π Release Highlights
This release focuses on reliability and correctness across the engine.env compilation pipeline, the security check layer, and the Claude engine β with five community-reported issues resolved.
π Bug Fixes & Improvements
-
Claude engine stability β Workflows using the
claudeengine no longer crash mid-session with "Fast mode unavailable".CLAUDE_CODE_DISABLE_FAST_MODE=1is now set automatically to suppress an incompatible server-side flag introduced in Claude Code 2.1.120+. -
engine.envmulti-line values β Block-scalarengine.envvalues (written with>-and extra-indented continuation lines) previously compiled to broken YAML with embedded newlines. These now compile correctly into valid multi-lineenv:entries. (Reported by@jeffhandleyin #30204) -
engine.envneedsexpressions β Custom job references inengine.envvalues (e.g.${{ needs.my_job.outputs.value }}) were silently dropped from the agent job'sneedslist, causing those expressions to evaluate to empty strings at runtime. The compiler now correctly wires these dependencies. (Reported by@jeffhandleyin #30232) -
gh aw upgradefalse BYOK warning βgh aw upgradewas incorrectly warning "Remove unsafe secrets from engine.env" forCOPILOT_PROVIDER_API_KEYandCOPILOT_PROVIDER_BEARER_TOKEN, silently stripping legitimate BYOK configuration.gh aw upgradenow matchesgh aw compilein allowing these keys. (Reported by@MauroDruwelin #30178) -
pull_request_reviewactivation signal β Workflows triggered bypull_request_reviewevents no longer silently skip the π reaction andrun-startedcomment. ThebuildReactionLikeConditionallowlist now includes this event type. (Reported by@mason-timin #30336) -
Confused-deputy false positive for bot-menu patterns β The security check introduced in v0.71.4 was blocking the legitimate pattern where a bot posts a checkbox-menu comment and a human maintainer edits it to tick a box (
issue_comment:edited). The check now automatically detects[bot]-authored comments and skips the guard for that path, while keeping all otherissue_comment:createdpaths fully protected. (Reported by@theletterfin #30327)
β¨ What's New
-
allow-bot-authored-trigger-commentfrontmatter option β For bots that don't follow the standard[bot]naming convention, you can now opt into the confused-deputy bypass explicitly:on: issue_comment: types: [edited] allow-bot-authored-trigger-comment: true
-
MCP progress notifications β The
logs,audit, andaudit-diffMCP tools now stream real-time progress updates to AI clients (Copilot, Claude) during long-running operations, eliminating silent 30+ second waits. -
MCP Gateway bump to v0.3.6 β The embedded MCP gateway has been updated to
ghcr.io/github/gh-aw-mcpg:v0.3.6with pinned digest for supply-chain safety.
π Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release!
@jeffhandley
- Agent 'needs' does not incorporate jobs in engine.env expressions (direct issue)
- Multi-line expressions unsupported in
engine.envvalues (direct issue)
@mason-tim
- Activation comment / reaction not posted for
pull_request_reviewtriggers βbuildReactionLikeConditionallowlist is incomplete (direct issue)
@MauroDruwel
- gh aw upgrade: still warns 'Remove unsafe secrets from engine.env' despite fix in #29378 for compile (direct issue)
@theletterf
For complete details, see CHANGELOG.
