Releases: github/gh-aw

v0.74.9

21 May 01:42
Immutable release. Only release title and notes can be modified.
aaa7b6d

v0.74.9 Pre-release

🌟 Release Highlights

This release brings powerful new safe-output controls, enhanced token usage visibility, and important bug fixes including two community-reported issues.

✨ What's New

Safe Output Controls

  • Branch protection for PRs - Enforce allowed-branches when creating pull requests to prevent accidental changes to protected branches (#33610)
  • Patch size limits - Configure max-patch-size and max-patch-files to control PR complexity and prevent overwhelming reviews (#33650)
  • Label and title filters - Add required-labels and required-title-prefix filters to all safe-output operations for better workflow control (#33350)
  • Suppress closing comments - Use body-allowed: false with close-discussion and close-issue to prevent duplicate comments (#33639)

Token Usage Visibility

  • Per-tool token deltas - Agent logs now show effective token usage per MCP tool call, making it easier to identify expensive operations (#33629)
  • Turn-by-turn breakdowns - Step summaries display token usage with ΔET (delta effective tokens) and compounded totals for each turn (#33628)

Quality & Validation

  • OTLP data quality validator - New workflow performs end-to-end telemetry integrity checks to ensure observability data is complete and accurate (#33623)
  • Runtime triage rules - PR triage agent now reads customer triage rules from .github/triage.md at runtime for flexible, repository-specific triage logic (#33657)
  • Regex compilation linter - New regexp-compile-in-function linter catches expensive regex compilation in hot paths (#33608)

🐛 Bug Fixes & Improvements

Bug Fixes

  • Fixed workflow_install_note.md ENOENT crash when PRs touch workflow files (#33654)
  • Prevented placeholder-only bodies in create_discussion safe-output (#33595)
  • Fixed /review command to properly dispatch all pull_request_reviewer workflows (#33562)
  • Set proper token budgets and narrowed file-glob patterns in meta-orchestrators to prevent resource exhaustion (#33625)

Improvements

  • Contribution-check now offloads report formatting to small-model sub-agents for faster processing (#33655)
  • Softened empty MCP RPC telemetry handling in gateway log parsing to reduce noise (#33647)
  • Normalized report formatting guidelines across 7 agentic workflows for consistency (#33596)
  • Strengthened MCP add integration tests with testify assertions and table-driven coverage (#33626)
  • Hardened Agentic Maintenance compile-workflows by removing Docker-only image validation (#33573)

📚 Documentation

  • Consolidated error documentation into tables for easier scanning (#33599)
  • Enforced consistent short-description punctuation rules across the full CLI command tree (#33627)
  • Completed x-deprecation-message coverage for all deprecated schema fields (#33645)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@corygehr


For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 3.4M


What's Changed

  • Harden Agentic Maintenance compile-workflows by removing Docker-only image validation by @Copilot in #33573
  • Normalize report formatting guidelines across 7 agentic workflows by @Copilot in #33596
  • [docs] docs: unbloat errors.md by consolidating into tables by @github-actions[bot] in #33599
  • feat(safe-outputs): add required-labels/required-title-prefix filters to all operations; standardize merge-pull-request and add-reviewer field names by @Copilot in #33350
  • Add OTLP data quality validator workflow for end-to-end telemetry integrity checks by @Copilot in #33623
  • [linter-miner] feat(linters): add regexp-compile-in-function linter by @github-actions[bot] in #33608
  • fix: dispatch all pull_request_reviewer workflows from /review by @Copilot in #33562
  • fix: guard create_discussion against PLACEHOLDER-only bodies by @Copilot in #33595
  • Close daily SPDD spec gaps across MCP Scripts, Effective Tokens, Forecast, Frontmatter Hash, and Fuzzy Schedule by @Copilot in #33591
  • Strengthen MCP add integration tests with testify assertions, table-driven coverage, and success-path validation by @Copilot in #33626
  • Support allowed-branches enforcement for create-pull-request safe output by @Copilot in #33610
  • feat(token-usage): per-turn rows with ΔET and compounded ET in step summary by @Copilot in #33628
  • Enforce short-description punctuation rules across the full CLI command tree by @Copilot in #33627
  • feat: show effective-token delta per MCP tool call in agent log by @Copilot in #33629
  • fix: set per-workflow token budgets and narrow file-glob patterns in meta-orchestrators by @Copilot in #33625
  • Sync lock files with MinDiscussionBodyLength schema change; confirm formatting guidelines already present by @Copilot in #33646
  • Soften empty MCP RPC telemetry handling in gateway log parsing by @Copilot in #33647
  • feat: complete x-deprecation-message coverage for all deprecated schema fields by @Copilot in #33645
  • feat: PR triage agent reads customer triage rules from .github/triage.md at runtime by @Copilot in #33657
  • contribution-check: offload report formatting and comment routing to small-model sub-agents by @Copilot in #33655
  • Add body-allowed: false to close-discussion and close-issue safe-outputs by @Copilot in #33639
  • fix: resolve workflow_install_note.md ENOENT in safe_outputs job by @Copilot in #33654
  • Support max-patch-size / max-patch-files under safe-outputs.create-pull-request by @Copilot in #33650

Full Changelog: v0.74.8...v0.74.9

v0.74.8

20 May 16:49
Immutable release. Only release title and notes can be modified.

🌟 Release Highlights

This release strengthens reliability, developer experience, and observability with daily automated reviews, improved error messages, and enhanced telemetry instrumentation.

