v0.81.6

🌟 Release Highlights

This release focuses on stability and observability — restoring broken fleet-wide token tracking, hardening CI quality gates, and adding release traceability for merged PRs.

✨ What's New

• Release PR notifications — A new post-agent release job now automatically comments on every PR included in each release, making it easy to trace which release shipped your changes (#41834).
• Loop engineering playbook — .github/aw/loop.md codifies patterns from autoloop, goal, and crane into a unified reference for building robust agentic loops (#41833).
• Benchstat regression gate — The CI bench job now compares against a stored baseline using benchstat, preventing silent performance regressions from merging (#41813).

🐛 Bug Fixes & Improvements

• Restored fleet-wide token usage collection — TokenUsage had been reporting 0 across the entire fleet since June 20 due to two co-conspirating bugs in the conclusion job. Both are fixed, restoring accurate AI credit tracking (#41823).
• Security: pinned govulncheck to go.mod version — CI vulnerability scans now use the exact version declared in go.mod and produce reproducible SARIF reports. A local make vuln-sarif target is also available (#41815).
• Hardened BYOK Ollama startup — The daily BYOK Ollama test now gates on explicit model and API readiness before proceeding, eliminating pre-agent failures from incomplete startup (#41838).
• Stabilized Go Logger Enhancement compile — Fixed exit code 126 caused by unsafe shell glob expansion in the workflow tool allowlist (#41840).
• Enforced safe output completion in quality workflow — The daily compiler quality workflow now requires an explicit safe output call, preventing silent no-op runs (#41841).

🔧 Internal

• Refactored 5 extreme function-length hotspots (145–650 lines) in pkg/workflow and pkg/cli into focused, testable units (#41800).
• SortedKeys sweep and deduplication logic consolidation across the codebase (#41829).

Generated by 🚀 Release · 32.9 AIC · ⊞ 8.3K

---

What's Changed

• refactor: split 5 extreme function-length hotspots in pkg/workflow and pkg/cli by @pelikhan with @Copilot in #41800
• fix(security): pin govulncheck to go.mod version in CI, add local SARIF target by @pelikhan with @Copilot in #41815
• Add benchstat regression gate to CI bench job by @pelikhan with @Copilot in #41813
• fix(token-usage): restore fleet-wide TokenUsage collection via non-empty copy guard and correct priority order by @pelikhan with @Copilot in #41823
• Add post-agent release job to comment on PRs included in each release by @pelikhan with @Copilot in #41834
• [community] Update community contributions in README by @github-actions[bot] in #41836
• Require explicit safe output completion in daily compiler quality workflow by @pelikhan with @Copilot in #41841
• Harden Daily BYOK Ollama startup path with explicit model/API readiness gating by @pelikhan with @Copilot in #41838
• [aw] Stabilize Go Logger Enhancement compile invocation by @pelikhan with @Copilot in #41840
• refactor: SortedKeys sweep, deduplicate dedup logic, redistribute misplaced helpers by @pelikhan with @Copilot in #41829
• Add .github/aw/loop.md playbook synthesizing loop-engineering patterns from autoloop/goal/crane by @pelikhan with @Copilot in #41833

Full Changelog: v0.81.5...v0.81.6

v0.81.5

🌟 Release Highlights

This release focuses on org-mode maturity, performance optimizations, and sandbox hardening — making gh aw update/upgrade --org more robust and production-ready while delivering meaningful speed improvements across the compiler and validator.

✨ What's New

• Action-pin mapping in aw.json (#41579) — Define action-pin overrides directly in your aw.json configuration, giving you centralized control over pinned action versions.

• manifest-version now optional in aw.yml (#41687) — Reduces boilerplate in new workflow files; the field is inferred when omitted.

• Non-TTY fallback for gh aw add wizard (#41717) — The interactive add wizard now gracefully falls back to text prompts in non-interactive environments (CI, scripts), unblocking automation pipelines.

• Org-mode improvements for update/upgrade --org (#41617, #41627, #41719) — Workflow-targeted updates, repo prefiltering, version-tag display, unified repo discovery, and per-repo confirmation prompts (with --yes for CI). The --org flag is now significantly more useful for managing fleets of repositories.

• Sandbox hardening at 50% baseline (#41786) — Half of all eligible agentic workflows now run with sandbox.agent.sudo: false, reducing the blast radius of runaway agent steps.

• Daily detection analysis report workflow (#41802) — New built-in workflow that generates automated detection analysis reports.

⚡ Performance

• Lazy-loaded embedded JSON datasets (#41587) — Embedded compile-time JSON is no longer loaded at startup, reducing memory footprint for CLI commands that do not compile.
• Lazy-loaded GitHub toolset permissions (#41755) — Loaded via sync.Once so permission data is only read when needed.
• Cached regexp in applySanitizePattern (#41762) — Eliminates repeated regex compilation on hot code paths.
• Faster ParseWorkflow (#41772) — Model-alias cycle detection overhead reduced.

🐛 Bug Fixes & Improvements

• Secret double-escape fix (#41801) — Custom MCP server env/header secrets are no longer double-escaped in generated lock files.
• Agent-supplied branch accepted in push_to_pull_request_branch (#41654) — Fixes a regression where agent-provided branch names were rejected.
• MODEL_NOT_SUPPORTED detection extended (#41792) — The pattern now catches 404 "Model not found" responses, improving resilience for unsupported model errors.
• Bundle manifest path resolution (#41790) — .github/ paths are now resolved as repo-root-relative in nested bundle manifests.
• MCP post-completion relaunch is non-fatal (#41713) — A failed MCP server relaunch after job completion no longer fails the workflow.
• PR Sous Chef cooldown (#41759) — Prevents back-to-back comments by enforcing a 30-minute cooldown.
• Harness exits cleanly (#41675) — Exits with code 0 when expected safe-outputs were already produced, even when subsequent steps encounter permission-denied errors.
• GH_AW_POLICY_STRICT enforced at runtime (#41682) — Non-strict compiled workflows now properly respect the strict policy flag at runtime.