Generated by Release Β· β 1.7M
What's Changed
- [spec-enforcer] Enforce specifications for cli by @github-actions[bot] in #30141
- [docs] Update documentation for features from 2026-05-04 by @github-actions[bot] in #30136
- [docs] Update glossary - weekly full scan by @github-actions[bot] in #30133
- feat: auto-allow playwright-cli bash command when playwright cli mode is enabled by @Copilot in #30126
- Add mattpocock-skills-reviewer agentic workflow by @Copilot in #30122
- [architecture] Update architecture diagram - 2026-05-04 by @github-actions[bot] in #30117
- [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #30112
- [specs] Update layout specification - 2026-05-04 by @github-actions[bot] in #30105
- Fix stale
$INSTRUCTIONassertion inTestEngineArgsIntegrationCodexby @Copilot in #30100 - [schema-coverage] feat: Add schema coverage demo for
metadatafield by @github-actions[bot] in #30099 - [schema-coverage] feat: Add schema coverage demo for
labelsfield by @github-actions[bot] in #30098 - [spec-review] Update Safe Outputs conformance checker for recent spec changes by @github-actions[bot] in #30074
- [log] add debug logging to 5 Go packages by @github-actions[bot] in #30061
- Add GitHub Copilot billing multipliers collection to daily-model-inventory workflow by @Copilot in #30060
- Fix missing safe-output calls in Schema Consistency Checker and Multi-Device Docs Tester by @Copilot in #30109
- fix: resolve 3 claude-engine workflow failures (safe-output misses + blocked commands) by @Copilot in #30110
- chore: reduce per-engine boilerplate in domains.go public API by @Copilot in #30072
- [dead-code] chore: remove dead functions β 4 functions removed by @github-actions[bot] in #30167
- [docs] Consolidate developer specifications v9.0 β tone fix and engine domain registry docs by @github-actions[bot] in #30157
- docs: fix spec audit β add Public API, Usage Examples, and Dependencies to 17 packages by @Copilot in #30155
- fix(workflow): normalize report formatting in copilot-pr-nlp-analysis by @Copilot in #30160
- deps: update github.com/modelcontextprotocol/go-sdk v1.5.0 β v1.6.0 by @Copilot in #30164
- fix: 4 CLI consistency issues in mcp, logs, and init commands by @Copilot in #30158
- feat: Add daily Grafana OTel Instrumentation workflow by @mnkiefer in #30190
- fix: replace hardcoded mcpToolParams() with reflection-based extraction by @Copilot in #30166
- [jsweep] Clean add_reaction_and_edit_comment.cjs by @github-actions[bot] in #30062
- fix: add
actions: readpermission to smoke-water.yml (#investigate-smoke-water-failure) by @Copilot in #30197 - fix: format Go code with go fmt by @Copilot in #30199
- feat: delegate Phase 6 & 7 of daily-security-red-team to haiku inline sub-agents by @Copilot in #30195
- Add service.version to setup job spans via compiler env injection by @Copilot in #30198
- fix: gh aw upgrade strips BYOK credentials from engine.env by @Copilot in #30194
- fix: add missing noop calls to 4 workflows causing silent failures by @Copilot in #30210
- feat: merge all OTLP endpoints from shared agentic workflow imports by @Copilot in #30209
- fix: remove empty parent block after last child is removed by codemod by @Copilot in #30216
- perf: fix ~28% BenchmarkYAMLGeneration regression by eliminating reflection hot path by @Copilot in #30208
- fix(otlp): add standard resource attributes to logSpan tool spans by @Copilot in #30215
- feat: model alias inventory update 2026-05-05 by @Copilot in #30238
- Bump firewall to v0.25.38 and mcpg to v0.3.6 by @Copilot in #30230
- test(parser): improve import_cache_test.go quality per testify-expert criteria by @Copilot in #30218
- Fix
mcp list-toolstab completion offering completions for second positional arg by @Copilot in #30221 - chore(deps): update fsnotify v1.9.0 β v1.10.0 by @Copilot in #30222
- Add MCP server unit tests using InMemoryTransport (no subprocess) by @Copilot in #30223
- refactor: eliminate near-duplicate string utilities, promote general-purpose helpers to pkg/stringutil by @Copilot in #30249
- fix: set CLAUDE_CODE_DISABLE_FAST_MODE=1 to prevent mid-session crash in Claude engine by @Copilot in #30255
- fix: add chatgpt.com to CodexDefaultDomains and recompile all workflows by @Copilot in #30207
- Add MCP progress notifications to logs, audit, and audit-diff tools by @Copilot in #30247
- fix: handle multi-line engine.env values as YAML literal block scalars by @Copilot in #30240