✨ What's New

🔍 Daily Reliability Review — A new scheduled workflow automatically detects and reports gh-aw reliability issues using Sentry observability data, querying for failures, timeouts, cancellations, and token truncations. The workflow creates prioritized findings with actionable recommendations, helping maintainers catch issues early. (#33493)

💡 Fuzzy "Did You Mean?" Suggestions — Validation errors now include helpful suggestions when you mistype engine names, events, permissions, or MCP types (e.g., invalid engine: copiliot. Did you mean: copilot?). The feature uses Levenshtein distance matching to catch common typos during compilation. (#33467)

📍 File/Line Context in Validation Errors — Validation errors now show file:line:col: positioning so IDE tooling can jump directly to the problematic field, eliminating manual searches through workflow files. (#33466)

💭 Reasoning Message Rendering — Reasoning content (Claude extended thinking blocks, Codex thinking sections, Copilot reasoning_text) now renders with a distinct open circle icon and italic styling, making agent thought processes visible and distinguishable from regular output. (#33464)

🐛 Bug Fixes & Improvements

Telemetry Instrumentation — Fixed four critical OTLP gaps: service.version fallback to GITHUB_SHA, gen_ai.response.finish_reasons always emitted, timeouts distinguished from failures, and gen_ai.usage.total_tokens now tracked. (#33528, #33510)

Network Access — Added patch-diff.githubusercontent.com to the GitHub domain ecosystem, allowing workflows using network.allowed: [github] to fetch PR diffs without blocking. (#33543)

Linter Improvements — Enhanced analyzer ergonomics with ctxbackground autofix, consistent test-file handling, and range-based diagnostics for better IDE integration. (#33541)

Code Quality — Resolved 12 lint violations including functions exceeding parameter limits (refactored to options structs), context.Background() calls in functions already receiving ctx, and os.Exit() calls in library packages. (#33452)

📚 Documentation

Developer Specifications — Consolidated developer documentation with 7 tone fixes across 4 spec files, removing marketing language and subjective phrasing. (#33566)

Reference Updates — Added Gemini 3.5 Flash model configuration, documented footer-install template behavior, and specified JSON workflow field mapping for Copilot automation API imports. (#33522)

Glossary Expansion — Daily glossary scan added terms for tools.github.allowed-repos, repository access restrictions, and other workflow configuration options. (#33519)

🔧 Internal

MCP Refactoring — Extracted duplicated MCP wrapper logic into renderDefaultJSONMCPConfig helper, eliminating 10-12 line code blocks across four JSON engines. (#33482)

Chaos Testing — Updated Chaos PR Bundle Fuzzer to allow modifications to tests/chaos/** in safe-output PR creation. (#33553)

Workflow Cleanup — Removed centralized pull_request_reviewer dispatching from agentic_commands.yml, simplifying workflow routing. (#33542)


For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 3.9M


What's Changed

  • feat: render reasoning/thinking messages with ◯ icon and italic styling by @Copilot in #33464
  • fix: resolve 12 lint violations — excess params, context.Background, os.Exit by @Copilot in #33452
  • chore: update otlp.md with xml docs by @mnkiefer in #33468
  • feat: add daily reliability review via sentry by @mnkiefer in #33493
  • Strengthen shared Sentry prompts for grounded reliability triage by @Copilot in #33499
  • fix(otlp): service.version fallback, timeout vs failure, finish_reasons, total_tokens by @Copilot in #33510
  • Improve Daily Reliability Review readability with progressive disclosure by @Copilot in #33523
  • [spec-enforcer] Enforce specifications for errorutil, syncutil, jsonutil by @github-actions[bot] in #33527
  • [docs] Update documentation for features from 2026-05-20 by @github-actions[bot] in #33522
  • [docs] Update glossary - daily scan by @github-actions[bot] in #33519
  • feat: add file/line context to validation errors by @Copilot in #33466
  • [plan] Migrate high-impact validation paths to NewValidationError with actionable YAML guidance by @Copilot in #33491
  • refactor: extract renderDefaultJSONMCPConfig to eliminate duplicated MCP wrapper logic by @Copilot in #33482
  • fix(otlp): always emit gen_ai.response.finish_reasons; use GITHUB_SHA as service.version fallback by @Copilot in #33528
  • Add sub_agent_strategy A/B experiment to smoke-gemini workflow by @Copilot in #33540
  • Allow patch-diff.githubusercontent.com in the GitHub domain ecosystem by @Copilot in #33543
  • Remove centralized pull_request_reviewer dispatching from agentic_commands.yml by @Copilot in #33542
  • Improve linter analyzer ergonomics: ctxbackground autofix, test-file parity, and range diagnostics by @Copilot in #33541
  • Allow Chaos PR Bundle Fuzzer to modify tests/chaos/** in safe-output PR creation by @Copilot in #33553
  • [docs] Consolidate developer specifications v9.12: 7 tone fixes across 4 files by @github-actions[bot] in #33566
  • feat: fuzzy "Did you mean?" suggestions for engine, event, permission, and MCP type typos by @Copilot in #33467
  • Update Daily OTel Advisor to use shared Sentry/Grafana OTEL MCP imports by @Copilot in #33570
  • [blog] Agent of the Day – 2026-05-20 by @github-actions[bot] in #33568

Full Changelog: v0.74.7...v0.74.8

v0.74.7

20 May 06:08
Immutable release. Only release title and notes can be modified.
28cf796

v0.74.7 Pre-release

🌟 Release Highlights

A focused maintenance release that strengthens workflow activation handling and improves code maintainability.

🐛 Bug Fixes & Improvements

Workflow Activation & Routing

  • Fixed pull request review activation - Resolved hybrid routing conflicts where pull_request_review events were incorrectly processed, ensuring reviewer lifecycle events bypass slash-command gating for smoother automated reviews
  • Improved reaction handling - The add_reaction safe-output now correctly processes pull_request_review activation events
  • Stabilized secret replacement - Eliminated non-deterministic behavior in workflows using shared fallback expressions, making secret handling more reliable

Code Quality

  • Simplified schedule parser - Refactored complex functions into focused helpers for better maintainability and readability
  • Cleaned up semantic clustering - Deduplicated linter helpers, removed stub files, and improved naming consistency across the codebase

Developer Experience

  • Enhanced safe-output guidance - Strengthened anti-probing documentation for add_comment and create_issue to prevent common workflow authoring mistakes

For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 2.9M


What's Changed

  • [community] Update community contributions in README by @github-actions[bot] in #33439
  • Fix non-deterministic secret replacement in workflows with shared fallback expressions by @Copilot in #33441
  • Bypass slash-command gating for pull_request reviewer lifecycle events by @Copilot in #33447
  • [safeoutputs] Strengthen anti-probing guidance for add_comment and create_issue by @Copilot in #33433
  • Handle pull_request_review activation reactions in add_reaction by @Copilot in #33449
  • [log] Add namespace loggers to three workflow files by @github-actions[bot] in #33453
  • Refactor schedule parser long functions into focused helpers by @Copilot in #33448
  • [WIP] Fix failing GitHub Actions job JS Tests (shard 2/4) by @Copilot in #33455
  • refactor: semantic function clustering — dedup linter helpers, drop stub files, rename outliers by @Copilot in #33434
  • Remove pull_request_review from on.pull_request_reviewer hybrid routing by @Copilot in #33461

Full Changelog: v0.74.6...v0.74.7

v0.74.6

20 May 03:03
Immutable release. Only release title and notes can be modified.
1234f3e

v0.74.6 Pre-release

🌟 Release Highlights

This maintenance release focuses on workflow import UX improvements, MCP security hardening, and critical bug fixes across safe outputs and workflow triggers.

