Commit 8cd3274
Update github/gh-aw action to v0.67.0 (TryGhost#26567)
> ℹ️ **Note**
>
> This PR body was truncated due to platform limits.
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [github/gh-aw](https://redirect.github.com/github/gh-aw) | action | minor | `v0.51.5` → `v0.67.0` |
| [github/gh-aw](https://redirect.github.com/github/gh-aw) | action | minor | `v0.49.4` → `v0.67.0` |
---
### Release Notes
<details>
<summary>github/gh-aw (github/gh-aw)</summary>
### [`v0.67.0`](https://redirect.github.com/github/gh-aw/releases/tag/v0.67.0)
[Compare Source](https://redirect.github.com/github/gh-aw/compare/v0.66.1...v0.67.0)
##### 🌟 Release Highlights
This release delivers a major observability milestone with full OTLP
trace export support, resolves critical GitHub MCP App token
authentication bugs, expands the environment variable reference
documentation, and addresses a wave of community-reported issues across
self-hosted runners, cross-repo workflows, and the Codex engine.
##### ✨ What's New
##### 📡 OTLP Trace Export (`observability.otlp`)
Workflows can now export structured OpenTelemetry spans to any
OTLP-compatible backend (e.g. Honeycomb, Grafana Tempo, Sentry) with a
single frontmatter block:
```yaml
observability:
  otlp:
    endpoint: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
    headers: ${{ secrets.GH_AW_OTEL_HEADERS }}
```
Every job emits setup and conclusion spans with rich attributes
(`gh-aw.job.name`, `gh-aw.workflow.name`, `gh-aw.engine.id`, token
usage, and more). Cross-job trace correlation is wired automatically —
all jobs in a run share a single trace ID originating from the
activation job. Dispatched child workflows inherit the parent's trace
context via `aw_context`, giving you end-to-end visibility across
composite workflow chains. When a static endpoint URL is provided, its
hostname is automatically added to the AWF firewall allowlist.
##### 📚 Environment Variable Reference
A new comprehensive [Environment
Variables](https://github.github.com/gh-aw/reference/environment-variables/)
reference section covers CLI configuration (`DEBUG`, `GH_AW_FEATURES`,
…), per-phase model override variables (`GH_AW_MODEL_AGENT_*`), and
guard policy fallback variables (`GH_AW_GITHUB_BLOCKED_USERS`,
`GH_AW_GITHUB_TRUSTED_USERS`) — previously discoverable only by reading
source code.
##### 🐛 Bug Fixes & Improvements
- **GitHub MCP App token always empty** —
`actions/create-github-app-token` masks its output token and GitHub
Actions runner v2.308+ silently drops masked values from job outputs,
causing `github_mcp_app_token` to always arrive empty in the agent job
(GitHub MCP server ran unauthenticated). The token is now minted
directly in the agent job to avoid the cross-job output masking issue.
*(closes
[#​24569](https://redirect.github.com/github/gh-aw/issues/24569))*
- **Duplicate "Generate GitHub App token" step** — when multiple
`checkout:` entries fell back to the top-level `github-app:`, the
compiler produced steps with the same name, causing a duplicate-step
validation error. Each step is now uniquely named. *(closes
[#​24573](https://redirect.github.com/github/gh-aw/issues/24573))*
- **Tavily MCP docs and `mcp inspect` missing servers** — the web-search
guide referenced the wrong npm package (`@tavily/mcp-server` →
`@tavily/mcp`) and a dead GitHub URL. Additionally, `gh aw mcp inspect`
now correctly reports MCP servers defined in imported workflows and
handles `on: issues` string triggers. *(closes
[#​24567](https://redirect.github.com/github/gh-aw/issues/24567))*
- **`repo-memory` file-glob patterns silently skipping files** —
documentation and several built-in workflow templates incorrectly
instructed agents to prefix `file-glob` patterns with the branch path
(e.g. `memory/branch-name/*.json`). Patterns are matched against
relative paths from the artifact directory, so bare extension patterns
(`*.json`) are correct. All affected workflows and the reference docs
have been fixed.
- **Remote workflow calls** — fixed a regression that broke
`workflow_call` triggers in cross-repository setups. *(closes
[#​24422](https://redirect.github.com/github/gh-aw/issues/24422))*
- **`workflow_call` missing `ref:` in cross-repo checkout** — activation
job now correctly passes `ref:` when checking out a target repository
for `workflow_call` triggers. *(closes
[#​20508](https://redirect.github.com/github/gh-aw/issues/20508))*
- **`setup.sh` `create_dir()` fails on self-hosted Linux runners** —
`create_dir()` now uses `sudo` when the runner user lacks write access
to `/opt/`. *(closes
[#​20283](https://redirect.github.com/github/gh-aw/issues/20283))*
- **Codex engine on self-hosted runners** — the vendored
`codex-x86_64-unknown-linux-musl` binary now correctly supports
`--dangerously-bypass-approvals-and-sandbox`. *(closes
[#​20157](https://redirect.github.com/github/gh-aw/issues/20157))*
- **`GH_AW_SAFE_OUTPUTS_CONFIG_PATH` / `GH_AW_SAFE_OUTPUTS_TOOLS_PATH`
not available as env vars** — these paths are now written to both
`GITHUB_OUTPUT` and `GITHUB_ENV` so downstream jobs can reference them
as environment variables. *(closes
[#​23092](https://redirect.github.com/github/gh-aw/issues/23092))*
- **`agent_version: latest` causes 400 Bad Request with Gemini models**
— version resolution now correctly handles `latest` for model/version
combinations that do not support it. *(closes
[#​20833](https://redirect.github.com/github/gh-aw/issues/20833))*
- **Runtime parameterization of frontmatter fields** — compile-time
frontmatter fields can now be overridden at runtime via `${{ vars.* }}`
or `${{ secrets.* }}` expressions in supported fields. *(closes
[#​23724](https://redirect.github.com/github/gh-aw/issues/23724))*
##### 🔧 Internal
- Shared OTLP observability config extracted into
`shared/observability-otlp.md`, adopted by 54 workflows (30% of the
repo).
- `hourly-ci-cleaner` switched to the Claude engine with `max-turns:
20`, scoped `make recompile` to only when `.md` files changed, and added
exit guardrails to eliminate the previous \~43% failure rate.
- Token optimizer data loading moved to deterministic pre-agentic steps,
removing dependency on the unreliable `agentic-workflows` MCP container.
***
<details>
<summary>🌍 Community Contributions — A huge thank you to the community
members who reported issues that were resolved in this
release!</summary>
##### `@bbonafed`
- [Ask: Runtime Parameterization of Compile-Time Frontmatter
Fields](https://redirect.github.com/github/gh-aw/issues/23724) *(direct
issue)*
##### `@Esomoire-consultancy-Company`
- [✨ Set up Copilot
instructions](https://redirect.github.com/github/gh-aw/issues/20207)
*(direct issue)*
##### `@glitch-ux`
- [docs: add CLI and operator environment variable
reference](https://redirect.github.com/github/gh-aw/issues/24403)
*(direct issue)*
##### `@grahame-white`
- [BUG: Downstream 'GH\_AW\_SAFE\_OUTPUTS\_CONFIG\_PATH' and
'GH\_AW\_SAFE\_OUTPUTS\_TOOLS\_PATH' variables not available as env vars
due to GITHUB\_OUTPUT-only
write](https://redirect.github.com/github/gh-aw/issues/23092) *(direct
issue)*
##### `@jaroslawgajewski`
- [feat: OTLP trace export from agent
runtime](https://redirect.github.com/github/gh-aw/issues/24373) *(direct
issue)*
##### `@johnwilliams-12`
- [Activation job missing `ref:` in cross-repo checkout for
workflow\_call
triggers](https://redirect.github.com/github/gh-aw/issues/20508)
*(direct issue)*
##### `@MattSkala`
- [Invalid tavily MCP search link and config in
docs](https://redirect.github.com/github/gh-aw/issues/24567) *(direct
issue)*
##### `@microsasa`
- [agent\_version: latest causes 400 Bad Request with
gemini-3-pro-preview
model](https://redirect.github.com/github/gh-aw/issues/20833) *(direct
issue)*
##### `@Rubyj`
- [setup.sh: create\_dir() does not use sudo on Linux, breaks
self-hosted runners where runner user lacks write access to
/opt/](https://redirect.github.com/github/gh-aw/issues/20283) *(direct
issue)*
##### `@straub`
- [Bug: `github_mcp_app_token` activation output silently skipped —
regression introduced in
#​24251](https://redirect.github.com/github/gh-aw/issues/24569)
*(direct issue)*
##### `@strawgate`
- [Remote workflow call still
broken](https://redirect.github.com/github/gh-aw/issues/24422) *(direct
issue)*
##### `@tomasmed`
- [Codex engine fails on self-hosted runner: vendored
codex-x86\_64-unknown-linux-musl binary does not support
--dangerously-bypass-approvals-and-sandbox](https://redirect.github.com/github/gh-aw/issues/20157)
*(direct issue)*
##### `@yskopets`
- [Bug: duplicate 'Generate GitHub App token' step in activation job
when checkout + tools.github used with top-level
github-app](https://redirect.github.com/github/gh-aw/issues/24573)
*(direct issue)*
</details>
***
For complete details, see
[CHANGELOG](https://redirect.github.com/github/gh-aw/blob/main/CHANGELOG.md).
> Generated by
[Release](https://redirect.github.com/github/gh-aw/actions/runs/23992831754/agentic_workflow)
· ● 2.5M
<!-- gh-aw-agentic-workflow: Release, engine: copilot, model: auto, id:
23992831754, workflow_id: release, run:
https://github.com/github/gh-aw/actions/runs/23992831754 -->
***
##### What's Changed
- fix: handle null token\_usage in optimizer jq aggregations by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24400](https://redirect.github.com/github/gh-aw/pull/24400)
- feat: create shared/token-logs-24h.md to ensure log cache reuse across
token workflows by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24417](https://redirect.github.com/github/gh-aw/pull/24417)
- docs: add CLI and operator environment variable reference by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24407](https://redirect.github.com/github/gh-aw/pull/24407)
- fix: strip surrounding quotes from --allow-domains value in agent log
firewall parsing by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24409](https://redirect.github.com/github/gh-aw/pull/24409)
- chore: update drain3 default log pattern weights by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24423](https://redirect.github.com/github/gh-aw/pull/24423)
- feat(logs): query GitHub API rate limit before each batch iteration by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24424](https://redirect.github.com/github/gh-aw/pull/24424)
- feat: show dedicated message for cyber\_policy\_violation engine
failures by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24428](https://redirect.github.com/github/gh-aw/pull/24428)
- feat: add missing OpenAI GPT model multipliers by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24430](https://redirect.github.com/github/gh-aw/pull/24430)
- Comment out `stale-check` in generated lock.yml by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24435](https://redirect.github.com/github/gh-aw/pull/24435)
- feat: add Python trending charts to Copilot Token Usage Analyzer by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24434](https://redirect.github.com/github/gh-aw/pull/24434)
- fix: install gh-aw CLI in shared token-logs-24h before fallback
download by [@​lpcox](https://redirect.github.com/lpcox) in
[#​24438](https://redirect.github.com/github/gh-aw/pull/24438)
- Fix stale lock check to resolve callee repo for cross-repo reusable
workflows by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24433](https://redirect.github.com/github/gh-aw/pull/24433)
- \[docs] Remove redundant Safe Output Operations section from
project-tracking by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24432](https://redirect.github.com/github/gh-aw/pull/24432)
- Update Token Usage step summary and convert to JavaScript by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24436](https://redirect.github.com/github/gh-aw/pull/24436)
- fix: add rate limit and error logging to shared token-logs step by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24444](https://redirect.github.com/github/gh-aw/pull/24444)
- fix: guard gh-aw-logs commands against set -e errexit by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24447](https://redirect.github.com/github/gh-aw/pull/24447)
- chore: update drain3 default log pattern weights by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24446](https://redirect.github.com/github/gh-aw/pull/24446)
- \[code-simplifier] refactor: extract duplicate GitHub repo path regex
to named constant by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24449](https://redirect.github.com/github/gh-aw/pull/24449)
- chore: remove token usage analyzers, optimizers, and shared deps by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24448](https://redirect.github.com/github/gh-aw/pull/24448)
- docs: enhance existing pages with audit cross-references and glossary
entries by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24453](https://redirect.github.com/github/gh-aw/pull/24453)
- chore(deps): bump defu from 6.1.4 to 6.1.6 in /docs in the
npm\_and\_yarn group across 1 directory by
[@​dependabot](https://redirect.github.com/dependabot)\[bot] in
[#​24455](https://redirect.github.com/github/gh-aw/pull/24455)
- Improve test quality: pkg/cli/awinfo\_steps\_test.go by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24452](https://redirect.github.com/github/gh-aw/pull/24452)
- Add compiler check disallowing secrets expressions in custom steps by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24450](https://redirect.github.com/github/gh-aw/pull/24450)
- \[docs] docs: document secrets-in-custom-steps compiler check (dev.md
v5.2) by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24466](https://redirect.github.com/github/gh-aw/pull/24466)
- \[instructions] Sync github-agentic-workflows.md with v0.66.1 by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24463](https://redirect.github.com/github/gh-aw/pull/24463)
- \[architecture] Update architecture diagram - 2026-04-04 by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24459](https://redirect.github.com/github/gh-aw/pull/24459)
- \[community] Update community contributions in README by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24464](https://redirect.github.com/github/gh-aw/pull/24464)
- test(agentdrain): rewrite anomaly\_test.go with testify and
table-driven tests by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24470](https://redirect.github.com/github/gh-aw/pull/24470)
- \[dead-code] chore: remove dead functions — 6 functions removed by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24476](https://redirect.github.com/github/gh-aw/pull/24476)
- \[docs] Self-healing documentation fixes from issue analysis -
2026-04-04 by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24493](https://redirect.github.com/github/gh-aw/pull/24493)
- docs: add guide for consuming audit reports with agents by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24454](https://redirect.github.com/github/gh-aw/pull/24454)
- fix: correct invalid anchor hash in glossary link to audit reference
by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24494](https://redirect.github.com/github/gh-aw/pull/24494)
- fix: fail-open on API rate limit in check\_skip\_if\_check\_failing;
sudo for AWF binary verification on GPU runners by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24482](https://redirect.github.com/github/gh-aw/pull/24482)
- feat: list secrets & custom actions in lock file header; move
gh-aw-metadata to first line by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24495](https://redirect.github.com/github/gh-aw/pull/24495)
- refactor: remove dead code, thin wrappers, and duplicate logic
identified in semantic clustering analysis by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24497](https://redirect.github.com/github/gh-aw/pull/24497)
- fix: remove bold tags from details/summary sections by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24502](https://redirect.github.com/github/gh-aw/pull/24502)
- fix: filter aw\_context from user-facing workflow inputs by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24521](https://redirect.github.com/github/gh-aw/pull/24521)
- Fix repo-root-relative import path resolution in `ResolveIncludePath`
by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24501](https://redirect.github.com/github/gh-aw/pull/24501)
- feat: add copilot-token-audit and copilot-token-optimizer workflows by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24528](https://redirect.github.com/github/gh-aw/pull/24528)
- fix: use gh aw --version to check CLI availability by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24535](https://redirect.github.com/github/gh-aw/pull/24535)
- fix: recompile token audit and optimizer lock files by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24543](https://redirect.github.com/github/gh-aw/pull/24543)
- docs: document import path resolution modes (relative,
repo-root-relative, cross-repo) by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24536](https://redirect.github.com/github/gh-aw/pull/24536)
- fix: spinner consumes stdin causing double-Enter required in
add-wizard by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24523](https://redirect.github.com/github/gh-aw/pull/24523)
- fix: reduce token audit scope to last 24 hours by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24547](https://redirect.github.com/github/gh-aw/pull/24547)
- fix: skip `engine: copilot` in add/add-wizard; add blank line
separator before source by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24539](https://redirect.github.com/github/gh-aw/pull/24539)
- feat: support token usage diff and multiple comparison runs in audit
diff command by [@​Copilot](https://redirect.github.com/Copilot)
in [#​24544](https://redirect.github.com/github/gh-aw/pull/24544)
- \[ca] test: add missing exportVariable and setOutput mocks to
parse\_mcp\_gateway\_log test by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24559](https://redirect.github.com/github/gh-aw/pull/24559)
- Improve action log step summary: 2-line tool previews and nicer agent
messages by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24558](https://redirect.github.com/github/gh-aw/pull/24558)
- Add `DefaultEngine` constant and replace semantic-default uses of
`CopilotEngine` by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24554](https://redirect.github.com/github/gh-aw/pull/24554)
- fix: handle partial results from gh aw logs on rate limit by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24571](https://redirect.github.com/github/gh-aw/pull/24571)
- \[docs] Update documentation for features from 2026-04-04 by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24574](https://redirect.github.com/github/gh-aw/pull/24574)
- fix(step-names): align Fetch step names and capitalize Write Gemini
Settings by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24578](https://redirect.github.com/github/gh-aw/pull/24578)
- fix: replace broken gh-aw install step in token audit workflow by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24590](https://redirect.github.com/github/gh-aw/pull/24590)
- \[log] add debug logging to agentdrain and parser packages by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24586](https://redirect.github.com/github/gh-aw/pull/24586)
- fix: mint GitHub MCP App token in agent job, not activation job by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24585](https://redirect.github.com/github/gh-aw/pull/24585)
- feat: OTLP trace export via observability.otlp frontmatter config by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24441](https://redirect.github.com/github/gh-aw/pull/24441)
- fix: replace broken gh-aw install step in token optimizer workflow by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24598](https://redirect.github.com/github/gh-aw/pull/24598)
- cleanup: remove legacy daily-copilot-token-report workflow by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24599](https://redirect.github.com/github/gh-aw/pull/24599)
- fix: revert minting tokens for mcp-servers github-app from activation
job back to agent job by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24600](https://redirect.github.com/github/gh-aw/pull/24600)
- fix: change token optimizer output from discussion to issue by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24605](https://redirect.github.com/github/gh-aw/pull/24605)
- feat: extend MCP gateway specification with optional OpenTelemetry
configuration (v1.11.0) by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24602](https://redirect.github.com/github/gh-aw/pull/24602)
- feat: propagate pre-activation trace-id to activation job and reduce
setup.sh verbosity by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24604](https://redirect.github.com/github/gh-aw/pull/24604)
- fix: remove branch-name prefix from repo-memory glob filter by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24613](https://redirect.github.com/github/gh-aw/pull/24613)
- fix: unique step names for checkout GitHub App token minting steps by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24609](https://redirect.github.com/github/gh-aw/pull/24609)
- fix: update stale anchor in glossary for `gh aw audit diff` by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24620](https://redirect.github.com/github/gh-aw/pull/24620)
- fix: correct file-glob pattern docs and workflows for repo-memory by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24621](https://redirect.github.com/github/gh-aw/pull/24621)
- fix: move optimizer data loading to pre-agentic steps by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24625](https://redirect.github.com/github/gh-aw/pull/24625)
- fix: token optimizer step ordering — move selection to agent by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24637](https://redirect.github.com/github/gh-aw/pull/24637)
- refactor: extract shared OTLP observability config, import in 30% of
workflows by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24626](https://redirect.github.com/github/gh-aw/pull/24626)
- Fix invalid Tavily MCP package name/link in docs and mcp inspect
missing servers bug by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24610](https://redirect.github.com/github/gh-aw/pull/24610)
- ci-cleaner: switch to Claude with max-turns, scope recompile, add exit
guardrails by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24623](https://redirect.github.com/github/gh-aw/pull/24623)
**Full Changelog**:
<https://github.com/github/gh-aw/compare/v0.66.1...v0.67.0>
### [`v0.66.1`](https://redirect.github.com/github/gh-aw/releases/tag/v0.66.1)
[Compare Source](https://redirect.github.com/github/gh-aw/compare/v0.66.0...v0.66.1)
##### 🌟 Release Highlights
This release focuses on **richer observability from `gh aw logs`** —
flat classification fields, per-tool-call metrics, and consolidated
security reporting — along with several community-driven bug fixes and
feature additions.
##### ⚠️ Breaking Changes
**`gh aw audit report` has been removed.** Cross-run security reports
are now generated directly by `gh aw logs --format`:
```bash
# Before
gh aw audit report --workflow "agent-task" --last 10
gh aw audit report --format pretty
gh aw audit report --last 5 --json
# After
gh aw logs agent-task --format markdown --count 10
gh aw logs --format pretty
gh aw logs --format markdown --last 5 --json
```
The new `--last` flag is available as an alias for `--count` to ease
migration. All existing `--json` output continues to work.
##### ✨ What's New
- **Flat run classification in `gh aw logs --json`**: Each run now
carries a top-level `classification` string (`"risky"`, `"normal"`,
`"baseline"`, or `"unclassified"`), eliminating the need to null-guard
against deeply nested `comparison.classification.label`. Query it
directly:
```bash
gh aw logs --json | jq '.runs[] | {id: .database_id, classification}'
```
- **Per-tool-call metrics in logs**: Episode responses now include
granular tool-call metrics — token usage, failure counts, and latency
per tool — making it possible to identify which tools consume the most
resources or fail most frequently.
- **Discussion thread reply support**: The `add-comment` safe output now
accepts a `reply_to_id` field, enabling agents to post threaded replies
within GitHub Discussions.
- **`auth` field accepted in HTTP MCP server config**: Frontmatter
validation no longer rejects the `auth` field on HTTP MCP servers,
unblocking workflows that use authenticated remote MCP endpoints.
- **Fuzzy schedule no longer requires an `origin` remote**: Workflows
using fuzzy/relative schedules now work correctly in repositories
without a configured `origin` remote.
##### 🐛 Bug Fixes & Improvements
- **Token analysis workflows fixed**: All four token workflows
(Copilot/Claude analyzers and optimizers) now correctly parse `gh aw
logs --json` output — extracting `.runs[]` and using snake\_case field
names. A new shared `token-logs-fetch` workflow pre-fetches logs once
daily to avoid redundant API calls.
- **Null-safe jq aggregations**: Token optimizer workflows no longer
crash with a division-by-zero error when runs have zero token usage.
##### 📚 Documentation
- **Agent-assisted workflow import guide**: The [packaging and imports
guide](https://github.github.com/gh-aw/guides/packaging-imports/) now
includes a step-by-step walkthrough for using a coding agent to import
and adapt a workflow from another repository, with tabbed prompt
examples for common use cases.
##### 🌍 Community Contributions
<details>
<summary>A huge thank you to the community members who reported issues
that were resolved in this release!</summary>
##### `@bbonafed`
- [`auth` field on HTTP MCP servers rejected by frontmatter schema
validation](https://redirect.github.com/github/gh-aw/issues/24323)
*(direct issue)*
##### `@corygehr`
- [add-comment: support reply\_to\_id field in agent output for
discussion
threading](https://redirect.github.com/github/gh-aw/issues/24355)
*(direct issue)*
##### `@jaroslawgajewski`
- [feat(mcp): Add per-tool-call metrics to `logs`
response](https://redirect.github.com/github/gh-aw/issues/24372)
*(direct issue)*
- [feat(mcp): Include classification label in `logs` tool
response](https://redirect.github.com/github/gh-aw/issues/24371)
*(direct issue)*
##### `@jeffhandley`
- [Fuzzy schedule requires an 'origin'
remote](https://redirect.github.com/github/gh-aw/issues/24384) *(direct
issue)*
</details>
***
For complete details, see
[CHANGELOG](https://redirect.github.com/github/gh-aw/blob/main/CHANGELOG.md).
> Generated by
[Release](https://redirect.github.com/github/gh-aw/actions/runs/23965994010/agentic_workflow)
· ● 1.9M
<!-- gh-aw-agentic-workflow: Release, engine: copilot, model: auto, id:
23965994010, workflow_id: release, run:
https://github.com/github/gh-aw/actions/runs/23965994010 -->
***
##### What's Changed
- \[log] Add debug logging to agentdrain package by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24383](https://redirect.github.com/github/gh-aw/pull/24383)
- Wrap token usage step summary in a details section by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24375](https://redirect.github.com/github/gh-aw/pull/24375)
- fix: add `auth` field to `http_mcp_tool` frontmatter schema by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24369](https://redirect.github.com/github/gh-aw/pull/24369)
- \[actions] Update GitHub Actions versions - 2026-04-03 by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24378](https://redirect.github.com/github/gh-aw/pull/24378)
- Proactively ignore .dockerbuild artifacts in logs download by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24386](https://redirect.github.com/github/gh-aw/pull/24386)
- feat(add-comment): support reply\_to\_id for discussion threading from
any trigger by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24367](https://redirect.github.com/github/gh-aw/pull/24367)
- fix: reduce API rate limit pressure in train-drain3-weights workflow
by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24392](https://redirect.github.com/github/gh-aw/pull/24392)
- feat(mcp): Surface repository and organization in logs tool response
by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24391](https://redirect.github.com/github/gh-aw/pull/24391)
- fix: fuzzy schedule scattering works with non-`origin` remote names by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24390](https://redirect.github.com/github/gh-aw/pull/24390)
- feat(logs): add top-level `classification` field to `RunData` in logs
response by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24394](https://redirect.github.com/github/gh-aw/pull/24394)
- feat(mcp): Add per-tool-call metrics to `logs` episode response by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24389](https://redirect.github.com/github/gh-aw/pull/24389)
- docs: add agent-assisted import & adapt section to packaging-imports
guide by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24397](https://redirect.github.com/github/gh-aw/pull/24397)
- feat: merge `gh aw audit report` into `gh aw logs --format` by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24396](https://redirect.github.com/github/gh-aw/pull/24396)
- fix: align token workflows with gh-aw logs --json schema and add
shared log caching by [@​lpcox](https://redirect.github.com/lpcox)
in [#​24395](https://redirect.github.com/github/gh-aw/pull/24395)
**Full Changelog**:
<https://github.com/github/gh-aw/compare/v0.66.0...v0.66.1>
### [`v0.66.0`](https://redirect.github.com/github/gh-aw/releases/tag/v0.66.0)
[Compare Source](https://redirect.github.com/github/gh-aw/compare/v0.65.7...v0.66.0)
##### 🌟 Release Highlights
This release focuses on **AI observability**, **workflow reliability**,
and **threat detection extensibility** — making it easier to monitor
agent token usage, debug anomalies, and customize security
pre/post-steps.
##### ✨ What's New
- **Token Usage Artifact**
([#​24315](https://redirect.github.com/github/gh-aw/pull/24315)) —
Agent token counts are now bundled as an `agent_usage.json` artifact
alongside each run, enabling third-party tooling and dashboards to
consume structured token data without parsing step summaries.
- **Log Pattern Mining in Audit & Logs**
([#​24328](https://redirect.github.com/github/gh-aw/pull/24328)) —
`gh aw audit report` now includes an **Agent Event Pattern Analysis**
section powered by Drain3 log template mining. Use the new `gh aw logs
--train` flag to train weights from your own run history, improving
anomaly detection accuracy over time.
- **Threat Detection Pre-Steps & Post-Steps**
([#​24250](https://redirect.github.com/github/gh-aw/pull/24250)) —
The threat detection job now supports custom `pre-steps` and
`post-steps`, giving security teams the ability to run custom checks
before and after detection without modifying the compiled workflow.
- **`create_labels` Maintenance Operation**
([#​24341](https://redirect.github.com/github/gh-aw/pull/24341)) —
A new `agentics-maintenance.yml` operation automatically creates any
missing repository labels referenced in safe-outputs. Also, `compile
--json` now includes a `labels` field per `ValidationResult` and exposes
a `--no-emit` option.
- **GitHub App Token Minting Moved to Activation Job**
([#​24251](https://redirect.github.com/github/gh-aw/pull/24251)) —
GitHub App token minting now happens in the activation job, improving
security posture and reducing token lifetime exposure in downstream
jobs.
##### 🐛 Bug Fixes & Improvements
- **GH\_HOST regression fixed**
([#​24321](https://redirect.github.com/github/gh-aw/pull/24321)) —
The `Install GitHub Copilot CLI` step no longer silently drops the
`GH_HOST: github.com` environment pin introduced in v0.65.6, restoring
CLI functionality for users behind proxy configurations.
- **SARIF upload overhauled**
([#​24322](https://redirect.github.com/github/gh-aw/pull/24322)) —
Code scanning SARIF uploads now use a dedicated job with proper artifact
transfer, direct checkout token computation, and GitHub App checkout
support — resolving failures that required additional git commit
references.
- **`push_repo_memory` guarded against failed/skipped agents**
([#​24363](https://redirect.github.com/github/gh-aw/pull/24363)) —
The repo-memory push job now requires `needs.agent.result == 'success'`,
preventing stale or incomplete memory from being written when the agent
fails or is skipped.
- **Pipefail SIGPIPE fixes in token optimizer workflows**
([#​24350](https://redirect.github.com/github/gh-aw/pull/24350),
[#​24354](https://redirect.github.com/github/gh-aw/pull/24354)) —
Token analyzer and optimizer workflows were silently aborting artifact
download loops due to SIGPIPE (exit 141) under `set -euo pipefail`.
Replaced piped `while read` patterns with temp-file approaches.
- **Bundle transport fix for HEAD commits**
([#​24317](https://redirect.github.com/github/gh-aw/pull/24317)) —
Fixed a bug where the bundle transport failed when the agent committed
directly to HEAD instead of a named branch.
- **Compiler error formatting**
([#​24316](https://redirect.github.com/github/gh-aw/pull/24316)) —
Eliminated spurious `file:1:1:` prefix from double-wrapped compiler
errors, making diagnostics cleaner.
- **Daily Issues Report Generator restored**
([#​24349](https://redirect.github.com/github/gh-aw/pull/24349)) —
Fixed 11 consecutive days of failures caused by PATH issues on GPU
runners and a proxy-related `gh issue list` crash, with graceful
fallback to an empty dataset.
##### 📚 Documentation
- Updated CLI reference with `--train` flag docs, `--no-emit` option,
`labels` JSON field, Agent Event Pattern Analysis, and
`agent_usage.json` artifact table entry
([#​24377](https://redirect.github.com/github/gh-aw/pull/24377)).
- Expanded the Manual Maintenance Operations guide with a full table of
available operations including the new `create_labels` entry
([#​24377](https://redirect.github.com/github/gh-aw/pull/24377)).
##### 🌍 Community Contributions
<details>
<summary>A huge thank you to the community members who reported issues
that were resolved in this release!</summary>
##### `@adamhenson`
- [feat: expose compiled token data as job outputs or artifact (not just
step summary)](https://redirect.github.com/github/gh-aw/issues/24282)
*(direct issue)*
##### `@chrisfregly`
- [Missing Threat Detection Custom
Pre-Steps](https://redirect.github.com/github/gh-aw/issues/23963)
*(direct issue)*
##### `@jaroslawgajewski`
- [Suspected regression in v0.65.6: `Install GitHub Copilot CLI` no
longer emits `GH_HOST:
github.com`](https://redirect.github.com/github/gh-aw/issues/24259)
*(direct issue)*
##### `@kbreit-insight`
- [SARIF upload requires additional git commit
references](https://redirect.github.com/github/gh-aw/issues/23940)
*(direct issue)*
</details>
***
For complete details, see
[CHANGELOG](https://redirect.github.com/github/gh-aw/blob/main/CHANGELOG.md).
> Generated by
[Release](https://redirect.github.com/github/gh-aw/actions/runs/23962529811/agentic_workflow)
· ● 1.2M
<!-- gh-aw-agentic-workflow: Release, engine: copilot, model: auto, id:
23962529811, workflow_id: release, run:
https://github.com/github/gh-aw/actions/runs/23962529811 -->
***
##### What's Changed
- \[dead-code] chore: remove dead functions — 4 functions removed by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24288](https://redirect.github.com/github/gh-aw/pull/24288)
- \[docs] docs: consolidate dev.md to v5.1 — add 3 previously uncovered
spec files by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24275](https://redirect.github.com/github/gh-aw/pull/24275)
- \[instructions] Sync github-agentic-workflows.md with release v0.65.6
by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24273](https://redirect.github.com/github/gh-aw/pull/24273)
- \[docs] Update glossary - daily scan (imports and import-schema) by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24267](https://redirect.github.com/github/gh-aw/pull/24267)
- \[community] Update community contributions in README by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24271](https://redirect.github.com/github/gh-aw/pull/24271)
- \[architecture] Update architecture diagram - 2026-04-03 by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24264](https://redirect.github.com/github/gh-aw/pull/24264)
- Rename `isEmptyDiff` → `isEmptyFirewallDiff` for consistency by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24277](https://redirect.github.com/github/gh-aw/pull/24277)
- fix: remove stale `action-tag: v0` from daily-fact.md and recompile by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24310](https://redirect.github.com/github/gh-aw/pull/24310)
- refactor: eliminate duplicated AWF injection, secret validation, and
MCP secret collection across engine implementations by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24283](https://redirect.github.com/github/gh-aw/pull/24283)
- \[q] fix: show effective tokens (ET) in discussion footer by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24320](https://redirect.github.com/github/gh-aw/pull/24320)
- ci: skip `go mod download` on cache hit for 9 jobs by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24319](https://redirect.github.com/github/gh-aw/pull/24319)
- perf: eliminate repeated O(n) action pin scans and redundant
permissions parsing in MCP workflow compilation by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24256](https://redirect.github.com/github/gh-aw/pull/24256)
- feat: add pre-steps and post-steps to threat detection job by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24250](https://redirect.github.com/github/gh-aw/pull/24250)
- Fix double-wrapped compiler errors emitting spurious `file:1:1:`
prefix by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24316](https://redirect.github.com/github/gh-aw/pull/24316)
- fix: restore `GH_HOST: github.com` pin on Install GitHub Copilot CLI
step by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24321](https://redirect.github.com/github/gh-aw/pull/24321)
- Move github-app token minting to activation job by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24251](https://redirect.github.com/github/gh-aw/pull/24251)
- fix: bundle transport fails when agent commits to HEAD instead of
named branch by [@​Copilot](https://redirect.github.com/Copilot)
in [#​24317](https://redirect.github.com/github/gh-aw/pull/24317)
- feat: bundle token usage as agent artifact by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24315](https://redirect.github.com/github/gh-aw/pull/24315)
- fix: update wasm golden files to include GH\_HOST env var in Copilot
CLI install step by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24330](https://redirect.github.com/github/gh-aw/pull/24330)
- fix: install gh-aw CLI extension in workflow pre-steps by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24335](https://redirect.github.com/github/gh-aw/pull/24335)
- Fix workflow network allowlist gaps from 2026-04-03 firewall report by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24332](https://redirect.github.com/github/gh-aw/pull/24332)
- Upgrade charmbracelet/huh to charm.land/huh/v2 v2.0.3 by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24331](https://redirect.github.com/github/gh-aw/pull/24331)
- Migrate HuhTheme to huh v2 ThemeFunc API by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24343](https://redirect.github.com/github/gh-aw/pull/24343)
- feat: integrate log template mining into audit report and logs by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24328](https://redirect.github.com/github/gh-aw/pull/24328)
- fix: replace piped while loops with temp files to avoid pipefail
SIGPIPE by [@​lpcox](https://redirect.github.com/lpcox) in
[#​24350](https://redirect.github.com/github/gh-aw/pull/24350)
- Add create-labels maintenance operation and compile --json label
reporting by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24341](https://redirect.github.com/github/gh-aw/pull/24341)
- fix: eliminate piped while loops in token optimizer workflows by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24354](https://redirect.github.com/github/gh-aw/pull/24354)
- fix: restore Daily Issues Report Generator — AWF binary install +
issues data fetch resilience by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24349](https://redirect.github.com/github/gh-aw/pull/24349)
- Fix copy dictation instructions button on agentic-authoring page by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24362](https://redirect.github.com/github/gh-aw/pull/24362)
- fix: push\_repo\_memory should not run when agent job is skipped or
failed by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24363](https://redirect.github.com/github/gh-aw/pull/24363)
- fix: dedicated upload\_code\_scanning\_sarif job with SARIF artifact
transfer, direct checkout token computation, and github-app checkout
support by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24322](https://redirect.github.com/github/gh-aw/pull/24322)
- ci: skip GitHub API-heavy jobs on non-main branches by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24370](https://redirect.github.com/github/gh-aw/pull/24370)
- \[docs] Update documentation for features from 2026-04-03 by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24377](https://redirect.github.com/github/gh-aw/pull/24377)
- chore: update drain3 default log pattern weights by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24381](https://redirect.github.com/github/gh-aw/pull/24381)
**Full Changelog**:
<https://github.com/github/gh-aw/compare/v0.65.7...v0.66.0>
###
[`v0.65.7`](https://redirect.github.com/github/gh-aw/releases/tag/v0.65.7)
[Compare
Source](https://redirect.github.com/github/gh-aw/compare/v0.65.6...v0.65.7)
##### 🌟 Release Highlights
This release focuses on **cross-repo workflow reliability**,
**safe-outputs improvements**, and new **token optimization tooling** —
along with a handful of highly-requested community fixes.
##### ✨ What's New
- **MCP Gateway keepalive configuration** — Expose `keepalive-interval`
as a first-class frontmatter option under `sandbox.mcp`, preventing
session expiry during long-running agent tasks. [Learn
more](https://github.github.com/gh-aw/reference/mcp-gateway/)
- **Dynamic `github-token` expressions** — `github-token` fields in
safe-outputs now accept `${{ needs.JOB.outputs.OUTPUT }}` expressions,
enabling short-lived tokens minted by upstream jobs (e.g., via
`actions/create-github-app-token` or Octo STS) to be used seamlessly
with built-in safe outputs. [Learn
more](https://github.github.com/gh-aw/reference/safe-outputs/)
- **Daily token usage analysis workflows** — New
`daily-token-usage-analysis` and `daily-safe-output-optimizer` workflows
help you identify unused tools and reduce per-turn token costs — the
same pattern that has already produced concrete savings in
gh-aw-firewall.
- **Agent failure footers now include effective token count** — The
token consumption of each run is now surfaced directly in agent failure
issue/comment footers, making cost investigation faster.
##### 🐛 Bug Fixes & Improvements
- **Cross-repo `workflow_call` integrity check fixed** —
`GITHUB_WORKFLOW_REF` env var always reflects the top-level caller, not
the callee. The integrity check now correctly uses `github.workflow_ref`
(the Actions context expression) to resolve the called workflow's
source. Fixes long-standing failures for reusable remote workflows.
[Learn
more](https://github.github.com/gh-aw/reference/cross-repository/)
- **Stale `GH_HOST` and false fork-PR detection resolved** —
`configure_gh_for_ghe.sh` returned early for `github.com` without
clearing a previously-set `GH_HOST`, causing `gh pr checkout` and
related commands to fail against the wrong host. A secondary
false-positive fork detection was also removed. Closes
[#​24208](https://redirect.github.com/github/gh-aw/issues/24208),
[#​24217](https://redirect.github.com/github/gh-aw/issues/24217),
[#​24218](https://redirect.github.com/github/gh-aw/issues/24218).
- **Detection gate wired for imported safe-outputs** — Workflows that
declare no `safe-outputs:` in their own frontmatter but pull it in via
`imports:` were compiled without a `detection` job gate. This is now
correctly enforced.
- **CI Cleaner always produces safe outputs** — The CI Cleaner agent now
has a mandatory exit protocol ensuring at least one safe-output tool is
called before it exits, preventing silent "no safe outputs generated"
failures.
##### 📚 Documentation
- **Frontmatter hash clarified** — Documentation now accurately
describes the frontmatter hash as a *stale-lock detection* mechanism,
not a tamper-protection or security boundary, to avoid misleading
security assumptions. [See
reference](https://github.github.com/gh-aw/reference/frontmatter-hash-specification/)
- **Copilot Agent Files reference page** reduced from 167 → 125 lines
(25% leaner) while preserving all essential information.
##### 🔧 Maintenance
- Playwright Browser bumped to **v1.59.1** (Windows regression fix)
- MCP Gateway bumped to **v0.2.12**
- AWF Firewall bumped to **v0.25.13**
- 6 GitHub Actions updated to latest SHA-pinned releases
***
##### 🌍 Community Contributions
<details>
<summary>A huge thank you to the community members who reported issues
that were resolved in this release!</summary>
##### `@ferryhinardi`
- [Threat detection compile path ignores workflow network.allowed
domains](https://redirect.github.com/github/gh-aw/issues/24128) *(direct
issue)*
##### `@salekseev`
- [Support expression-based safe-outputs github-token from auth job
outputs](https://redirect.github.com/github/gh-aw/issues/24135) *(direct
issue)*
##### `@strawgate`
- [Remote workflow\_call appears
broken](https://redirect.github.com/github/gh-aw/issues/24199) *(direct
issue)*
- [Integrity check fails for cross-repo workflow\_call:
GITHUB\_WORKFLOW\_REF points to caller, not
callee](https://redirect.github.com/github/gh-aw/issues/23935) *(direct
issue)*
##### `@virenpepper`
- [engine: claude — squid proxy rejects chroot localhost connections
(transaction-end-before-headers)](https://redirect.github.com/github/gh-aw/issues/23765)
*(direct issue)*
</details>
***
For complete details, see
[CHANGELOG](https://redirect.github.com/github/gh-aw/blob/main/CHANGELOG.md).
> Generated by
[Release](https://redirect.github.com/github/gh-aw/actions/runs/23935051638/agentic_workflow)
· ● 716.4K
<!-- gh-aw-agentic-workflow: Release, engine: copilot, model: auto, id:
23935051638, workflow_id: release, run:
https://github.com/github/gh-aw/actions/runs/23935051638 -->
***
##### What's Changed
- \[docs] Update documentation for 2026-04-02 features by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24170](https://redirect.github.com/github/gh-aw/pull/24170)
- fix: wire detection gate for safe-outputs assembled entirely from
imports by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24155](https://redirect.github.com/github/gh-aw/pull/24155)
- fix(ci-cleaner): add mandatory exit protocol to always produce safe
outputs by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24182](https://redirect.github.com/github/gh-aw/pull/24182)
- \[actions] Update GitHub Actions versions - 2026-04-02 by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24181](https://redirect.github.com/github/gh-aw/pull/24181)
- \[log] Add debug logging to 4 Go files by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24180](https://redirect.github.com/github/gh-aw/pull/24180)
- chore: Bump AWF firewall version to v0.25.13 by
[@​lpcox](https://redirect.github.com/lpcox) in
[#​24185](https://redirect.github.com/github/gh-aw/pull/24185)
- feat: Add daily token usage analysis and optimization workflows by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24192](https://redirect.github.com/github/gh-aw/pull/24192)
- Include effective token count in agent failure issue/comment footer by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24196](https://redirect.github.com/github/gh-aw/pull/24196)
- fix(workflows): normalize report headers to h3+ and add progressive
disclosure by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24201](https://redirect.github.com/github/gh-aw/pull/24201)
- docs: clarify frontmatter hash is stale-lock detection, not tamper
protection by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24198](https://redirect.github.com/github/gh-aw/pull/24198)
- fix: Clear stale GH\_HOST and remove false fork PR detection
([#​24208](https://redirect.github.com/github/gh-aw/issues/24208))
by [@​lpcox](https://redirect.github.com/lpcox) in
[#​24221](https://redirect.github.com/github/gh-aw/pull/24221)
- feat: Expose MCP gateway keepalive-interval in workflow config schema
by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24220](https://redirect.github.com/github/gh-aw/pull/24220)
- \[docs] docs: reduce bloat in Copilot Agent Files reference page by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24223](https://redirect.github.com/github/gh-aw/pull/24223)
- fix: unset stale GH\_HOST when configuring gh for github.com by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24222](https://redirect.github.com/github/gh-aw/pull/24222)
- feat: Allow `${{ needs.JOB.outputs.OUTPUT }}` expressions in
`github-token` fields by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24215](https://redirect.github.com/github/gh-aw/pull/24215)
- Fix cross-repo workflow\_call integrity check: use
github.workflow\_ref instead of GITHUB\_WORKFLOW\_REF by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24200](https://redirect.github.com/github/gh-aw/pull/24200)
- \[jsweep] Clean add\_reaction\_and\_edit\_comment.cjs by
[@​github-actions](https://redirect.github.com/github-actions)\[bot]
in [#​24228](https://redirect.github.com/github/gh-aw/pull/24228)
- Use details/summary for progressive disclosure of failure reporting
tip by [@​Copilot](https://redirect.github.com/Copilot) in
[#​24229](https://redirect.github.com/github/gh-aw/pull/24229)
- chore: update Playwright Browser v1.59.1, MCP Gateway v0.2.12 by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​24226](https://redirect.github.com/github/gh-aw/pull/24226)
**Full Changelog**:
<https://github.com/github/gh-aw/compare/v0.65.6...v0.65.7>
###
[`v0.65.6`](https://redirect.github.com/github/gh-aw/releases/tag/v0.65.6)
[Compare
Source](https://redirect.github.com/github/gh-aw/compare/v0.65.5...v0.65.6)
##### 🌟 Release Highlights
This release centers on **Effective Tokens** — a new end-to-end feature
that tracks and surfaces AI token usage across workflow runs — alongside
five community-reported bug fixes and a set of reliability improvements.
##### ✨ What's New
- **Effective Tokens visibility** — Token usage is now tracked from the
MCP gateway log through the agent job outputs and surfaced directly in
workflow footer comments. Footer templates gain three new variables:
`{effective_tokens}` (raw integer), `{effective_tokens_formatted}`
(compact string like `1.2K`), and `{effective_tokens_suffix}` (a
ready-to-use suffix like ` · ● 1.2K`). All built-in footer templates
have been updated to include `{effective_tokens_suffix}` by default.
([#​24150](https://redirect.github.com/github/gh-aw/pull/24150),
[#​24132](https://redirect.github.com/github/gh-aw/pull/24132),
[#​24122](https://redirect.github.com/github/gh-aw/pull/24122),
[#​24029](https://redirect.github.com/github/gh-aw/pull/24029))
- **Custom model token weights** — The `engine` frontmatter now supports
custom token weight overrides per model, enabling more accurate
effective-token calculations for non-default deployments.
([#​24134](https://redirect.github.com/github/gh-aw/pull/24134))
- **Native web-fetch for Codex and Gemini** — The `mcp/fetch` fallback
has been removed; Codex and Gemini workflows now use native web-fetch,
reducing latency and eliminating an unnecessary MCP dependency.
([#​24017](https://redirect.github.com/github/gh-aw/pull/24017))
- **Staggered cron schedules** — Approximately 30 workflows previously
fired simultaneously at the top of each hour, exhausting the GitHub App
rate limit. The compiler now hashes each workflow's identity to scatter
execution within ±30 minutes, eliminating rate-limit bursts.
([#​24144](https://redirect.github.com/github/gh-aw/pull/24144))
##### 🐛 Bug Fixes & Improvements
- **Safe outputs MCP server now receives `GH_AW_SAFE_OUTPUTS`** — The
environment variable was not passed to the safe-outputs MCP HTTP server
startup step, causing `outputs.jsonl` to appear empty even on success.
([#​24126](https://redirect.github.com/github/gh-aw/pull/24126))
- **Discussion reply threading fixed** — `add-comment` now correctly
threads replies when the triggering comment is itself a reply inside a
discussion thread.
([#​24031](https://redirect.github.com/github/gh-aw/pull/24031))
- **Lenient temporary ID validation** — Invalid temporary IDs (e.g.
containing underscores) now emit a warning instead of failing PR
creation.
([#​24030](https://redirect.github.com/github/gh-aw/pull/24030))
- **Conclusion job concurrency now customizable** — A
`concurrency.job-discriminator` field can be applied to the `conclusion`
job, allowing users to control grouping independently of the agent job.
([#​24043](https://redirect.github.com/github/gh-aw/pull/24043))
- **Lock file integrity check works across organizations** — Reusable
workflow lock files are now resolved from the source repository rather
than the calling repository, fixing cross-org integrity validation.
([#​24057](https://redirect.github.com/github/gh-aw/pull/24057))
- **`add_comment` no longer fails on scheduled runs** — When no
triggering context is available (e.g. a `schedule` trigger), the
`add_comment` handler now silently skips instead of erroring.
([#​24131](https://redirect.github.com/github/gh-aw/pull/24131),
[#​24098](https://redirect.github.com/github/gh-aw/pull/24098))
- **MCP gateway tool allowlist enforced at gateway layer** — Tool
allow/deny lists are now enforced at the gateway itself with restricted
config file permissions, improving security posture.
([#​23933](https://redirect.github.com/github/gh-aw/p
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - Only on Sunday and Saturday ( * * * * 0,6 ), Between 12:00
AM and 12:59 PM, only on Monday ( * 0-12 * * 1 ) in timezone Etc/UTC.
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/TryGhost/Ghost).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent 82378cd commit 8cd3274
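The v0.66.0 notes in the commit message above describe piped `while read` loops aborting with SIGPIPE (exit 141) under `set -euo pipefail` and being replaced with temp files. The following is an added illustration of that failure mode and the fix, not code from gh-aw or from this commit; `seq` and `head -n 3` are assumed stand-ins for the real listing and early-exit commands, which the page does not show.

```shell
#!/usr/bin/env bash
# Added illustration (not gh-aw's workflow code). `seq` is a constructed
# stand-in for a long artifact listing.

# GitHub Actions runs `shell: bash` steps with -e and -o pipefail, so each
# variant is executed in a fresh bash with the strict flags from the note.
run_strict() {
  bash -euo pipefail -c "$1" 2>/dev/null
}

# Piped form: `head` exits after three lines, the producer is then killed
# by SIGPIPE, pipefail makes the whole pipeline fail, and -e stops the
# script before "loop finished" is ever printed.
PIPED_LOOP='
seq 1 200000 | head -n 3 | while read -r id; do
  echo "download $id"
done
echo "loop finished"
'

# Temp-file form: the producer writes everything to a file and exits
# normally; the loop reads the file and may stop early without
# signalling anyone.
TEMPFILE_LOOP='
tmp=$(mktemp)
trap "rm -f \"$tmp\"" EXIT
seq 1 200000 > "$tmp"
n=0
while read -r id; do
  echo "download $id"
  n=$((n + 1))
  if [ "$n" -ge 3 ]; then break; fi
done < "$tmp"
echo "loop finished"
'

# Exit status of each variant, printed so callers can compare them.
piped_status() {
  rc=0
  run_strict "$PIPED_LOOP" >/dev/null || rc=$?
  echo "$rc"
}

tempfile_status() {
  rc=0
  run_strict "$TEMPFILE_LOOP" >/dev/null || rc=$?
  echo "$rc"
}

# Standard output of each variant (failure status swallowed on purpose).
piped_output()    { run_strict "$PIPED_LOOP" || true; }
tempfile_output() { run_strict "$TEMPFILE_LOOP" || true; }

# Pass "demo" as the first argument to print both exit codes.
if [ "${1:-}" = "demo" ]; then
  echo "piped: $(piped_status)  temp file: $(tempfile_status)"
fi
```

The piped variant still prints its three `download` lines before failing, which is why such a step can look as if it worked when only its exit code and the missing follow-up output show the abort.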
2 files changed
Lines changed: 6 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
24 | | - | |
| 24 | + | |
25 | 25 | | |
26 | 26 | | |