infrastructure fields by @dsyme in #37299
• Prevent stale-base signed replay from synthesizing unrelated changes; enforce policy on GraphQL payload by @Copilot in #36937
• feat(cli): add --gh-aw-ref convenience flag to compile by @dsyme in #37313
• Prevent safe-outputs startup regressions in daily workflows by @Copilot in #37272
• fix(code-simplifier): eliminate python3 bash-policy failures, fix jq split bug, add guardrails by @Copilot in #37268
• [docs] Consolidate developer specifications into instructions file (v9.16) by @github-actions[bot] in #37318
• Increase per-run AI budget for Agentic Token Optimizer to prevent ET cap aborts by @Copilot in #37269
• Replace test set-style map[string]bool usage with map[string]struct{} by @Copilot in #37257
• [aw] Make spec-librarian reliably emit a safe output by @Copilot in #37321
• Update safe-output health failure messaging to AI Credits by @Copilot in #37265
• Fix Copilot SDK headless auth/driver path and tool-permission denials in daily workflows by @Copilot in #37322
• [aw] Pin Daily Go Function Namer experiment to concrete Claude models by @Copilot in #37325
• Add prompt_style A/B experiment to smoke-project workflow by @Copilot in #37326
• [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #37331
• [WIP] Normalize report formatting for non-compliant workf...

v0.78.2

🌟 Release Highlights

This release marks the full transition from Effective Tokens to AI Credits (AIC) as the primary cost metric, while hardening the Copilot SDK driver, tightening safe-outputs contracts, and cleaning up long-deprecated schema fields.

⚠️ Breaking Changes

Several deprecated fields have been removed in this release. Update your workflows before upgrading:

• rate-limit frontmatter field removed — use user-rate-limit instead
• inline-sub-agents and features.inline-agents fields removed — migrate to the sub-agents configuration
• disable-model-invocation removed from the workflow schema
• max-daily-effective-tokens removed — use max-daily-ai-credits instead (see cost management docs)
• models frontmatter field deprecated — compilation warnings will be emitted
• Premium Requests (PRU) support removed
• Copilot SDK driver inlined mode removed — only standalone driver mode is supported

✨ What's New

AI Credits (AIC) — New Cost Accounting Standard

AI Credits (AIC) is now the primary cost metric across gh-aw, replacing Effective Tokens:

• max-daily-ai-credits is a new frontmatter guardrail (docs)
• ΔAIC and AIC columns added to token usage step summary tables for clear cost attribution
• AIC reported in generated footers, OTLP spans, and gh aw forecast output
• A W3C-style AI Credits specification documents the calculation methodology and models.json format
• Model catalog now sourced from models.dev with native cost fields; pricing updated automatically

Copilot SDK Driver Enhancements

• Multi-language driver support: SDK drivers can now be written in any language or use arbitrary commands (docs)
• engine.copilot-sdk-driver field added to override the default driver script
• engine.copilot-sdk is now auto-inferred from engine.copilot-sdk-driver when present
• SDK driver events are now streamed to stderr as JSONL for real-time observability
• Default SDK log level set to all in harness mode for richer debugging

Safe Outputs Improvements

• close-older-pull-requests option added to create-pull-request safe output
• Multi-repo wildcard target-repo now supported in safe-outputs jobs
• REST comment IDs accepted in hide_comment (auto-resolved to GraphQL node IDs)
• add_comment wildcard target misses are now non-fatal
• safe-outputs.mentions.allowed now honored during NDJSON collection
• add_comment with target: "*" now requires an explicit item_number

New Tooling & Workflows

• designer-drift-audit workflow detects when the agentic workflow designer drifts from its spec
• Daily Ambient Context Optimizer workflow automatically reduces prompt overhead in high-traffic daily workflows
• workflow-step-summaries and prompt-token-efficiency skills added to the skills library
• model_size experiment added to 5 daily workflows with a new small-agent alias
• API-proxy steering event counts now surfaced in gh aw logs, gh aw audit, and OTLP spans
• 100M/100K notation now accepted for templatable token-limit fields

🐛 Bug Fixes & Improvements

• Security: Fixed a safe-outputs file-protection bypass via patch-parser differential (#36752)
• Security: Fixed patch/bundle desynchronization in safe-outputs (#36762)
• Fixed YAML corruption in safe-outputs when OTLP header masking is enabled
• Fixed close_pull_request target-repo propagation for cross-repo operations
• Fixed Copilot SDK custom provider resolution in standalone driver main()
• Fixed empty step summary preview for Copilot SDK session events
• Slash command parser now performs precise name matching with dash support
• tolowerequalfold linter avoids false positives on ToLower(x) == x idioms
• gh aw upgrade now verifies the post-upgrade version before reporting success