✨ What's New

Enhanced Workflow Import Experience

  • JSON workflow imports now preserve meaningful workflow names instead of GUID-like identifiers (#33432, #33421)
  • Cleaner import output - removed noisy API metadata and refined import messages for better readability (#33420, #33424)
  • Copilot workflow imports now support authenticated fetching from api.githubcopilot.com (#33402)

New Synthetic Trigger: pull_request_reviewer

  • Added on.pull_request_reviewer: slash_command for PR reviewer lifecycle dispatch with reviewer-aware concurrency (#33273)
  • Migrated ready-for-review workflows to the new trigger (#33412)

Model Support

  • Added gemini-3.5-flash to model inventory with ET multiplier 14.0 (#33430)

🐛 Bug Fixes & Improvements

Safe Outputs & Review Handling

  • Fixed submit_pull_request_review to gracefully skip when PR review context is unavailable (e.g., workflow_dispatch on main) (#33435)
  • Fixed dispatchWorkflow API version header - now correctly passed as top-level header instead of nested params (#33419)

MCP Telemetry & Observability

  • Zero-byte rpc-messages.jsonl files (MCP server crash/startup failures) now correctly reported as telemetry failures instead of silently passing (#33358)

Trigger & Event Handling

  • Fixed activation steps attempting to add reactions/comments on unsupported pull_request_review events (#33418)

📚 Documentation

  • Updated Astro dependencies to latest and applied Starlight 0.39 sidebar config migration (#33431)
  • Hardened shared MCP allowlists for high-risk servers and documented wildcard policy (#33384)
  • Self-healing documentation fixes from automated issue analysis (#33414)

🔧 Internal

  • Dependency updates: vite 8.0.12→8.0.13, @types/node 25.7.0→25.9.1 (#33410, #33407)
  • Optimized instruction verbosity in workflow-health runbook and report generation (#33393)

For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 2.4M


What's Changed

  • Add on.pull_request_reviewer: slash_command synthetic trigger and reviewer lifecycle routing by @Copilot in #33273
  • [caveman] Optimize instruction verbosity — workflow-health, report (2026-05-19) by @github-actions[bot] in #33393
  • Treat zero-byte rpc-messages.jsonl as an MCP telemetry failure by @Copilot in #33358
  • Migrate ready-for-review agentic workflows to pull_request_reviewer by @Copilot in #33412
  • Harden shared MCP allowlists for high-risk servers and document wildcard policy by @Copilot in #33384
  • Allow add URL importer auth for api.githubcopilot.com by @Copilot in #33402
  • [docs] Self-healing documentation fixes from issue analysis - 2026-05-20 by @github-actions[bot] in #33414
  • fix: pass X-GitHub-Api-Version as top-level header in dispatchWorkflow by @Copilot in #33419
  • Skip unsupported pull_request_review events in activation reaction/status conditions by @Copilot in #33418
  • Drop non-config JSON metadata during add/add-wizard import by @Copilot in #33420
  • Prefer JSON title/name for URL imports when derived workflow name is GUID-like by @Copilot in #33421
  • Polish JSON-import UX for add/add-wizard output by @Copilot in #33424
  • Preserve JSON-imported workflow names in add/add-wizard resolution by @Copilot in #33432
  • Add missing gemini-3.5-flash ET multiplier to model inventory by @Copilot in #33430
  • [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #33429
  • [docs] Update Astro dependencies and apply Starlight 0.39 sidebar migration by @Copilot in #33431
  • Soft-skip submit_pull_request_review when no PR review context is available by @Copilot in #33435
  • chore(deps-dev): bump @types/node from 25.7.0 to 25.9.1 in /actions/setup/js by @dependabot[bot] in #33407
  • chore(deps-dev): bump vite from 8.0.12 to 8.0.13 in /actions/setup/js by @dependabot[bot] in #33410

Full Changelog: v0.74.5...v0.74.6

v0.74.5

19 May 21:25
Immutable release. Only release title and notes can be modified.
b64487e

v0.74.5 Pre-release

🌟 Release Highlights

This release delivers 125 improvements focused on quality, stability, and developer experience. Key themes include enhanced observability with OpenTelemetry integration, improved CLI tooling with JSON workflow import capabilities, and significant bug fixes addressing authentication, safe-output handling, and workflow compilation edge cases.

✨ What's New

OpenTelemetry Observability & Multi-Backend Support

  • Comprehensive OTel documentation and specification (#33380)
  • Support for Datadog, Grafana, and Sentry backends with modular shared imports (#33202, #33023)
  • Enhanced span attributes including resolved runtime models (gen_ai.response.model) and AWF/AWMG versions (#33275, #33030)

JSON Workflow Import

  • New CLI capability to import workflows from JSON format with automatic trigger, tool, and permissions mapping (#33376)
  • Support for importing from arbitrary HTTP(S) URLs (#33164)

Enhanced Error Handling & Developer Experience

  • Actionable error message standards with custom linter enforcement (#33336)
  • Prioritized compilation errors with recovery guidance in gh aw compile (#33337)
  • Deprecated frontmatter field warnings via generic schema walker (#33362)
  • Aggregate validation errors (report all issues together) with --fail-fast flag for legacy behavior

AI Engine & Model Improvements

  • Per-engine default model aliases with Sonnet-sized agent defaults (#33182)
  • Model inventory updates including raptor-mini alias coverage and GPT-5 search multipliers (#33177)
  • Prompt compression A/B experiments and caveman prompt variant (#33296, #33162)