📚 Documentation

• Blog: Custom Linters, Sergo, Linter Miner & LintMonster (#41663) — A new blog post walking through the custom linter ecosystem. Read it →
• gh aw env governance guide (#41758) — New documentation covering defaults and scope inheritance for environment configuration.

Generated by 🚀 Release · 41.2 AIC · ⊞ 8.3K

---

What's Changed

• Add action-pin mapping support in aw.json by @pelikhan with @Copilot in #41579
• pkg/workflow: lazy-load embedded JSON datasets used only at compile-time paths by @pelikhan with @Copilot in #41587
• feat: add XML markers, deduplication, labels, and release links to org runner PRs/issues by @pelikhan with @Copilot in #41580
• fix: resource lifecycle and context propagation (lint-monster) by @pelikhan with @Copilot in #41589
• Replace lint-monster path literals with repository constants in CLI/workflow codepaths by @pelikhan with @Copilot in #41611
• [UX] Professionalize Architecture Guardian safe-output status messages by @pelikhan with @Copilot in #41612
• [jsweep] Clean update_context_helpers.cjs by @github-actions[bot] in #41608
• fix: accept agent-supplied branch in push_to_pull_request_branch (fixes #41643) by @dsyme in #41654
• fix: replace deprecated gpt-5-mini with gpt-5.4-mini in daily-model-resolution workflow by @pelikhan with @Copilot in #41625
• Enable sandbox.agent.sudo: false on 20 agentic workflows by @pelikhan with @Copilot in #41628
• [docs] Update glossary - daily scan by @github-actions[bot] in #41657
• [spec-extractor] Update package specifications for agentdrain, cli, console, constants by @github-actions[bot] in #41653
• [code-scanning-fix] Fix js/http-to-file-access: validate Content-Type and size for LFS PDF download by @github-actions[bot] in #41635
• Update gh aw update --org to support workflow-targeted updates and repo prefiltering by @pelikhan with @Copilot in #41617
• panicinlibrarycode: enforce FuncLit boundaries for init/doc panic exemptions by @pelikhan with @Copilot in #41631
• [instructions] Sync instruction files with release 0.81.4 by @github-actions[bot] in #41644
• Replace AWF runtime Python patch with shared JavaScript helper by @pelikhan with @Copilot in #41623
• Add blog post on custom linters, Sergo, Linter Miner, and LintMonster by @pelikhan with @Copilot in #41663
• reduce instructions-janitor max lines target from 500 to 400 by @pelikhan with @Copilot in #41673
• Retry one completed Copilot BYOK proxy auth failure as a fresh run by @pelikhan with @Copilot in #41629
• Make manifest-version optional in aw.yml by @pelikhan with @Copilot in #41687
• Harden API consumption log collection against continuation timeouts by @pelikhan with @Copilot in #41676
• [spec-enforcer] Enforce specifications for setutil by @github-actions[bot] in #41684
• Refactor duplicated key sorting, engine env assembly, and engine max-* codemods by @pelikhan with @Copilot in #41674
• fix(harness): exit 0 when expected safe-outputs already produced despite numerous permission-denied by @pelikhan with @Copilot in #41675
• improve update/upgrade --org: version tags, current version display, unified repo discovery by @pelikhan with @Copilot in #41627
• Fix go-logger preflight manifest generation failing on jq filter quoting by @pelikhan with @Copilot in #41695
• fix(USE-001): add standardized error codes to pr_review_buffer and set_issue_type handlers by @pelikhan with @Copilot in #41692
• Enforce GH_AW_POLICY_STRICT at runtime for non-strict compiled workflows by @pelikhan with @Copilot in #41682
• parser: add schema validation tests for sandbox.agent.sudo (regression guard for #41679) by @dsyme with @Copilot in #41681
• logs: populate message field with actionable guidance when no runs found by @pelikhan with @Copilot in #41693
• docs: resolve spec audit — pkg/intent spec, actionpins Mappings field, linters 4 new subpackages by @pelikhan with @Copilot in #41723
• fix: post-completion MCP relaunch failure is non-fatal; audit-diff surfaces removed denied domains by @pelikhan with @Copilot in #41713
• Normalize report-format guidance across non-compliant agentic workflows by @pelikhan with @Copilot in #41728
• Harden Super Linter workflow against generated-summary linting and log art...

v0.81.4

🌟 Release Highlights

This release focuses on reliability, performance, and new operational capabilities — fixing silent failures across the compiler and agent harnesses, reducing wasted credits on hot paths, and adding important new tooling.

✨ What's New

• --org flag for upgrade command (#41335) — The upgrade command now supports --org and --repos flags, matching the org-wide mode already available in update. Bulk-preview or open upgrade PRs across an entire organization with a single command.

• Daily YAML Lint Fixer workflow (#41574) — A new agentic workflow automatically fixes yamllint violations in generated *.lock.yml files, keeping CI lint checks clean without manual intervention.

• AWF Firewall startup failure detection (#41472) — Firewall proxy startup failures (e.g., DNS not yet resolving at probe time) are now detected and surfaced in the agent failure issue — making previously silent infra failures immediately actionable.

• Spec-driven engine.env allowlist (#41465) — The engine environment variable allowlist is now derived from GetSupportedEnvVarKeys rather than a fragile runtime heuristic, enabling strict: false to be safely removed from smoke workflows.

• Copilot engine launched from ${GITHUB_WORKSPACE} (#41459) — The Copilot engine now starts from the workspace root, enabling APM skill discovery for context-aware agent behaviour.