📚 Documentation

• Renamed assign-to-copilot → copilot-cloud-agent across all guides
• Copilot SDK support, driver configuration, and specification guidance added (docs)
• Cost management page expanded with token-reduction tips and AIC migration guidance (docs)
• Specification docs moved into a dedicated collapsed Specs section for better navigation
• Linter reference expanded to cover all 21 analyzers
• Self-hosted runner compatibility guidance added to workflow constraints

Generated by 🚀 Release · 122 AIC

---

What's Changed

• [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #36545
• [docs] Self-healing documentation fixes from issue analysis - 2026-06-03 by @github-actions[bot] in #36551
• [model-inventory] Update aliases and multipliers for 2026-06-03 inventory by @Copilot in #36555
• [avenger] Update wasm golden files for 2026-06-03 model inventory by @github-actions[bot] in #36560
• Remove compiler-generated GitHub App token invalidation steps and refresh compiled workflow locks by @Copilot in #36556
• Improve slog adapter tests to run in CI and cover handler behavior by @Copilot in #36569
• [community] Update community contributions in README by @github-actions[bot] in #36562
• Add target field support to submit_pull_request_review safe-output by @Copilot in #36546
• [log] Add debug logging to token-limit parser, engine config dir, and inline section helpers by @github-actions[bot] in #36571
• Code Simplifier: allow required validation commands in sandbox tool permissions by @Copilot in #36573
• Refine Copilot SDK-mode tool permission scoping from engine config by @Copilot in #36538
• [jsweep] Clean update_pr_description_helpers.cjs by @github-actions[bot] in #36575
• Add license string support in aw.yml manifest parsing and schema by @Copilot in #36583
• [instructions] Sync instruction files with release v0.78.1 by @github-actions[bot] in #36600
• Refactor copilot SDK driver into self-contained Node program by @Copilot in #36549
• Enforce safe-output completion contract in Daily MCP Tool Concurrency Analysis by @Copilot in #36618
• Slash command parser: precise name matching with dash support by @Copilot in #36622
• Refactor duplicated markdown body/footer assembly into shared helper by @Copilot in #36587
• Ignore disabled workflows in centralized slash/label dispatch routing by @Copilot in #36621
• Reduce first-invocation ambient context; shift detailed guidance to lazy-loaded skills by @Copilot in #36628
• [docs] Update glossary - daily scan by @github-actions[bot] in #36629
• Fix Daily Semgrep Scan: allowlist semgrep.dev and disable telemetry egress by @Copilot in #36631
• [docs] Update documentation for features from 2026-06-03 by @github-actions[bot] in #36635
• [spec-enforcer] Enforce specifications for syncutil, testutil, timeutil by @github-actions[bot] in #36639
• Add Daily Ambient Context Optimizer workflow by @Copilot in #36642
• Add Copilot SDK Driver standalone reference specification by @Copilot in #36632
• [WIP] Fix failing GitHub Actions job test by @Copilot in #36647
• Tighten ET computation details layout and compact model aliases by @Copilot in #36634
• Verify post-upgrade version before reporting gh aw upgrade success by @Copilot in #36648
• fix: add missing target/target-repo/allowed-repos to safe output schemas by @dsyme in #36636
• [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #36658
• Detect runtime for copilot-sdk installs from engine.copilot.command via runtime manager by @Copilot in #36653
• Add self-hosted runner compatibility guidance to workflow constraints by @salmanmkc in #36620
• Align pkg/linters spec dependencies with current analyzer surface by @Copilot in #36660
• Add engine.copilot-sdk-driver to override Copilot SDK driver script by @Copilot in #36662
• Normalize report-formatting guidance in daily MCP concurrency and news workflows by @Copilot in #36665
• Refactor parser config-field extraction into composable helpers to satisfy largefunc limits by @Copilot in #36664
• Remove copilot SDK dri...

v0.78.1

🌟 Release Highlights

This release focuses on Copilot SDK hardening — smarter timeout management and better authentication flow — plus improvements to slash_command routing and safe-outputs configuration.