Safe Outputs Enhancements

  • Field-name divergence warnings for add_labels, remove_labels, and update_pull_request (#33170)
  • Preserved inline review analysis in 422 body-only fallback (#33361)
  • Prevention of safe-output PR probing from creating stray downstream PRs (#33044)
  • Support for tools.github.allowed-repos: current for repo-scoped MCP guard policies (#33041)

CLI & Tooling Improvements

  • run_id alias support for audit MCP tool parameters (#33250)
  • Lipgloss tree rendering for MCP hierarchy and status dependencies (#33276)
  • Idempotent setup-gh-aw install when gh-aw is already available (#33240)

🐛 Bug Fixes & Improvements

Authentication & Credential Handling

  • Fixed Copilot/Claude/Codex retry loops after authentication failure (stopped futile retries) (#33093)
  • Restored authenticated ls-remote in signed commit push path (#33178)
  • Hardened MCP gh-aw binary discovery for Q dev install paths (#33321, #33168)
  • GitHub App token minting guarded across workflow paths with missing-key ignore mode (#33033)

Safe Outputs & Git Operations

  • Fixed create_pull_request git am fallback and unrelated safe output cancellation (#33295)
  • Resolved temporary ID substitution in bundle-based signed commit replay (#33181)
  • Branch rename support when recreate-ref deleteRef is blocked by protection rules (#33163)
  • Self-healing cache-memory git setup when restored metadata is corrupt (#33249)

Workflow Compilation & Validation

  • Validation of required workflows: field on workflow_run trigger (#33191)
  • Compile-time rejection of queue: max with cancel-in-progress: true (#33353)
  • Fixed compound || expressions in prompt markdown never substituting at runtime (#33129)
  • Prevention of compile panic when workflow directory contains only shared components (#33029)
  • Fixed OTLP shared import in UK AI operational resilience workflow (#33036)

Error Context & Reporting

  • Rendered report_incomplete reasons in agent failure comments and issue templates (#33087)
  • Agent failure issue matching by stored metadata instead of title alone (#33089)
  • Preserved inline review analysis in 422 body-only fallback (#33361)
  • Derived gh-aw.run.status and status.code from output errors when conclusion env var is absent (#33037)

Network & Permissions

  • Added pypi.org and files.pythonhosted.org to daily-semgrep-scan allowlist (#33035)
  • Exposed reusable workflow network allowlist as opt-in workflow_call input (#33200)

Dependencies & Build

  • Bumped default AWF firewall to v0.25.49 and MCP gateway versions (#33124, #32913)
  • Updated GitHub Actions versions (2026-05-19) (#33238)
  • Charmbracelet golden pseudo-version bump to 920740d613be (#33281)

⚡ Performance

  • Reduced CLI Consistency Checker token usage via pre-agent help capture and prompt/frontmatter trimming (#33363)
  • Optimized CLI Consistency Checker via inline small-model sub-agents (#33179)
  • Reduced Step Name Alignment agent turns via deterministic pre-agent manifest (#33247)
  • Optimized instruction verbosity for adr-writer, developer.instructions, agentic-chat (#33162)
  • Trimmed token spend in Matt Pocock skills reviewer workflow (#33085)

📚 Documentation

  • Unbloated documentation for correction-ops.md and integrity reference (#33375, #33110)
  • Consolidated developer specifications into instructions file v9.11 (#33323)
  • Added pkg/syncutil README and registered dependency in cli/workflow specs (#33325)
  • Strengthened SPDD safeguards and OTel norms across 5 spec files (#33096)
  • Daily/weekly glossary updates and feature documentation (#33278, #33283, #33021, #33018)
  • Normalized report-formatting guidance across reporting workflows (#33335, #33220)
  • Self-healing documentation fixes from issue analysis (#32915)
  • Architecture diagram updates (2026-05-18) (#33006)
  • Added FAQ guidance for using skills with agentic workflows (#33034)

🔧 Internal Improvements

  • Refactored current-repository lookup caches to shared syncutil.OnceLoader (#33180)
  • Replaced raw log.Print* usage in library packages with package-scoped logger instances (#33272)
  • Refactored parser engine-include tests to table-driven testify assertions (#33241)
  • Extracted resolveSafeOutputIssueTarget to eliminate boilerplate (#33231)
  • Refactored create-* config parsing to shared helper (#33242)
  • Added panic recovery to mcp inspect background goroutines (#33217)
  • Refactored pkg mutex sites to use deferred unlocks consistently (#33038)
  • JavaScript cleanup via jsweep for add_labels.cjs and add_comment.cjs (#33208, #32949)
  • Centralized 403/410 error classification via errstringmatch linter enforcement (#33216, #33117)
  • Schema coverage demos for multiple frontmatter fields (pre-steps, models, inline-sub-agents, github-app, environment, dependencies, container, check-for-updates) (#32985, #32984, #32983, #32981, #32980, #32978, #32977, #32976)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@Calidus

@IEvangelist

@mason-tim

@norrietaylor

@polmichel

@samuelkahessay

@wtgodbe


Full Details: For complete commit-by-commit changes, see CHANGELOG.

What's Next: We're continuing to improve observability, enhance AI engine capabilities, and refine developer tooling. Stay tuned for more updates!

Generated by 🚀 Release · ● 4.1M


What's Changed

  • Reject removed tools.serena in parser and align with schema by @Copilot in #32909
  • [docs] Self-healing documentation fixes from issue analysis - 2026-05-18 by @github-actions[bot] in #32915
  • Bump default AWF firewall to v0.25.48 and MCP gateway to v0.3.11 by @Copilot in #32913
  • fix(model-inventory): enrich /reflect null models via mod...

v0.74.4

17 May 21:47
Immutable release. Only release title and notes can be modified.
2c1a237

🌟 Release Highlights

This release delivers significant improvements to safe-outputs reliability, submodule checkout support, enhanced agent failure reporting, stronger security hardening against integer overflow, and a wave of community-requested fixes across MCP, protected-files, repo-memory, and lockdown checks.