🐛 Bug Fixes & Improvements

• Silent YAML parse errors fixed (#41577) — Five yaml.Unmarshal call sites in workflow_builder.go were silently discarding errors, producing empty step lists on malformed YAML with no diagnostic. All errors now propagate correctly.

• Copilot SDK hang bounded by idle watchdog (#41572) — After an agent's final tool result, sendAndWait could hang indefinitely until the step timeout killed the runner. A post-completion idle watchdog now bounds this wait, preventing wasted runner minutes.

• Codex harness no longer drains tokens on rate-limit reconnects (#41385) — When Codex hit a TPM rate limit and exhausted reconnect retries, the harness kept retrying unnecessarily. It now recognises exhausted-reconnect exits and stops, preserving credits.

• Claude harness stops retrying on max_runs_exceeded (#41361) — Fresh-run fallbacks no longer burn the full quota when a session has already hit its 20-invocation limit.

• Issue Monster false-positive 429 detection eliminated (#41471) — Rate-limit false positives no longer trigger spurious failure handling.

• assign_to_agent no longer posts error comments on PRs (#41475) — Error comments are now only posted to issues, matching expected behaviour.

• Daily schedule runs restored (#41362) — Daily schedule runs broken since June 5 are now fixed.

• workflow_call permissions use union of caller + worker (#41387) — Imported workflow_call permissions in generated call jobs are now correctly annotated.

⚡ Performance

• YAML generation is faster (#41333) — Duplicate run-script scans in the skip-validation fast path collapsed to a single pass, restoring compilation performance.

• Design Decision Gate costs reduced (#41332) — Now defaults to Sonnet instead of Opus and skips issue lookups on no-op paths, meaningfully reducing AI credit consumption per run.

🔒 Security

• Safe-output detection hardened (#41547) — Detection stays in warn mode on parser/agent failures, ensuring non-reviewable safe outputs are blocked rather than passed through silently.

• Pi threat-detection model normalisation (#41545) — Pi threat-detection models are now normalised before Copilot fallback, preventing misclassification due to model name variance.

🔧 Internal

• Bumped gh-aw-firewall to v0.27.11 and regenerated pinned workflow artifacts (#41555)
• Bumped Codex 0.142.1 and Copilot SDK 1.0.4 (#41430)
• Extracted shared org-wide runner for update and upgrade commands (#41553)

Generated by 🚀 Release · 44.1 AIC · ⊞ 8.3K

---

What's Changed

• [community] Update community contributions in README by @github-actions[bot] in #41359
• Lower Design Decision Gate runtime cost with Sonnet default and conditional issue lookups by @pelikhan with @Copilot in #41332
• Add GitHub lockdown guard-policy warning and sync security specs by @pelikhan with @Copilot in #41331
• Reduce YAMLGeneration time by collapsing duplicate run-script scans by @pelikhan with @Copilot in #41333
• fix(go-logger): restore daily schedule runs broken since June 5 by @pelikhan with @Copilot in #41362
• feat: add --org to upgrade command by @pelikhan with @Copilot in #41335
• Surface assign-to-agent auth/availability failures in agent failure issues/comments by @pelikhan with @Copilot in #41336
• chore: set sandbox.agent.sudo: false on 30% of agentic workflows by @pelikhan with @Copilot in #41380
• [ubuntu-image] research: update Ubuntu runner image analysis for 20260622.220.1 by @github-actions[bot] in #41373
• [code-scanning-fix] Fix workflow-graphql-static-concat: extract GraphQL query to named constant by @github-actions[bot] in #41357
• fix(manualmutexunlock): distinguish struct instances sharing a mutex field by @pelikhan with @Copilot in #41383
• Add nolint parity to non-enforced context-family linters by @pelikhan with @Copilot in #41382
• Fix stale frontmatter hash in design-decision-gate.lock.yml by @pelikhan with @Copilot in #41390
• Enable Copilot assignment permissions in Issue Monster workflow by @pelikhan with @Copilot in #41389
• [jsweep] Clean upload_assets.cjs by @github-actions[bot] in #41371
• fix: improve agent assignment failure issue reports by @pelikhan with @Copilot in #41392
• [spec-extractor] Update package specifications for tty, types, typeutil, workflow by @github-actions[bot] in #41414
• fix: stop codex harness retry loop draining tokens on exhausted rate-limit reconnects by @pelikhan with @Copilot in #41385
• refactor: consolidate triplicate merge helpers and add sliceutil.SortedKeys by @pelikhan with @Copilot in #41388
• fix: use union of caller + worker permissions for call-workflow jobs by @pelikhan with @Copilot in #41387
• fix: revert sandbox.agent.sudo to true in glossary-maintainer workflow by @pelikhan with @Copilot in #41426
• Handle known Windows ConPTY runner failure in daily CLI integration by @pelikhan with @Copilot in #41428
• fix(firewall): skip non-Squid diagnostic lines in generate_usage_activity_summary by @pelikhan with @Copilot in #41429
• chore: bump Codex 0.142.1, Copilot SDK 1.0.4 by @pelikhan with @Copilot in #41430
• Send GraphQL-Features header for issue intent mutations when issue_intents runtime feature is enabled by @pelikhan with @Copilot in #41425
• Issue Monster: eliminate false-positive 429 rate-limit detection by @pelikhan with @Copilot in #41471
• Standardize CLI help section order and GHE note wording by @pelikhan with @Copilot in #41461
• feat: spec-driven engine.env allowlist via GetSupportedEnvVarKeys; remove strict: false from smoke workflows by @pelikhan with @Copilot in #41465
• Annotate imported workflow_call permissions in generated call jobs by @pelikhan with @Copilot in #41464
• fix: prevent assign_to_agent from posting error comments on PRs by @pelikhan with @Copilot in #41475
• Reduce sandbox.agent.sudo: false usage to policy target across agentic workflows by @pelikhan with @Copilot in #41463
• Update existing MCP configs with required gh-aw server fields by @pelikhan with @Copilot in #41462
• feat: detect AWF firewall startup failures and surface them in the agent failure issue by @pelikhan with @Copilot in #4...

v0.81.3

🌟 Release Highlights

This release focuses on expanded automation reach with org-wide update management, greater expressiveness through GitHub Actions expression support in more places, and a round of critical fixes across Windows, rootless installs, and assignee resolution.