✨ What's New

• slash_command support across smoke workflows — All smoke agentic workflows now have centralized slash_command handling, making it easier to trigger them consistently via slash commands. (#36522)

• Smarter Copilot SDK session timeouts — The Copilot SDK session timeout is now automatically derived from the agent step timeout (minus 30 seconds), eliminating manual coordination and reducing timeout-related failures. (#36505)

• COPILOT_CONNECTION_TOKEN in headless harness — The Copilot SDK headless harness flow now correctly generates and wires COPILOT_CONNECTION_TOKEN, unblocking authentication in headless execution environments. (#36506)

• deduplicate-by-title for create-issue safe-outputs — The deduplicate-by-title option is now wired into the compiled safe-outputs config for create-issue, preventing duplicate issues from being filed by agents. (#36527)

🐛 Bug Fixes & Improvements

• Copilot CLI Deep Research bash allowlist — Aligned the bash allowlist with the survey commands actually used by the Deep Research prompt, fixing permission errors during research runs. (#36531)

📚 Documentation

• Cost management: max-turns guidance — Added documentation on using max-turns as a cost control mechanism. Learn more (#36529)

Generated by 🚀 Release · sonnet46 972.1K

---

What's Changed

• Stabilize BenchmarkYAMLGeneration by removing safe-update overhead by @Copilot in #36514
• [cli-consistency] Standardize e.g., punctuation across CLI help text by @Copilot in #36513
• Derive Copilot SDK session timeout from agent step timeout (minus 30s) by @Copilot in #36505
• Align max-turns integration test with current frontmatter schema semantics by @Copilot in #36521
• [safe-output-integrator] Add missing safe-output test workflow and compiler test for create-check-run by @github-actions[bot] in #36520
• Generate and wire COPILOT_CONNECTION_TOKEN in Copilot SDK headless harness flow by @Copilot in #36506
• docs: add max-turns to cost management page by @Copilot in #36529
• feat: add slash_command centralized support to all smoke agentic workflows by @Copilot in #36522
• Align Copilot CLI Deep Research bash allowlist with its prompt-driven survey commands by @Copilot in #36531
• Wire create-issue deduplicate-by-title into compiled safe-outputs config by @Copilot in #36527
• Latest slides by @pelikhan in #36541

Full Changelog: v0.78.0...v0.78.1

v0.78.0

🌟 Release Highlights

This release focuses on Copilot SDK 1.0.0 integration, token cost controls, and a round of reliability fixes across agentic engines.

✨ What's New

• Copilot SDK 1.0.0 — Updated to the stable Copilot SDK 1.0.0 and enabled it on 50% of Copilot-backed agentic workflows, with harness fixes for stdin wiring, SDK resolution, and custom-provider setup. (#36495, #36455, #36358)

• max-turns support — All agentic engines now support a top-level max-turns frontmatter field, giving you finer control over agent session length. (#36451)

• Short-form effective-token limits — Token budget fields now accept human-readable shorthand like 100M or 500K in addition to raw integers, across schema, parsers, and docs. (#36496)

• Daily ET guardrail enabled by default — The effective-token guardrail now runs by default on all supported workflows; opt out by setting the limit to -1. (#36392)

• On-demand token audit workflow — A new agentic-token-trend-audit workflow accepts a date-range dispatch input for historical token usage analysis, and now emits daily trend charts. (#36412, #36432)

🐛 Bug Fixes & Improvements

• Fixed the daily ET guardrail step that never failed the activation job; improved conclusion reporting. (#36497)
• Corrected the GraphQL mutation name to markPullRequestReadyForReview. (#36494)
• Added id-token: write permission to the detection job for GitHub OIDC auth. (#36461)
• Fixed the pull-request-target-checkout-false codemod to skip when checkout is a mapping node. (#36453)
• Clarified Copilot 401 errors from the gh-aw API proxy with actionable messages. (#36454)
• Preserved OTEL resource attribution and normalized agent token counters. (#36450)

⚠️ Breaking Changes

• Removed deprecated run-install-scripts frontmatter field — This top-level field has been removed. Migrate to the supported install section if you use it. (#36387)

📚 Documentation

• New Cost Management guide covers the max-daily-effective-tokens guardrail and environment variable configuration. (#36468)