✨ What's New

  • Submodule-safe credential cleanup — New checkout.clean-git-credentials option prevents credential leaks when workflows use submodules, resolving a long-standing issue with persist-credentials: false in compiled lock files. (#32819)
  • Automatic pull-requests: read permission inference — The compiler now infers pull-requests: read for activation jobs that include Vale pre-steps using gh pr diff, eliminating a common silent permission gap. (#32849)
  • Larger repo-memory file cap — Default MaxFileSize raised from 10 KB to 100 KB, unblocking analysis of real-world source files. (#32826)
  • Denied-command surfacing in failure reports — Agent failure reports now surface denied commands and include improved prompts for actionable debugging. (#32759)
  • ctxbackground linter — New Go linter flags context.Background() calls when a ctx parameter already exists, enforcing consistent context propagation. (#32865)

🐛 Bug Fixes & Improvements

  • Mentions policy respected in add_comment — Allowed mentions were being escaped due to a missing config pass-through; now correctly applied. (#32805)
  • update_pull_request.update_branch permission failures non-fatal — Workflow-permission errors from branch-update calls are now treated as warnings rather than hard failures. (#32900)
  • CLI not-found detection unified — Lowercase "not found" errors were previously missed; detection is now case-insensitive and centralized. (#32888)
  • Cache-memory artifact upload path fixed — Threat-detection workflows were generating invalid artifact paths; upload now succeeds reliably. (#32733)
  • Integer overflow guards - MergeUnique allocation sizing and the run-step sanitizer are both hardened against allocation-size overflow (addresses CodeQL finding #592). (#32842, #32841)
  • create_pull_request chaos fallback — Prevents a spurious fallback when the branch already exists. (#32770)

📚 Documentation

  • Multi-engine guidance in README — Explicit signal added to help users choose the right engine for their workflow. (#32889)
  • LLM discoverability - llms.md and llms-full.txt added for LLM tool configuration and GEO discoverability. (#32744, #32867)
  • Broken links fixed — Pattern links in patterns.md and engine link in engines.md repaired. (#32804, #32743)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@askpaisa

@clementbolin

@cogni-ai-ee

@corygehr

@IEvangelist

@jaroslawgajewski

@JamesNK

@jfomhover

@kaovilai

@lpcox

@MH0386

@norrietaylor

@sg650

@theletterf

@yskopets


For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 3.1M


What's Changed

  • [caveman] Optimize instruction verbosity — token-optimization.md (2026-05-15) by @github-actions[bot] in #32478
  • [testify-expert] Standardize pkg/stringutil tests on testify assertions by @Copilot in #32468
  • Replace threat-detection XML marker token across JS and spec by @Copilot in #32458
  • ci: reduce retention for debugging artifacts in ci.yml and cgo.yml by @Copilot in #32451
  • [linter-miner] feat(linters): add osexitinlibrary linter by @github-actions[bot] in #32448
  • Make centralized slash-command workflows emit non-required workflow_dispatch inputs by @Copilot in #32480
  • [WIP] Fix failing GitHub Actions job Integration: CLI Audit Logs & Firewall by @Copilot in #32483
  • Fix docs link-validator failures from stale experiments page URLs by @Copilot in #32490
  • Preserve @copilot in add-comment mention filtering by @Copilot in #32487
  • Refactor safe-output dispatch logic to use a canonical handler descriptor table by @Copilot in #32489
  • [docs] Self-healing documentation fixes from issue analysis - 2026-05-16 by @github-actions[bot] in #32496
  • Make OTEL service names workflow-specific in compiled OTLP workflows by @Copilot in #32488
  • Raise Daily Observability workflow ET budget to prevent proxy-enforced exhaustion by @Copilot in #32506
  • Stabilize Daily Model Inventory Copilot startup by removing fragile quoted jq allow-tool by @Copilot in #32505
  • Refactor workflow config parser helpers and shared mount validation by @Copilot in #32507
  • Prevent Linter Miner runs from completing without a terminal safe output by @Copilot in #32531
  • Add output_format A/B experiment to daily-code-metrics workflow by @Copilot in #32535
  • [compiler-threat-spec] spec: add CTR-017 Secret Leakage via Env Vars a...

v0.74.3

15 May 21:29
Immutable release. Only release title and notes can be modified.
efafb8b

v0.74.3 Pre-release

🌟 Release Highlights

This release brings significant improvements to safe outputs, observability, agent compatibility, and workflow reliability — with a strong focus on fixing community-reported issues including GPT-5.4 compatibility, signed-commit regressions, and bundle-apply race conditions.

✨ What's New

  • Glob pattern support in add-labels safe outputs — The allowed list for add-labels now accepts glob patterns, making label rule configuration far more flexible. (#32022)
  • Issue Fields Support in Safe Outputs — Safe outputs can now read and write GitHub issue fields, expanding what agentic workflows can do with issues. (#30846)
  • slash_command and label_command triggers are now stable — Experimental warnings removed; these triggers are production-ready. (#32348)
  • aw-compat codemods — New automatic codemods for run-expression hoisting, engine latest pinning, and toolset permission synthesis keep your workflows compatible as the platform evolves. (#32341)
  • Warn-mode threat guardrails for safe outputs — Runtime enforcement of warn-mode threat-failure policies across all safe output types improves security posture. (#32399)
  • Agent compatibility matrix and validation — Workflows can now declare and validate agent compatibility constraints. (#32396)
  • Enhanced observability and proxy support — Improved OTel spans (gen_ai.system on setup/conclusion), Grafana MCP config shared component, and better proxy header handling. (#32425, #32340)
  • excessivefuncparams linter — A new Go analyzer flags high-arity function declarations to encourage cleaner APIs. (#32402)
  • experiments.* now valid in runtime-import expressions — Experiment flags can now be referenced in runtime-import validation contexts. (#32375)