⚠️ Breaking Changes

sandbox.agent.network-isolation renamed to sandbox.agent.default-route

The frontmatter key sandbox.agent.network-isolation has been renamed to sandbox.agent.default-route (#41302). Update any workflows using this key to use the new name.

✨ What's New

• Organization-wide gh aw update — Run gh aw update across an entire org with dry-run PR previews before applying changes, making fleet-wide workflow upgrades safer and more auditable (#41247).
• Templatable safe-outputs.staged values — safe-outputs.staged now accepts GitHub Actions expressions (${{ ... }}), enabling dynamic output values at workflow runtime (#41296).
• link-sub-issue accepts GitHub expressions — The allowed-repos field in link-sub-issue now supports GitHub Actions expressions for more flexible cross-repo linking (#41237).
• ready_for_review trigger support — pull_request_target workflows can now trigger on the ready_for_review event, enabling automation when draft PRs are marked ready (#41161).
• GH_HOST support in gh aw trial — gh aw trial --clone-repo now correctly honors the GH_HOST environment variable for GHES environments (#41159).
• Sudo enabled in agentic sandboxes — All agentic workflow sandboxes now have sudo available by default, unblocking common agent install patterns (#41313).
• Firewall v0.27.10 + mcpg v0.3.30 — Network-isolated workflows omit unnecessary sudo from generated lock files; bundled firewall and MCP gateway updated (#41269).

⚡ Performance

• Parallelized audit analysis — gh aw audit now runs analysis tasks in parallel, significantly reducing latency for long-running workflows (#41185).

🐛 Bug Fixes

• Windows ConPTY crash fixed — Removed a compat import that caused gh aw to crash on startup on Windows (#41235).
• Rootless AWF install — gh aw installs correctly into $HOME/.local without root and properly exports $GITHUB_PATH in rootless environments (#41310).
• Copilot assignee resolution restored — Assignee checks now prefer issue-scoped resolution, fixing cases where the wrong user was assigned (#41306).
• UpdateContainerPins no longer wipes containers — Fixed a regression where gh aw update erased the entire containers section on every run (#41262).
• Locked-PR 422 handled gracefully — Safe outputs now treats HTTP 422 on locked PRs as a soft skip with retry rather than a hard failure (#41155).
• Compiler error quality improved — Errors now include accurate YAML context offsets, import hints, and early engine validation to help authors fix issues faster (#41234).
• set_issue_type migrated to REST API — Replaced the GraphQL-based set_issue_type safe output with a single REST call for better reliability (#41241).
• Linter fixes — lenstringsplit false positives with empty separators and ctxbackground false negatives in closures are resolved (#41188, #41187).
• Codex MCP CLI wrapper resolution — Fixed safe output path resolution for the Codex MCP CLI wrapper (#41242).

📚 Documentation

• Safe rollout guidance streamlined for clarity (#41272).
• Glossary updated with latest terminology (#41211).

Generated by 🚀 Release · 36.2 AIC · ⊞ 8.3K

---

What's Changed

• Remove redundant python-dataviz imports from daily reporting workflows by @pelikhan with @Copilot in #41158
• Support ready_for_review for pull_request_target triggers by @pelikhan with @Copilot in #41161
• fix: treat locked-PR 422 as soft skip with retry in safe_outputs by @pelikhan with @Copilot in #41155
• Add SEC-005 exemption for issue_intents.cjs false positive by @pelikhan with @Copilot in #41182
• Allow AgentRx native package installs in Daily AgentRx Trace Optimizer by @pelikhan with @Copilot in #41183
• Pin Daily Sub-Agent Model Resolution Audit sub-agent to a valid Codex model by @pelikhan with @Copilot in #41184
• Pin RGS-007 workflow action refs to immutable SHAs by @pelikhan with @Copilot in #41189
• [docs] Update glossary - daily scan by @github-actions[bot] in #41211
• Add replace-label to Safe Output Mapping in agentic workflow designer SKILL.md by @pelikhan with @Copilot in #41190
• Honor GH_HOST in gh aw trial --clone-repo repository URLs by @pelikhan with @Copilot in #41159
• fix(lenstringsplit): empty raw-string separator escapes non-empty guard — false positive + wrong autofix by @pelikhan with @Copilot in #41188
• ctxbackground: fix false negative and unsafe autofix for closures by @pelikhan with @Copilot in #41187
• Add explicit permissions to error-message-lint workflow by @pelikhan with @Copilot in #41233
• [jsweep] Clean update_entity_helpers.cjs by @github-actions[bot] in #41166
• fix(footer): render correct trigger type in attribution suffix by @pelikhan with @Copilot in #41186
• Fix false negatives in docs npm update detection by @pelikhan with @Copilot in #41240
• fix: normalize report formatting for daily-rendering-scripts-verifier.md by @pelikhan with @Copilot in #41245
• perf: parallelize audit analysis tasks to cut latency for long-running workflows by @pelikhan with @Copilot in #41185
• refactor(workflow): split threat_detection.go (1542 lines) into focused modules by @pelikhan with @Copilot in #41231
• feat: link-sub-issue allowed-repos accepts GitHub Actions expressions by @pelikhan with @Copilot in #41237
• Migrate set_issue_type safe output from GraphQL to single REST issues.update call by @pelikhan with @Copilot in #41241
• ci: align build-wasm node setup to setup-node@v6 / Node 24 by @pelikhan with @Copilot in #41243
• feat: omit sudo from generated lock.yml when network-isolation is enabled; bump firewall to v0.27.10 and mcpg to v0.3.30 by @lpcox with @Copilot in #41269
• [review] Migrate set_issue_type safe output from GraphQL to single REST issues.update call by @github-actions[bot] in #41284
• [docs] docs: unbloat safe rollout guidance by @github-actions[bot] in #41272
• fix(windows): remove compat import to prevent ConPTY startup crash by @pelikhan with @Copilot in #41235
• Fix compiler error quality: YAML context offset, import hint, early engine validation by @pelikhan with @Copilot in #41234
• [docs] Update Astro dependencies - 2026-06-24 by @github-actions[bot] in #41258
• [linter-miner] feat(linters): add stringreplaceminusone linter by @github-actions[bot] in #41285
• fix: UpdateContainerPins wipes containers section on every gh aw update run by @pelikhan with @Copilot in #41262
• Fix Codex MCP CLI wrapper resolution for safe outputs by @pelikhan with @Copilot in #41242
• [rendering-scripts] Render Codex experimental JSONL logs in the run step summary by @github-actions[bot] in #41201
• build(deps-dev): Bump starlight-github-alerts from 0.2.0 to 0.3.0 in /docs by @dependabot[bot] in #41000
• build(deps): Bump sharp from 0.35.1 to 0.35.2 in /docs by @dependabot[bot] in #40999
• [caveman] Optimize instruction verbosity — agentic-chat, campaign, developer.instructions (2026-06-24) by @github-actions[bot] in #41301
• Reduce ambient-context bloat in shared Python dataviz import by @pelikhan with @Copilot in #41304
• fix: use python3 -m pip install for ...