Generated by 🚀 Release · sonnet46 774.4K

---

What's Changed

• Remove estimated cost from audit-workflows report by @Copilot in #36356
• AOAI endpoint smoke test by @davidslater in #36384
• Remove deprecated top-level run-install-scripts frontmatter field by @Copilot in #36387
• Reduce Chaos PR Bundle Fuzzer cadence to weekly by @Copilot in #36386
• Update 2026-06-02 model inventory: add missing Gemini preview multipliers by @Copilot in #36388
• Add sub_agent_strategy A/B experiment to daily AgentRx trace optimizer by @Copilot in #36389
• Keep safe-output token placeholders out of runtime config.json by @Copilot in #36353
• Emit daily ET guardrail by default; disable only on explicit -1 by @Copilot in #36392
• [community] Update community contributions in README by @github-actions[bot] in #36393
• Update agentic-ops workflows by @mnkiefer in #36397
• Align aw.yml install ref resolution with single-workflow latest-release behavior by @Copilot in #36396
• [log] Add debug logging to 5 sparsely-logged Go files by @github-actions[bot] in #36403
• [docs] docs: replace remaining British spelling "behaviour" → "behavior" in docs references by @github-actions[bot] in #36399
• Fix copilot-sdk harness stdin wiring, SDK installation/resolution, custom-provider setup from /reflect, and remove duplicate harness timestamps by @Copilot in #36358
• Add on-demand token audit workflow with date-range dispatch input by @Copilot in #36412
• [instructions] Sync instruction files with release v0.77.5 by @github-actions[bot] in #36430
• Add daily token trend chart output to agentic-token-trend-audit report contract by @Copilot in #36432
• Enable Copilot SDK on 50% of Copilot-backed agentic workflows by @Copilot in #36455
• fix(daily-rendering-scripts-verifier): add missing bash permissions for npx, make, and mkdir by @Copilot in #36449
• [rendering-scripts] fix(copilot-parser): render inline cached token footer (Copilot CLI 1.0.55) by @github-actions[bot] in #36428
• [jsweep] Clean validate_memory_files.cjs by @github-actions[bot] in #36404
• Refactor harness permission-denied handling into shared helper module by @Copilot in #36415
• fix(codemod): skip pull-request-target-checkout-false when checkout is a mapping by @Copilot in #36453
• Allow Python network access in token audit workflows by @Copilot in #36452
• Preserve mini-tier GPT labels in PR Sous Chef footers by @Copilot in #36467
• Refresh package README dependency specs for cli, workflow, and types by @Copilot in #36463
• Clarify Copilot 401 errors from the gh-aw API proxy by @Copilot in #36454
• Recompute effective tokens from raw usage with current weights/multipliers by @Copilot in #36421
• [blog] Agent of the Day – 2026-06-02 by @github-actions[bot] in #36472
• fix: add id-token: write to detection job permissions for github-oidc auth by @Copilot in #36461
• docs: add max-daily-effective-tokens guardrail and env var guidance to Cost Management by @Copilot in #36468
• [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #36471
• Preserve OTEL resource attribution and normalize agent token counters by @Copilot in #36450
• Update bundled Copilot SDK to 1.0.0 and recompile lockfiles by @Copilot in #36495
• SPDD 2026-06-02: spec sync, guard-policy decisions, deprecation notices, integration tests by @Copilot in #36499
• Add top-level max-turns support across agentic engines by @Copilot in #36451
• [docs] docs: unbloat ResearchPlanAssignOps pattern (21% reduction) by @github-actions[bot] in #36503
• fix: correct GraphQL mutation name to markPullRequestReadyForReview by @Copilot in #36494
• fix: daily ET guardrail step never fails activation job; improve conclusion reporting by @Copilot in #36497
• Token trend audit: recompute effective tokens from raw usage by @Copilot in #36504
• Support short-form effective-token limits (100M, 100K) across schema, parsers, and docs by @Copilot in #36496
• [linter-miner] feat(linters): add tolowerequalfold linter by @github-actions[bot] in #36507
• Generate init/upgrade dispatcher file lists from github/gh-aw with embedded fallback by @Copilot in #36493

Full Changelog: v0.77.6...v0.78.0

v0.77.6

🌟 Release Highlights

This release brings native Copilot SDK integration, templatable job timeouts, stricter workflow privacy enforcement, and a wave of bug fixes and internal quality improvements.

✨ What's New

• Copilot SDK harness (#36307): Workflows with copilot-sdk: true now drive Copilot directly via @github/copilot-sdk, enabling tighter, more reliable agent control compared to the CLI harness.
• Templatable timeout-minutes (#36314): Job and step timeout-minutes values now support template expressions (e.g., ${{ inputs.timeout }}), giving workflows dynamic control over timeouts without hardcoding values.
• Private workflow enforcement (#36227): Workflows that declare private: true are now rejected at the manifest level, preventing accidental publication of internal-only workflows to the registry.
• step-summary command dispatching (#36346): The agentic_commands dispatcher now recognises and routes step-summary commands, making agent step summaries consistently available downstream.
• Git credential absence warning (#36269): Agents are now explicitly warned when git credentials are absent after a checkout, reducing confusing authentication failures during push operations.

🐛 Bug Fixes & Improvements

• Cross-repo PR creation (#36250): Fixed false post-create repository validation in cross-repo create_pull_request workflows that caused spurious errors after a PR was successfully opened.
• Sparse-checkout / partial-clone hygiene (#36259, #36260): Cleared lingering partial-clone state after sparse checkouts, and removed partial-clone blob filtering from safe-outputs ref fetches, eliminating a class of fetch failures.
• CI lint fixes (#36295): Resolved copyloopvar, errorlint, modernize, and testifylint lint failures that were blocking the CI pipeline.
• DependaBot ignore pattern (#36222): Fixed the DependaBot ignore pattern for gh-aw-actions to use the exact repository name, preventing unintended dependency suppression.
• applyTo allowlist cleanup (#36309): Removed a vestigial applyTo key from the parser's validFields allowlist that could cause misleading schema validation errors.