🐛 Bug Fixes & Improvements

  • Fix gh aw logs/gh aw status ignoring --repo — These commands now correctly bypass the local filesystem when --repo is set. (#31660)
  • Fix orphan-branch signed-commit regression — Orphan-branch first commits now correctly use signed pushes, resolving a regression of #29301. (#31489)
  • Fix bundle-apply race condition — Git stderr is now captured to recover missing prerequisite commits, eliminating a race between agent and safe_outputs jobs. (#32310)
  • Fix on: key quoting in compiled .lock.yml — The top-level on: key is now emitted unquoted, matching GitHub Actions expectations. (#32354)
  • Fix runtime import deduplication — Inline runtime-imports in workflow bodies are no longer expanded twice during recursive self-import expansion. (#31650)
  • Fix GPT-5.4 tool call type error — Resolved 400 Invalid type for 'messages[x].tool_calls[x].type' errors when using GPT-5.4 models. (#31695)
  • Fix gpt-5.4-mini strict mode failures — GPT-5.4-mini now works correctly via /chat/completions in strict AWF mode. (#32197)
  • Fix safe_outputs git fetch on checked-out branch — Bundle targets no longer fail when targeting the currently checked-out branch. (#32069)
  • Fix BYOK Azure AI Foundry model resolution — External Azure AI Foundry deployments no longer return HTTP 404 from the proxy catalog. (#30356)
  • Allow unsigned pushes when signed commits are disabled — PR branch pushes now correctly skip signature requirements when the repo has signed commits disabled. (#32271)
  • Improved compiler diagnostics — Better error messages for YAML missing-colon syntax errors and engine ID typos. (#32343)

📚 Documentation

  • Major documentation reorganization — A new Practices sidebar section, collapsed Experimental section, and restructured Reference pages make the docs more navigable. (#32450, #32445, #32441, #32431)
  • GHE support documentation — Added documentation for GitHub Enterprise support. (#31701)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@arthurfvives

@hermanho

@IEvangelist

@labudis

@mason-tim

@mrjf

@NicolasRannou

@norrietaylor

@rabo-unumed

@sg650

@tore-unumed

@tsm-harmoney

@yskopets


For complete details, see CHANGELOG.

Generated by 🚀 Release · ● 4.1M


What's Changed

  • docs: add DeepReport to DDUw cookie-issue sources by @Copilot in #32030
  • Support glob patterns in allowed label filters for safe-outputs by @Copilot in #32027
  • [WIP] Fix failing GitHub Actions job lint-js by @Copilot in #32036
  • [WIP] Fix failing GitHub Actions job for CLI completion by @Copilot in #32041
  • [WIP] Fix failing GitHub Actions job lint-js by @Copilot in #32042
  • [ubuntu-image] docs: update Ubuntu Actions runner image analysis (2026-05-14) by @github-actions[bot] in #32050
  • [compiler-threat-spec] feat: add CTR-015 compiler warning for bare * in safe-outputs allowed-labels by @github-actions[bot] in #32046
  • Accept pr_number / pr aliases for PR safe-output targets by @Copilot in #32043
  • Add compiler guardrail to reject ${{ ... }} in compiled run scripts by @Copilot in #32048
  • [jsweep] Clean allowed_issue_fields.cjs by @github-actions[bot] in #32059
  • [aw] Enforce mandatory safe-output noop in PR Sous Chef runs by @Copilot in #32064
  • chore: Add smoke test workflow for otlp telemetry export validation by @mnkiefer in #32091
  • Fix Claude MCP config path expansion for Safe Output Health Monitor by @Copilot in #32065
  • fix: mask otlp headers by @Copilot in #32096
  • feat(architecture-guardian): offload violation classification to small inline sub-agent by @Copilot in #32102
  • refactor: consolidate duplicate SHA...

v0.74.2

14 May 00:42
Immutable release. Only release title and notes can be modified.
59462bd

v0.74.2 Pre-release

🌟 Release Highlights

This release brings powerful new developer tooling — custom Go linters, new gh aw fix codemods, and a --staged compile flag — alongside key reliability fixes for signed commits and safe-output PR creation, improved self-hosted runner docs, and a raised max-runs default for larger workflows.

✨ What's New

  • gh aw compile --staged — Force workflows into staged mode at compile time. (#31975)
  • Custom Go analysis linters: pkg/linters ships a new largefunc linter sample. (#31958)
  • gh aw fix codemods — Rewrites single-quoted tools.bash args and lowercases discussion trigger categories. (#31874, #31872)
  • Decentralized label_command routing via agentic_commands.yml. (#31917)
  • REST API for agent session task creation — More reliable than gh CLI. (#32028)
  • Higher default max-runs — Raised from 100 to 500. (#31986)
  • Runner and actor OTel attributes for cross-runner observability. (#31913)

🐛 Bug Fixes & Improvements

  • Signed commits: refuse unsafe fallback. pushSignedCommits no longer silently falls back to unsigned git push. (#31876)
  • create_pull_request bundle ref mismatch fixed in safe output. (#31955)
  • ARC/DinD detection now matches any (redacted) DOCKER_HOST. (#31996)
  • on: subsection indentation parser bug fixed. (#31871)
  • gh aw lint false positives fixed. (#31916)
  • Early CI lint gate reduces lint-fix PR churn. (#31921)

📚 Documentation

  • Self-hosted runner guide: GHES and ARC sections. (#31923)
  • Claude Quick Start parity and engine-neutral architecture labels. (#32016)
  • Frontmatter reference: inline-sub-agents and max-effective-tokens documented. (#32010)
  • repository_dispatch FAQ and trigger reference. (#31979)

🌍 Community Contributions

@michen00

@octatone

@tore-unumed


For complete details, see CHANGELOG.