v0.81.2

🌟 Release Highlights

This release introduces a new observability workflow for model resolution auditing, ships updated firewall and MCP gateway defaults, and improves internal GitHub MCP rendering consistency.

✨ What's New

• Daily Model Resolution Audit — A new daily-model-resolution workflow detects model size mismatches in inlined sub-agents by cross-referencing workflow declarations against api-proxy event logs. It runs on a daily schedule (or on demand) and opens a scoped daily issue with a per-workflow, per-sub-agent table showing declared alias vs. observed model vs. resolution status (✅ / ⚠️ / ❓). This makes it much easier to catch accidental large-model usage where a small model was intended. (#41130)

🐛 Bug Fixes & Improvements

• Integration test stability — Fixed a failing Integration: Workflow Features GitHub Actions job to restore CI reliability. (#41153)
• GitHub MCP serialization refactor — Consolidated duplicated map-serialization and section-closing logic across local, remote, and custom GitHub MCP rendering paths into shared helpers. Token passthrough, GITHUB_HOST/toolset propagation, and guard-policy footer handling are now consistently applied across all modes, reducing the risk of future drift. (#41038)

🔧 Dependency Updates

• Default firewall & MCP gateway bumped — gh-aw-firewall default updated to v0.27.9 and gh-aw-mcpg to v0.3.29. Compiled workflows now reference new immutable container digests for the AWF agent, squid, api-proxy, cli-proxy, and MCP gateway. (#41129)
• @types/node 25 → 26 — TypeScript type declarations in actions/setup/js updated to the Node.js v26 API surface. Dev-only; no runtime impact. (#40998)

Generated by 🚀 Release · 28.1 AIC · ⊞ 8.3K

---

What's Changed

• Refactor GitHub MCP serialization into shared section helpers by @pelikhan with @Copilot in #41038
• feat: daily sub-agent model resolution audit workflow by @pelikhan with @Copilot in #41130
• build(deps-dev): Bump @types/node from 25.9.2 to 26.0.0 in /actions/setup/js by @dependabot[bot] in #40998
• Bump default gh-aw-firewall to v0.27.9 and gh-aw-mcpg to v0.3.29 by @lpcox with @Copilot in #41129
• [WIP] Fix failing GitHub Actions job 'Integration: Workflow Features' by @pelikhan with @Copilot in #41153

Full Changelog: v0.81.1...v0.81.2

v0.81.1

🌟 Release Highlights

This release focuses on reliability and resilience — fixing common workflow failure modes, hardening remote fetch operations, and expanding platform support with a new network-isolation topology for ARC/DinD runners.

✨ What's New

• Network-isolation topology mode for ARC/DinD runners (#41088): Compiler now emits the --network-isolation topology for AWF workflows, enabling egress control without requiring NET_ADMIN or host iptables. This unblocks deployments on Actions Runner Controller (ARC) with Docker-in-Docker.

• issue_intents runtime support (#41092): Issue mutations can now carry structured rationale, confidence, and suggest metadata when the server supports the issue_intents feature flag, with automatic fallback to the legacy format — no workflow changes required.

• Automatic threat-detection engine fallback for pi (#41098): When a workflow targets the pi engine (which does not support threat-detect directly), the compiler now automatically defaults to Copilot for threat detection — eliminating the need to configure this per workflow.

🐛 Bug Fixes & Improvements

• Safe-outputs graceful no-op (#41037): Fixes a leading cause of workflow failures where a missing or empty safe-outputs file caused safe_outputs job failures. The runtime now treats a missing file as an empty collection and continues cleanly.

• Improved assign-to-agent diagnostics (#41047): Copilot assignee lookup during safe-outputs now searches across all known Copilot bot aliases, preventing silent resolution failures that blocked agent assignment.

• Hardened go-gh remote fetch (#41036): Contents API path construction is now properly escaped, REST clients are bounded, and client creation logic is deduplicated — reducing reliability gaps on remote repository operations.