📚 Documentation

• Frontmatter reference streamlined (#36300, #36285): Removed outdated permissions.copilot-requests: write recommendation and unbloated the frontmatter reference page for faster scanning.
• push_to_pull_request_branch clarification (#36238): Documented expected behaviour for multi-checkout workflows, reducing confusion when working across repository boundaries.
• Docs updated for 2026-06-01 features (#36235): Reference pages refreshed to reflect features shipped in this cycle.

🔧 Internal

• Compiler orchestrators refactored to respect 60-line function-length limits (#36177).
• Inline skill and sub-agent extraction moved to shared parser helpers (#36247, #36248).
• Code Simplifier and Failure Investigator workflows optimised for lower token usage (#36311, #36286).
• fmt.Errorf calls without verb arguments converted to errors.New across host and WASM targets (#36224).
• golang.org/x/tools linter modernised to use Cursor API and direct assertions (#36221).
• gosec bumped to v2.27.0 (#36220).

Generated by 🚀 Release · sonnet46 798.8K

---

What's Changed

• [log] Add debug logging to token/offset/input helpers by @github-actions[bot] in #36182
• Refactor compiler orchestrators to enforce 60-line largefunc limits (part 1) by @Copilot in #36177
• [instructions] Sync instruction files with release v0.77.5 by @github-actions[bot] in #36212
• [schema-coverage] feat: add schema coverage demo for runs-on-slim field by @github-actions[bot] in #36206
• [schema-coverage] feat: add schema coverage demo for run-name field by @github-actions[bot] in #36205
• [schema-coverage] feat: add schema coverage demo for resources field by @github-actions[bot] in #36203
• [schema-coverage] feat: add schema coverage demo for redirect field by @github-actions[bot] in #36202
• [schema-coverage] feat: add schema coverage demo for private field by @github-actions[bot] in #36200
• chore: update drain3 default log pattern weights by @github-actions[bot] in #36190
• chore(deps): bump github.com/securego/gosec/v2 v2.26.1 → v2.27.0 by @Copilot in #36220
• Add UTC timezone tests for expiration closing comments in issues and PRs by @Copilot in #36229
• [docs] Update documentation for features from 2026-06-01 by @github-actions[bot] in #36235
• [docs] Update glossary - weekly full scan by @github-actions[bot] in #36230
• [model-inventory] Add Sonnet dot-notation alias coverage and missing 2026-06-01 multipliers by @Copilot in #36226
• fix: use exact repo name as DependaBot ignore pattern for gh-aw-actions by @Copilot in #36222
• Enforce manifest-level rejection of workflows that declare private: true by @Copilot in #36227
• Enforce fmterrorfnoverbs: convert no-verb fmt.Errorf → errors.New (2 host + 14 wasm sites) by @Copilot in #36224
• linters: modernize golang.org/x/tools usage — Cursor API, direct assertions, golden fix test by @Copilot in #36221
• Clear partial-clone state after sparse checkouts when filter: '' is intended by @Copilot in #36259
• Remove partial-clone blob filtering from safe-outputs ref fetches by @Copilot in #36260
• Clarify push_to_pull_request_branch behavior for multi-checkout workflows by @Copilot in #36238
• Fix false post-create repo validation in cross-repo create_pull_request workflows by @Copilot in #36250
• [blog] Agent of the Day – 2026-06-01 by @github-actions[bot] in #36272
• Warn agents that git credentials are absent after checkout by @Copilot in #36269
• Remove permissions.copilot-requests: write recommendation from frontmatter reference by @Copilot in #36285
• Refactor workflow cache/action/validation paths by extracting focused helpers by @Copilot in #36248
• [aw] Failure Investigator: cut token overhead by removing redundant sub-agents and tightening prefetch/prompt scope by @Copilot in #36286
• Refactor inline skill/sub-agent extraction to shared parser helpers by @Copilot in #36247
• Fix lint-go CI failures: copyloopvar, errorlint, modernize, testifylint by @Copilot in #36295
• [spdd] Daily spec work plan - 2026-06-01: add Safeguards/Norms/Sync Notes to model-alias, pkg-manifest, and effective-tokens specs by @Copilot in #36293
• [docs] docs: unbloat frontmatter reference by @github-actions[bot] in #36300
• Remove bundled daily-subagent-optimizer workflow artifacts by @Copilot in #36299
• Remove stale CHANGELOG reference from generated release notes by @Copilot in #36302
• Optimize Code Simplifier workflow token footprint via deterministic preprocessing, inline skills, and small-model sub-agents by @Copilot in #36311
• Remove vestigial applyTo from parser validFields allowlist by @Copilot in #36309
• Fix validate-yaml failure by regenerating code-simplifier lock workflow with dev metadata by @Copilot in #36316
• [linter-miner] feat(linters): add seenmapbool linter — flag map[string]bool used as a set by @github-actions[bot] in #36313
• Make timeout-minutes a templatable integer in schema + custom job compilation by @Copilot in #36314
• copilot_harness: drive Copilot via @github/copilot-sdk when copilot-sdk: true by @Copilot in #36307
• Add step-summary command visibility to agentic_commands dispatcher by @Copilot in #36346
• Consolidate LintMonster function-length issues into one tracking workflow by @Copilot in #36347
• Refactor checks_command tests into table-driven suites and add formatter output coverage by @Copilot in #36327