Generated by Release · ● 4.9M


What's Changed

  • Fix S1011 staticcheck lint failure in central_slash_command_workflow.go by @Copilot in #31858
  • Fix failing "Integration: Workflow Misc Part 2" tests by @Copilot in #31860
  • [jsweep] Clean action_conclusion_otlp.cjs by @github-actions[bot] in #31868
  • Fix on: subsection indentation handling causing test workflow failures by @Copilot in #31871
  • chore: streamline outcome collection by @mnkiefer in #31888
  • fix(push-signed-commits): refuse unsigned git push fallback for structurally unsignable commits by @Copilot in #31876
  • [actions] Update GitHub Actions versions - 2026-05-13 by @github-actions[bot] in #31893
  • fix(duplicate-code-detector): allow github.com and api.github.com through firewall by @Copilot in #31904
  • Add gh aw fix codemod to rewrite single-quoted tools.bash args safely by @Copilot in #31874
  • feat: implement outcome telemetry export by @mnkiefer in #31897
  • Refactor update workflow call chain to use a shared options struct by @Copilot in #31886
  • Refactor duplicated on-trigger section entry/reset logic in YAML on-section extraction by @Copilot in #31881
  • Add GH_TOKEN to dev-mode gh-aw runtime install step generation by @Copilot in #31898
  • Refactor permission-scope string conversion to validated inventory lookup by @Copilot in #31899
  • Docs UX: Convert “Getting Help” run-on guidance into prioritized numbered steps by @Copilot in #31900
  • Add default gh aw fix codemod to lowercase discussion trigger categories in frontmatter by @Copilot in #31872
  • Docs/tests: include pre-agent-steps and post-steps in shared import allowlist by @Copilot in #31912
  • Centralize filesystem permission policy and remove raw octal modes from production callsites by @Copilot in #31915
  • Add runner and actor_id OTel resource attributes for cross-runner observability by @Copilot in #31913
  • Add scheduled pr-sous-chef workflow to advance open PRs toward maintainer review by @Copilot in #31911
  • Align strict-mode compatibility: allow Playwright MCP warnings and honor workflow-level strict opt-out for pull_request_target by @Copilot in #31914
  • [docs] Update glossary - daily scan by @github-actions[bot] in #31924
  • chore: update outcome collector by @mnkiefer in #31936
  • [spec-enforcer] Enforce specifications for logger, parser, repoutil by @github-actions[bot] in #31935
  • Refactor audit command hot-spots to use a shared AuditOptions API by @Copilot in #31920
  • Fix gh aw lint false positives breaking make lint-lock by @Copilot in #31916
  • Fix Issue Arborist Repo Mind Light token by @szabta89 in #31942
  • Add detail_level A/B experiment to daily architecture diagram workflow output by @Copilot in #31927
  • [function-namer] Improve internal helper naming in pkg/workflow for agent discoverability by @Copilot in #31951
  • Enforce pre-submission lint hygiene and add an early CI lint gate to reduce lint-fix PR churn by @Copilot in #31921
  • [docs] Consolidate developer specifications into instructions file (v9.6) by @github-actions[bot] in #31957
  • fix(otel): emit gh-aw.engine.id on setup spans via shared resolveEngineId helper by @Copilot in #31956
  • chore: enhance outcome evaluation process by @mnkiefer in #31938
  • Fix Issue Arborist pre-agent issue fetch by @szabta89 in #31954
  • Document pkg/testutil dependency on pkg/constants in package spec by @Copilot in #31950
  • feat: add pkg/linters with custom Go analysis linters (largefunc sample) by @Copilot in #31958
  • docs: add runner environment requirements, GHES, and ARC sections to self-hosted guide by @salmanmkc in #31923
  • Handle bundle ref mismatch in create_pull_request safe output by @Copilot in #31955
  • [docs] Update documentation for features from 2026-05-13 by @github-actions[bot] in #31928
  • Add --staged flag to compile for forced staged workflows by @Copilot in #31975
  • Fix gh-aw extension setup collisions in generated workflows by @Copilot in #31952
  • Creating a dynamic agent of the day blog entry by @Copilot in #31981
  • Add patterns router prompt and wire dispatcher routing by @Copilot in #31985
  • Close SPDD gaps for forecast discovery, frontmatter hash limits, and related specs by @Copilot in #31984
  • Increase default max-runs from 100 to 500 across compiler, schema, and docs by @Copilot in #31986
  • docs: add repository_dispatch FAQ and trigger reference for external system integrations by @Copilot in #31979
  • daily-experiment-report: install numpy/matplotlib when running on PyPy by @Copilot in #31992
  • Add decentralized label_command routing via agentic_commands.yml by @Copilot in #31917
  • Strengthen create-pull-request safe output guardrails: always recommend allowed-files by @Copilot in #31999
  • restrict create-pull-request to docs/** files in blog-writer workflow by @Copilot in #31998
  • [WIP] Fix failing GitHub Actions job Lint Gate by @Copilot in #32004
  • [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #32003
  • [caveman] Optimize instruction verbosity — agentic-chat, campaign, cli-commands, context (2026-05-13) by @github-actions[bot] in #32019
  • [deep-report] Add missing top-level inline-sub-agents and max-effective-tokens to canonical frontmatter references by @Copilot in #32010
  • fix: broaden ARC/DinD detection to match any tcp:// DOCKER_HOST by @salmanmkc in htt...

v0.74.1

13 May 05:25
Immutable release. Only release title and notes can be modified.
7398cdd

v0.74.1 Pre-release

🌟 Release Highlights

This release brings new workflow control features, security hardening, improved observability, and resolves several community-reported issues including ARC/DinD runner support and lockfile consistency fixes.

✨ What's New

  • Pre-activation author gating — New on.skip-author-associations field lets you gate workflow activation by the triggering user's repository association (e.g. allow only MEMBER or OWNER), reducing unnecessary agent runs. (#31836)
  • Concurrency queue support: the concurrency.queue field and queue-aware conclusion job defaults give fine-grained control over concurrent workflow execution. (#31764)
  • Immediate command reactions — Centralized slash-command workflows now post emoji reactions immediately upon receipt and propagate the desired reaction context throughout the run. (#31847)
  • Outcome evaluation for safe outputs — Safe output jobs can now declare pass/fail outcomes, enabling automated evaluation of agent results. (#31776)
  • Token steering compiler support: firewall.effective-token-steering is now parsed and rendered in the agent and gateway JS parsers. (#31796, #31823)
  • Improved OTel accuracy — The gh-aw.agent span now captures the true Execute-Agent-CLI start time, excluding pre-agent overhead from telemetry. (#31808)
  • Stricter schema validation — Unused top-level command keys in main workflow frontmatter now produce a clear validation error. (#31750)

🐛 Bug Fixes & Improvements

  • Fixed dispatch-workflow validation incorrectly rejecting workflows in target repos under the Side Repo Ops pattern. (#31835, resolves #31831)
  • Fixed redirect-only workflows being misidentified as shared workflow components. (#31800, resolves #31689)
  • Fixed lockfile differences between fork contributor checkouts and upstream CI. (#31613, resolves #31612)
  • Fixed bundle transport failures in shallow checkouts where git fetch rejected bundle prerequisites. (#31603, resolves #31600)
  • Fixed plan context substitution failures (/plan) for slash-command runs. (#31849)
  • Fixed double quotes in experiment comparison expressions that broke evaluation. (#31770)
  • Fixed centralized slash_command reaction and status-comment gating. (#31775)
  • Clarified npm and pip package name validation error messages. (#31822)
  • Normalized non-release agentic_commands.yml compiler metadata to dev. (#31829)