• Accurate audit pre-activation diagnostics (#41022): gh aw audit no longer incorrectly reports "failed before agent activation" for runs that did execute but exported no telemetry. Diagnosis now correctly distinguishes pre-activation failures from agent-run failures. See audit reference.

📚 Documentation

• Editing workflows guide streamlined (#41086): Dense sub-sections replaced with readable inline prose for faster scanning.
• Release cadence clarified (#41087): Docs now reflect the weekly/bi-weekly minor release clock (not best-effort semver).

Generated by 🚀 Release · 48.4 AIC · ⊞ 8.3K

---

What's Changed

• audit: distinguish pre-activation failures from agent-run failures without telemetry by @pelikhan with @Copilot in #41022
• [docs] docs: unbloat editing workflows guide by @github-actions[bot] in #41086
• Improve assign-to-agent diagnostics for Copilot assignee alias lookup by @pelikhan with @Copilot in #41047
• docs: release cadence is weekly/bi-weekly minor, not best-effort semver by @pelikhan with @Copilot in #41087
• [linter-miner] linter: add lenstringsplit analyzer by @github-actions[bot] in #41090
• Harden go-gh remote fetch callsites with escaped contents paths/refs and bounded REST clients by @pelikhan with @Copilot in #41036
• Default threat detection to Copilot when engine is pi by @pelikhan with @Copilot in #41098
• Add compiler support for AWF --network-isolation topology mode (ARC/DinD-compatible egress) by @lpcox with @Copilot in #41088
• [caveman] Optimize instruction verbosity — adr-writer.agent.md, workflow-constraints.md (2026-06-23) by @github-actions[bot] in #41105
• Add issue_intents runtime support for issue labels, type, and fields by @pelikhan with @Copilot in #41092
• fix: treat missing safe-outputs file as empty collection (graceful no-op) by @pelikhan with @Copilot in #41037

Full Changelog: v0.81.0...v0.81.1

v0.81.0

🌟 Release Highlights

This release delivers expanded engine configurability, a batch of high-impact bug fixes across the compiler and CLI, and tighter security defaults — making workflows more reliable and cost-efficient out of the box.

⚠️ Breaking Changes

• CLI flag rename (#40822): The --skip-secret, --disable-security-scanner, and --disable-release-bump flags have been renamed to the --no-secret, --no-security-scanner, and --no-release-bump convention. Update any scripts or CI configurations that pass these flags.

✨ What's New

• Model provider selection (#40903): Workflows can now declare an engine-level model-provider field, enabling provider-aware runtime wiring — including running Claude models via the Copilot engine. A new Claude-on-Copilot smoke workflow validates the path end-to-end.
• engine.driver field (#40897): A new shared engine.driver field allows specifying the Pi agent core as a built-in driver, simplifying engine configuration.
• sandbox.agent.platform frontmatter (#40877): Workflows can now read the AWF platform type via sandbox.agent.platform, making platform-conditional logic easier to express.
• GH_AW_RUNTIME_FEATURES flag support (#40824): Built-in workflow jobs now honor the GH_AW_RUNTIME_FEATURES environment variable for progressive feature rollout.
• replace-label safe-output type (#40423): A new experimental replace-label safe-output type lets workflows atomically swap issue/PR labels.
• Smarter merge-pull-request (#40915): The merge-pull-request safe-output now refuses to merge when the target branch has no upstream open PR, preventing accidental merges into stale branches.
• Slash-command status tracking (#40928): Centralized slash-command status comments are now updated with a link to the dispatched workflow run, so you always know where the work went.
• Firewall activity backfill (#41046): Activity reports can now be backfilled from usage artifact domain aggregates, filling gaps in firewall observability data.

🐛 Bug Fixes & Improvements

• Compiler: fix hyphenated workflow_call inputs (#41019): Workflows with hyphenated input names in workflow_call events now compile correctly.
• Compiler: fix on.bots/on.roles state leakage (#41018): A state leak that could corrupt workflow_run trigger generation when on.bots or on.roles were set has been fixed.
• Compiler: reduce template-injection noise (#41025): The compiler now emits fewer false-positive template-injection diagnostics in generated workflow run blocks.
• Linter: wgdonenotdeferred loop-scope fix (#41026): The linter no longer incorrectly flags deferred WaitGroup.Done() calls inside goroutine closures in loop bodies.
• Status comments: correct run URL and name (#40831): Centralized repo status comments now display the actual workflow name and a working link to the run.
• Detection: honor continue-on-error (#40790): Detection jobs now respect continue-on-error when the external detector result file is missing.
• Detection: always run on safe outputs (#40882): Cache-memory detection is now guaranteed to run even on noop and boop safe-output types.
• Ollama reachability (#40888): Ollama is now bound to 0.0.0.0 so the api-proxy Docker container can reach it correctly.
• Action ref pass-through (#40887): Supported local and Docker action refs are now passed through without triggering pin resolution.
• --engine log filter (#40793): gh aw logs --engine now correctly filters runs by engine ID.
• Telemetry: Copilot/Pi turn and token reporting (#40792): Turn count and token usage are now emitted correctly for the Copilot and Pi engines.
• Portfolio analyst turn runaway (#40858): The portfolio analyst workflow now has max-turns and max-ai-credits guardrails to prevent unbounded execution.

⚡ Performance

• ~9,600 chars trimmed from ambient context (#40874): Per-run token usage is meaningfully reduced by pruning verbose ambient context that agents did not need.
• Failure investigator cost reduction (#40880): The aw-failure-investigator workflow has been optimized to use fewer AI credits per run.

🔒 Security

• Hardened checkout credential defaults (#40794): Generated checkout steps now default to persist-credentials: false, reducing the credential exposure window in generated workflows.