Full Changelog: v0.77.5...v0.77.6

v0.77.5

🌟 Release Highlights

This release tightens the daily effective-workflow guardrail with smarter configuration gating, structured diagnostics, and a bug fix for artifact client setup — plus a project-level UTC offset feature for more accurate timestamps across timezones.

✨ What's New

• Project UTC offset for timestamps (#36142) — Rendered timestamps and expiration messages now respect a configured project UTC offset, so deadlines and expiry notices display correctly for teams in any timezone.
• Structured diagnostics in daily ET guardrail (#36164) — The daily effective-workflow guardrail now emits structured diagnostic output, making it easier to understand and debug guardrail evaluation results.
• close_discussion safe output in Daily Regulatory workflow (#36155) — The Daily Regulatory workflow can now close discussions as part of its safe-output actions, completing the full discussion lifecycle.
• New fmterrorfnoverbs linter (#36146) — A new Go linter enforces correct verb usage in fmt.Errorf calls, catching a common class of formatting mistakes at lint time.

🐛 Bug Fixes & Improvements

• Gate ET guardrail on explicit configuration (#36179) — The daily effective-workflow guardrail and its artifact client setup are now only activated when explicitly configured, preventing unnecessary overhead in workflows that do not use this feature.
• Fix @actions/artifact install for ET guardrail (#36153) — Resolved a missing dependency that caused failures when the daily-effective-workflow guardrail was enabled.
• Deploy command refactor (#36144) — Deploy command orchestration in pkg/cli was refactored to satisfy largefunc linter limits, improving maintainability without changing behavior.
• Parser test coverage (#36149) — Frontmatter extraction tests migrated to testify with additional coverage, strengthening the parser test suite.

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 659.7K

---

What's Changed

• Add project UTC offset support for rendered timestamps and expiration messages by @Copilot in #36142
• Fix: install @actions/artifact when daily-effective-workflow guardrail is configured by @Copilot in #36153
• [linter-miner] feat(linters): add fmterrorfnoverbs linter by @github-actions[bot] in #36146
• Refactor deploy command orchestration to satisfy largefunc limits in pkg/cli by @Copilot in #36144
• test(parser): migrate frontmatter_extraction_test.go to testify + add missing coverage by @Copilot in #36149
• Enable close_discussion safe output in Daily Regulatory workflow by @Copilot in #36155
• [blog] Agent of the Day – 2026-06-01 by @github-actions[bot] in #36158
• Add structured diagnostics to the daily workflow ET guardrail by @Copilot in #36164
• [blog] Weekly blog post – 2026-06-01 by @github-actions[bot] in #36178
• Gate daily ET guardrail and artifact client setup on explicit configuration by @Copilot in #36179

Full Changelog: v0.77.4...v0.77.5

v0.77.4

🌟 Release Highlights

This release delivers Anthropic WIF authentication, a new copilot-sdk engine, expanded aw.yml manifest capabilities, and a battery of reliability fixes across safe-outputs, threat-detection, and workflow compilation.