- Fix agent job needs not populated from engine.env needs expressions by @Copilot in #30239
- Remove APM testing from smoke-claude by @Copilot in #30257
- fix: two-checkpoint pre-flight validation + PR closure reason labeling by @Copilot in #30253
- [log] Add debug logging to five pkg/ files by @github-actions[bot] in #30266
- [docs] fix: correct spelling errors in docs (American English conventions) by @github-actions[bot] in #30265
- fix: remove duplicate repoConfigLog declaration breaking wasm build by @Copilot in #30268
- docs: generate model alias & multiplier reference tables from JSON data by @Copilot in #30256
- docs: add FAQ entry on forwarding agent/detection artifacts post-conclusion by @Copilot in #30278
- feat: emit gh-aw.detection.conclusion and gh-aw.detection.reason as OTLP span attributes by @Copilot in #30273
- [jsweep] Clean expired_entity_cleanup_helpers.cjs by @github-actions[bot] in #30271
- feat: handle local directory arguments in compile command by @Copilot in #30295
- Bump AWF firewall version to v0.25.39 by @Copilot in #30263
- Auto-switch push_to_pull_request_branch to bundle transport when merge commits are detected by @Copilot in #30287
- [docs] Update glossary - daily scan by @github-actions[bot] in #30334
- [instructions] Sync github-agentic-workflows.md with release v0.40.1 by @github-actions[bot] in #30318
- build(deps): Bump github.com/fsnotify/fsnotify from 1.10.0 to 1.10.1 by @dependabot[bot] in #30329
- Add stale-pr-cleanup workflow to triage 30+ day PR backlog by @Copilot in #30317
- [architecture] Update architecture diagram - 2026-05-05 by @github-actions[bot] in #30323
- feat: enable checksum validation by default in install-gh-aw.sh by @Copilot in #29223
- chore: remove dead parameters from findIncludesInContent and findPreviousSuccessfulWorkflowRuns by @Copilot in #30311
- Change architecture diagram workflow from daily to weekly by @Copilot in #30349
- feat: split github-agentic-workflows.md into focused sub-files and update instructions-janitor by @Copilot in #30351
- chore: centralize BUG panic for invalid model in domain computation by @Copilot in #30310
- fix(otel): eliminate gen_ai.usage.* double-counting and gen_ai.request.model duplicate on agent span by @Copilot in #30350
- [instructions] Sync instruction files β fix cli-proxy and reduce safe-outputs.md by @github-actions[bot] in #30359
- fix: explicitly default sandbox.agent to awf in strict mode when id is not specified by @Copilot in #30355
- Normalize report formatting in approach-validator, agent-performance-analyzer, and q workflows by @Copilot in #30362
- feat: add elseif handler syntax support in template expression rendering (#elseif, #else-if, #else_if variants) by @Copilot in #30358
- fix: include pull_request_review in reaction/status-comment conditions by @Copilot in #30354
- Move dictation prompt to root DICTATION.md by @Copilot in #30366
- fix: allow bot-posted-menu / user-checks-box pattern to bypass confused-deputy check by @Copilot in #30352
- fix: emit model aliases under
apiProxy.modelsinstead of top-levelconfig.modelsby @Copilot in #30367 - build(deps-dev): Bump @actions/github from 9.1.0 to 9.1.1 in /actions/setup/js by @dependabot[bot] in #30331
- docs: add Autoloop callout to landing page by @Copilot in #30399
- fix: reduce contribution-check token usage via truncation, concurrency, and turn cap by @Copilot in #30387
- [docs] Update Astro dependencies - 2026-05-05 by @github-actions[bot] in #30388
- Add
agentic-opsworkflows by @mnkiefer in #30379 - Add redirect from shared/apm.md to microsoft/apm upstream and update docs by @Copilot in #30397
- fix: use require.Error for error assertion in compile_args_test.go by @Copilot in #30394
- feat: Update OTel instrumentation workflow to support multiple endpoints by @mnkiefer in #30309
- chore: update source reference in token optimizer workflows by @mnkiefer in #30420
- Rename
MustBeWithinβValidatePathWithinBaseinpkg/fileutilby @Copilot in #30421 - Add MCP Gateway v0.3.6 container pin to lock data and embedded pin maps by @Copilot in #30408
- Fix js-typecheck failure in
template_branch.cjsnull-else branch typing by @Copilot in #30424 - Fix CJS shard failures caused by
template_branch.cjsintegration gaps by @Copilot in #30425 - Bump default AWF firewall image set to v0.25.40 by @Copilot in #30406
Full Changelog: v0.71.4...v0.71.5