📚 Documentation

• max-daily-ai-credits cost warnings (#41055): Docs now warn about the API unit cost implications of max-daily-ai-credits and include examples for disabling the field, with a recommendation to configure at the org level.
• Authoring guidance improvements (#40819, #40820): Tightened guidance on noop semantics, workflow_run triage, report window scoping, and permissions documentation.

Generated by 🚀 Release · 36.8 AIC · ⊞ 8.2K

---

What's Changed

• [docs] Update glossary - weekly full scan by @github-actions[bot] in #40776
• Sync workflow designer skill with safe-output and network reference docs by @pelikhan with @Copilot in #40742
• Reduce tool-denial failures in Daily Compiler Threat Spec Optimizer by @pelikhan with @Copilot in #40743
• Align threshold linters with sibling analyzer behavior by @pelikhan with @Copilot in #40740
• fix(seenmapbool): eliminate duplicate diagnostics for set-maps in closures by @pelikhan with @Copilot in #40741
• [architecture] Update architecture diagram - 2026-06-22 by @github-actions[bot] in #40769
• [schema-coverage] feat: Add schema coverage demo for max-turn-cache-misses field by @github-actions[bot] in #40753
• safe-outputs: make create-pull-request bundling resilient to diverged-history replay conflicts by @pelikhan with @Copilot in #40720
• [code-scanning-fix] Fix workflow-graphql-id-unescaped: eliminate string interpolation in GraphQL mutations via variables by @github-actions[bot] in #40757
• [code-simplifier] simplify: dedup validateAllowedIssueFields and extract parseUnknownModelAICreditsFromAuditEntry by @github-actions[bot] in #40725
• fix: increase timeout-minutes from 10 to 30 in example-workflow-analyzer by @pelikhan with @Copilot in #40788
• [jsweep] Clean validate_lockdown_requirements_templates.cjs by @github-actions[bot] in #40730
• fix: resolve SEC-004 false-positive sanitization flags on assign_agent_helpers and update_pull_request by @pelikhan with @Copilot in #40791
• fix: update actions toolset to consolidated tool names (actions_get/actions_list) by @pelikhan with @Copilot in #40787
• refactor: centralise symlink guard into shared lstatGuard helper by @pelikhan with @Copilot in #40795
• fix: restore AIC data in usage-only log collection by @pelikhan with @Copilot in #40786
• pi: propagate GH_AW_NODE_BIN into AWF execution path for Daily News by @pelikhan with @Copilot in #40789
• docs(permissions): move read-only constraint note and add group descriptions by @pelikhan with @Copilot in #40820
• Docs: tighten workflow authoring guidance for noop semantics, workflow_run triage, and report window scoping by @pelikhan with @Copilot in #40819
• fix(logs): --engine filter correctly filters runs by engine ID by @pelikhan with @Copilot in #40793
• fix(telemetry): emit turns/tokens for Copilot/Pi; trim cli-version-checker prompt; foreground recompile by @pelikhan with @Copilot in #40792
• Add GH_AW_RUNTIME_FEATURES support to built-in workflow jobs by @pelikhan with @Copilot in #40824
• fix(cli): rename --skip-secret, --disable-security-scanner, --disable-release-bump to --no-* convention; fix docs gaps by @pelikhan with @Copilot in #40822
• refactor(cli): extract ReportProvenance f...

v0.80.9

🌟 Release Highlights

This release focuses on reliability and correctness — squashing noisy error conditions in the MCP server and agentic workflows, hardening security, and keeping the observability pipeline complete.

🐛 Bug Fixes & Improvements

• MCP stdio error handling — handleMessage now correctly serialises plain-object throws (not just Error instances), eliminating the cryptic -32603 [object Object] failures that blocked submit_pull_request_review on the stdio transport path. (#40715)

• Issue Monster noise reduction — Agent-availability errors ("copilot coding agent is not available for this repository") are now treated as transient and silently skipped, so the issue tracker is no longer spammed with failure issues on every 30-minute poll cycle. (#40716)

• Observability report completeness — The daily observability report now explicitly requests agent and detection artifact sets alongside usage metrics, preventing incomplete/noop outcomes caused by missing telemetry inputs. (#40705)

• Task session data fetch — Fixed a failing agent GitHub Actions job caused by a stale data-fetch pattern in task session handling. (#40728)

🔒 Security

• Atomic temp-file writes — Replaced direct fs.writeFileSync calls in the safe-output evaluations script with an atomic write helper, closing a CWE-377 insecure-temporary-file vulnerability flagged by CodeQL. (#40721)

🔧 Internal

• Safe Outputs conformance checker — Added MCE-006 check verifying that mcp_server_core.cjs enforces valid JSON-RPC 2.0 error codes (spec §8.2); split spec/script version comments for clarity. (#40737)

• Maintenance workflow header — agentics-maintenance.yml now carries an explicit, purpose-specific header describing the maintenance schedule and how to disable it, replacing the generic compiled-workflow boilerplate. (#40706)

Generated by 🚀 Release · 31.3 AIC · ⊞ 8.2K

---

What's Changed

• fix(daily-observability-report): request agent+detection artifacts in logs fetches by @pelikhan with @Copilot in #40705
• Make agentics-maintenance.yml header maintenance-specific by @pelikhan with @Copilot in #40706
• fix: handleMessage avoids [object Object] errors and enforces valid JSON-RPC error codes for thrown plain objects by @pelikhan with @Copilot in #40715
• Update task session data fetch by @mnkiefer with @Copilot in #40728
• fix(issue-monster): gracefully skip agent availability errors with ignore-if-error by @pelikhan with @Copilot in #40716
• [spec-review] Update Safe Outputs conformance checker for recent spec changes by @github-actions[bot] in #40737
• [blog] Weekly blog post – 2026-06-22 by @github-actions[bot] in #40724
• [code-scanning-fix] Fix js/insecure-temporary-file: use atomic write to prevent symlink attacks by @github-actions[bot] in #40721

Full Changelog: v0.80.8...v0.80.9

v0.80.8

🌟 Release Highlights

This release brings a meaningful performance win, improved slash-command UX, a new Go linter, and a wave of reliability and documentation improvements.