✨ What's New

• Anthropic WIF Authentication — Claude-engine workflows can now authenticate via Workload Identity Federation, eliminating long-lived API key secrets (#35939)
• copilot-sdk Engine — A new copilot-sdk frontmatter engine field gives workflows access to the Copilot SDK runtime directly (#35936)
• aw.yml Manifest: Includes, Skills & Agents — The repository manifest now supports includes, skills, and agents keys, making it easier to compose and share workflow components across repos (#35778)
• Per-Workflow 24-Hour Effective-Token Guardrail — A new configurable token guardrail prevents runaway agent costs with enterprise-grade defaults and ET shorthand support (#36042)
• search_commits in GitHub MCP Search Toolset — Commit search is now available to agents via the GitHub MCP search toolset (#36115)
• copilot-review Skill — A new skill guides agents through planning, addressing, and responding to PR review feedback (#36111)
• go-codemod Skill — Agents can now implement and test Go codemods for the gh aw fix command (#36034)
• Ruflo-Backed Agentic Task Workflow — New workflow for running agentic tasks via the Ruflo engine (#36046)

🐛 Bug Fixes & Improvements

• Activation comment fix — Activation comments no longer use the wrong repo/client or fire on empty commits (#35982)
• Safe-output target-repo — Safe output handlers now correctly respect the configured target-repo (#35901)
• Sparse-checkout filter — Agent checkout now emits filter: '' correctly when sparse-checkout is enabled (#35949)
• Protected-files fallback — create_pull_request now pushes the branch before creating a fallback issue (#35990)
• HEAD-only bundle handling — create_pull_request safe-output fallback handles HEAD-only bundles gracefully (#35989)
• Threat-detection hardening — Missing prompt artifacts no longer block safe-output execution (#36113)
• Reusable workflow timeout — timeout-minutes is now correctly passed through reusable workflow callers (#36107)
• on.needs YAML strip — Processed on.needs keys are stripped from emitted YAML, preventing invalid workflow syntax (#35965)
• Billing multiplier accuracy — billing.multiplier from Copilot reflect is now used as the primary ET multiplier source of truth (#36027)
• Prefer toolcache Copilot CLI — Workflows now prefer the Actions toolcache copy of the Copilot CLI before downloading a release, speeding up setup (#35992)
• Disable histexpand in shell wrappers — Bash history expansion is disabled in all generated shell wrappers to prevent unexpected ! expansion (#35991)

📚 Documentation

• Deprecated/migration callouts removed for a cleaner reference experience (#35923)
• OpenTelemetry reference slimmed down — duplicate config examples removed (#36143)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 994.4K

---

What's Changed

• Stabilize Step Name Alignment by removing legacy CLI-proxy path by @Copilot in #35804
• Enforce strconvparseignorederror in CI and remove 6 silent parse discards by @Copilot in #35805
• [deep-report] Raise Avenger max-turns to 50 to prevent max-turn exits by @Copilot in #35789
• chore: bump awf to v0.25.57, mcpg to v0.3.21 by @Copilot in #35782
• [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #35806
• Remove emoji from experiment assignment summary heading by @Copilot in #35815
• Align lipgloss compat detection with stderr output path by @Copilot in #35813
• Extend aw.yml to support includes, skills, and agents by @Copilot in #35778
• Fix context cancel lifecycle violations in workflow + MCP inspect paths by @Copilot in #35811
• refactor(workflow): decompose Claude allowed-tools assembly to reduce function complexity by @Copilot in #35812
• DDUw: catch not_planned docs-coverage/convention gaps (engine-example parity) by @Copilot in #35820
• Add missing Claude Opus multiplier aliases and correct GPT-5.5 multipliers for 2026-05-30 inventory by @Copilot in #35826
• Refactor Agentic Workflows routing: move dispatch index to skill, keep agent static, and update init generator by @Copilot in #35817
• [awf] Fix tool-cache mount handling, smoke-pi runtime config, and cache-memory git recovery by @Copilot in #35802
• [community] Update community contributions with Tier 3 findings by @github-actions[bot] in #35844
• Clarify Outcome Collector reference mapping to enforce exact Status-order link parity by @Copilot in #35852
• [log] Add debug logging to three previously-unlogged pkg/ files by @github-actions[bot] in #35857
• [docs] docs: apply American English spelling in content reference docs by @github-actions[bot] in #35853
• [code-simplifier] Simplify claude_tools.go: use getOrCreateToolMap and clearer isClaudeToolName by @github-actions[bot] in #35855
• fix: safe output handlers now respect target-repo config by @dsyme in #35901
• Share RUNNER_TEMP with agent step in compiled lock.yml by @Copilot in #35880
• [docs] Update editor preview screenshots – 2026-05-30 by @github-actions[bot] in #35890
• [instructions] Sync instruction files with release v0.76.1 by @github-actions[bot] in #35892
• docs: remove deprecated/migration callouts by @dsyme in #35923
• [spec-enforcer] Enforce specifications for typeutil, workflow, actionpins by @github-actions[bot] in #35910
• Remove markdown header from <repo-memory> default prompt section by @Copilot in #35920
• [docs] Consolidate developer specifications into instructions file by @github-actions[bot] in #35928
• Improve checkout prompt clarity: repo→path mapping and sparse-checkout visibility by @Copilot in #35927
• Remove nested Markdown headers from mcp-clis prompt section by @Copilot in #35922
• fix: add SEC-004 exemption to safe_output_execution_metadata.cjs by @Copilot in #35933
• Preserve agent and inlined-skill frontmatter during runtime imports so model selection is honored by @Copilot in #35938
• fix: emit filter:'' in agent checkout when sparse-checkout is enabled (#35947) by @dsyme in #35949
• Copy skills from aw.yml manifest first; copy skill folders recursively and safely by @Copilot in #35946
• Add safe-output failure guardrails and actionable PR-branch checkout errors by @Copilot in #35945
• Drop redundant --yolo from Pi engine invocations by @Copilot in #35950
• Route harness fallback diagnostics through safeoutputs CLI by @Copilot in #35934
• feat: Anthropic WIF support in EngineAuthConfig and ClaudeEngine by @Copilot in #35939
• Strip processed on.needs from emitted on: YAML to prevent invalid workflow syntax by @Copilot in #35965
• chore: bump firewall to v0.25.58 and gateway to v0.3.22 by @Copilot in #35973
• fix: activation comment uses wrong repo/client and fires on empty commits by @dsyme in #35982
• feat: add copilot-sdk engine front matter field by @Copilot in #35936
• Disable bash histexpand in all generated shell wrappers by @Copilot in https://github....