🔒 Security

  • URL protocol sanitizer switched to an allowlist model, closing a potential bypass via non-://-scheme URLs. (#31715)
  • stripDangerousAttributes now strips title= and data-* attributes, closing a hidden injection channel. (#31707)

🏗️ ARC / DinD Runner Support

Two long-standing community requests for ARC (Actions Runner Controller) support are resolved:

  • First-class ARC runner support for AWF-backed workflows. (#31614, resolves #30840)
  • AWF chroot mode now supports ARC/DinD Docker daemon filesystems without manual staging. (resolves #30838)

📚 Documentation

  • Troubleshooting / common-issues page trimmed by ~27% for faster scanning. (#31756)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bmerkle

@mrjf

@rhardouin

@trask

@yskopets


For complete details, see CHANGELOG.

Generated by Release · ● 3.8M


What's Changed

  • docs: extend memory.md with built-in GitHub graph and git history strategies by @Copilot in #31594
  • Reduce ParseWorkflow regression by optimizing frontmatter delimiter parsing by @Copilot in #31583
  • perf(workflow): cache manifest baseline lookup in CompileWorkflow path by @Copilot in #31584
  • Stabilize DIFC proxy integration check by replacing flaky /rate_limit assertion by @Copilot in #31595
  • [q] fix(weekly-blog-post-writer): dedupe Agent of the Week using published blog history by @Copilot in #31593
  • Align audit/trial help text and update docs for update --cool-down by @Copilot in #31597
  • [docs] Self-healing documentation fixes from issue analysis - 2026-05-12 by @github-actions[bot] in #31604
  • build(deps): bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #31601
  • fix: link default footers to workflow run URL instead of agentic_workflow subpage by @Copilot in #31611
  • Reduce ExtractWorkflowNameFromFile overhead in the title-scan path by @Copilot in #31598
  • Fix bundle transport in shallow checkouts by @Copilot in #31603
  • fix(engines): normalize wildcard bash commands to canonical tool permission syntax by @Copilot in #31599
  • Address review feedback: dedupe normalized Claude Bash tools and tighten release bash permissions by @Copilot in #31615
  • Prefer upstream remote for gh aw compile schedule seed in fork checkouts by @Copilot in #31613
  • Auto-detect ARC/DinD and emit AWF --docker-host-path-prefix in generated workflows by @Copilot in #31614
  • [code-simplifier] refactor: extract awfVersionAtLeast helper to deduplicate version-check functions by @github-actions[bot] in #31627
  • Enable OTLP export for Agentic Portfolio Yield by @Copilot in #31647
  • Add optional payload input to dependabot-worker reusable workflow by @mnkiefer in #31679
  • [instructions] Sync instruction files with release v0.72.1 by @github-actions[bot] in #31661
  • [spec-extractor] Update package specifications for agentdrain, cli, console, constants by @github-actions[bot] in #31669
  • [docs] Update glossary - daily scan 2026-05-12 by @github-actions[bot] in #31672
  • [docs] Update documentation for features from 2026-05-12 by @github-actions[bot] in #31676
  • [spec-enforcer] Enforce specifications for fileutil, gitutil, jsonutil by @github-actions[bot] in #31683
  • Refactor workflow feature gates to use a shared version-threshold helper by @Copilot in #31642
  • Classify repeated permission-denied failures as missing tool/permission issues in Copilot/Claude/Codex harnesses by @Copilot in #31629
  • Treat gh aw as a first-class runtime with release setup-cli injection, dev source build, and firewall domains by @Copilot in #31622
  • fix: propagate DOCKER_HOST to MCP gateway for ARC/dind runners by @salmanmkc in #31670
  • Fix build-wasm CI failure by updating stale wasm compile fixture goldens by @Copilot in #31698
  • fix: apply gofmt to runtime_definitions.go by @Copilot in #31700
  • feat: add GHES-compatible artifact action versions via feature flag by @salmanmkc in #31664
  • fix: decode named invisible-char HTML entities in decodeHtmlEntities to close @mention bypass by @Copilot in #31703
  • fix: strip title= and data-* attributes in stripDangerousAttributes to close hidden injection channel by @Copilot in #31707
  • test: parity regression guard for alias-branch template delimiter neutralization by @Copilot in #31712
  • fix(sanitize): switch sanitizeUrlProtocols to allowlist for ://-scheme URLs by @Copilot in #31715
  • build(deps-dev): bump @playwright/test from 1.59.1 to 1.60.0 in /docs by @dependabot[bot] in #31743
  • build(deps-dev): bump @types/node from 25.6.0 to 25.7.0 in /actions/setup/js by @dependabot[bot] in #31742
  • build(deps-dev): bump @vitest/ui from 4.1.5 to 4.1.6 in /actions/setup/js by @dependabot[bot] in #31744
  • build(deps-dev): bump vitest from 4.1.5 to 4.1.6 in /actions/setup/js by @dependabot[bot] in https://github.com/gith...

v0.74.0

11 May 22:54
Immutable release. Only release title and notes can be modified.
1d1f164

v0.74.0 Pre-release

test

Generated by Release · ● 66.9M


What's Changed

  • fix: set_issue_field skips gracefully when repo has no issue fields by @Copilot in #31576
  • Integrate Repo Mind Light into Issue Arborist workflow by @Copilot in #31510
  • optimize: reduce token usage in three high-consumption workflows by @Copilot in #31582
  • Reduce Daily Syntax Error Quality workflow token churn without changing cadence by @Copilot in #31586
  • Fix firewall token usage reporting to preserve raw counts and remove cache-rate transforms by @Copilot in #31581
  • Fix golangci-lint failures in codemod and miner test files by @Copilot in #31590
  • Auto-bump version when release tag already exists by @Copilot in #31592

Full Changelog: v0.72.2...v0.74.0