v0.77.3

🌟 Release Highlights

This release brings expanded sandbox configuration capabilities, improved workflow validation, and several reliability fixes across the compiler and setup infrastructure.

✨ What's New

• authHeader support in sandbox agent targets — Workflows using sandbox.agent.targets can now specify custom authentication headers directly in the frontmatter, enabling secure communication with authenticated agent endpoints. (#35694)

• gh aw init creates the Agentic Workflows custom agent — Running gh aw init now scaffolds a GitHub Copilot custom agent configuration for Agentic Workflows, giving you an AI-powered assistant right from project setup. (#35773)

• Stricter schema validation for workflow_call/workflow_dispatch inputs — Unknown keys in workflow_call and workflow_dispatch input definitions are now rejected at compile time, catching configuration errors early and preventing silent misconfiguration. (#35788)

🐛 Bug Fixes & Improvements

• Fixed false expression harvesting in bash comments — Expressions inside ${{ ... }} that appeared in bash # comment lines were incorrectly harvested. These are now properly ignored, preventing spurious validation errors in scripts with commented-out expressions. (#35777)

• Fixed bundle recovery on shallow/sparse checkouts — The --filter=blob:none git option is now only applied when the repository is a shallow or sparse checkout, resolving failures in standard full-clone environments. (#35766)

• Improved setup installer resilience — The setup installer now handles missing Antigravity checksums.txt gracefully, preventing installation failures when checksum files are unavailable. (#35747)

• Removed deprecated Copilot model aliases — Stale model aliases and multiplier registry entries (including gpt-5.3-codex) have been cleaned up. Workflows using these aliases should update to current model names. (#35786, #35765)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 840.1K

---

What's Changed

• Handle missing Antigravity checksums.txt in setup installer by @Copilot in #35747
• [WIP] Fix failing GitHub Actions job "lint-go" by @Copilot in #35743
• Harden Daily SPDD planner output contract to prevent placeholder issue bodies by @Copilot in #35752
• fix(bundle-recovery): gate --filter=blob:none on shallow or sparse checkouts by @dsyme in #35766
• Refine Outcome Collector executive report layout and shift cadence to 3-day runs by @Copilot in #35748
• feat: expose authHeader in sandbox.agent.targets frontmatter by @Copilot in #35694
• fix: use 1s benchtime for CLI helper benchmarks to eliminate false regressions by @Copilot in #35763
• Migrate smoke-copilot and daily-fact off deprecated gpt-5.3-codex → gpt-5.4 by @Copilot in #35765
• [linter-miner] feat(linters): add jsonmarshalignoredeerror linter to catch discarded json.Marshal/Unmarshal errors by @github-actions[bot] in #35767
• Add missing job timeouts to high-risk push/PR workflows by @Copilot in #35775
• Use testify assertions in pkg/errorutil/errors_test.go for consistent table-test failures by @Copilot in #35776
• Update gh aw init to create the Agentic Workflows custom agent by @Copilot in #35773
• Ignore ${{ ... }} in bash # comments during run-script expression harvesting by @Copilot in #35777
• Remove deprecated Copilot model aliases from built-in alias and multiplier registries by @Copilot in #35786
• Schema: reject unknown keys in workflow_call/dispatch input definitions by @Copilot in #35788
• workflow: replace deprecated empty AddCommentConfig with alias to AddCommentsConfig by @Copilot in #35787

Full Changelog: v0.77.2...v0.77.3