⚡ Performance

• Fixed a +320% regression in CompileComplexWorkflow by eliminating a redundant yaml.Unmarshal call — complex workflows now compile as fast as expected (#40662).

✨ What's New

• Slash-command status comments are now created in the central router and reused downstream, giving users consistent, real-time feedback on slash-command progress (#40644).
• New deferinloop Go linter flags defer statements inside for-loop bodies — a common source of resource-leak bugs — catching issues earlier in the development cycle (#40679).
• gh-aw-detection rolled out to 50% of agentic workflows, expanding coverage of automated workflow health checks (#40698).
• Daily Safe Output Integrator can now inspect compiler safe-output tests, broadening daily CI coverage (#40697).
• Codex experiment models are now available in the Daily Cache Strategy Analyzer (#40682).

🐛 Bug Fixes

• Prevented tool-denial cascade in daily-formal-spec-verifier, avoiding runaway failures when individual tools are unavailable (#40655).
• Fixed sparse checkout path typing in the Skillet pre-activation skills checkout, resolving failures in sparse-repo workflows (#40684).
• Migrated assignAgentToIssue to REST, retaining GraphQL fallbacks in lookup helpers for resilience (#40669).
• Replaced SHA-256 with FNV-1a for heredoc delimiter generation, eliminating crypto-library overhead in hot compilation paths (#40696).
• Reduced ambient prompt surface in high-traffic workflows, improving token efficiency and reducing unintended context bleed (#40695).

📚 Documentation

• Leaner model-tables intro in the docs (#40658).
• Fixed broken outbound links in the README (#40675).
• Tightened authoring guidance for incident prefetch/dedup and visual baseline sourcing (#40660).
• Extended JSON-LD schema to blog posts and inner pages for improved SEO (#40678).

Generated by 🚀 Release · 31.7 AIC · ⊞ 8.2K

---

What's Changed

• fix: prevent tool denial cascade in daily-formal-spec-verifier by @pelikhan with @Copilot in #40655
• [docs] docs: unbloat model tables intro by @github-actions[bot] in #40658
• SPDD 2026-06-21: fix spec divergences across 5 spec files by @pelikhan with @Copilot in #40656
• Create slash-command status comments in the central router and reuse them downstream by @pelikhan with @Copilot in #40644
• Align checkout credential integration test with safe_outputs PR flow by @pelikhan with @Copilot in #40661
• Tighten workflow authoring guidance for incident prefetch/dedup and visual baseline sourcing by @pelikhan with @Copilot in #40660
• Update README to replace broken outbound links with canonical working targets by @pelikhan with @Copilot in #40675
• Strengthen actionpins spec coverage for unresolved pinning and edge-case resolution by @pelikhan with @Copilot in #40676
• Use available Codex experiment models in Daily Cache Strategy Analyzer by @pelikhan with @Copilot in #40682
• Skillet: fix sparse checkout path typing in pre-activation skills checkout by @pelikhan with @Copilot in #40684
• feat(linters): add deferinloop analyzer — flags defer inside for-loop bodies by @pelikhan with @Copilot in #40679
• Extend docs JSON-LD schema to blog posts and inner pages by @pelikhan with @Copilot in #40678
• fix: migrate assignAgentToIssue to REST, retain GraphQL fallbacks in lookup helpers by @pelikhan with @Copilot in #40669
• Enable gh-aw-detection on 50% of agentic workflows by @pelikhan with @Copilot in #40698
• Replace SHA-256 with FNV-1a for heredoc delimiter generation by @pelikhan with @Copilot in #40696
• perf: fix +320% regression in CompileComplexWorkflow by eliminating redundant yaml.Unmarshal by @pelikhan with @Copilot in #40662
• Allow Daily Safe Output Integrator to inspect compiler safe-output tests by @pelikhan with @Copilot in #40697
• Reduce ambient prompt surface in high-traffic workflows by @pelikhan with @Copilot in #40695

Full Changelog: v0.80.7...v0.80.8

v0.80.7

🌟 Release Highlights

v0.80.7 brings powerful new automation options, compiler safety guardrails, and a set of targeted bug fixes that improve reliability across workflows, CLI tools, and the safe-outputs system.

⚠️ Breaking Changes

• allow-team-members renamed to allowed-collaborators in safe-outputs.mentions (#40394)
  Run gh aw fix --write with codemod add-allow-team-members-collaborators to migrate automatically.

✨ What's New

• Auto-upgrade workflow generation: Set auto_upgrade: true in aw.json to automatically generate a weekly agentic-auto-upgrade.yml workflow that keeps your setup current (#40414).
• Auto-pin unversioned action refs: The compiler now auto-pins unversioned uses: references and fails compilation when no pin is resolvable — preventing silent runtime failures (#40475).
• allowed-teams in mentions config: Authorize entire GitHub teams to trigger agentic mentions without enumerating every user (#40368).
• Wildcard suffix for slash_command: Use a trailing * to match a family of related commands with a single workflow (#40369).
• max-turn-cache-misses top-level field: Configure cache-miss guardrail thresholds directly in workflow frontmatter (#40388).
• code_quality MCP toolset: The code_quality toolset is now mapped in GitHub MCP toolsets configuration (#40625).

🐛 Bug Fixes & Improvements

• Call-workflow permissions: Job permissions are now correctly derived from the caller, not the worker (#40175 — thanks @dsyme!).
• gh aw logs reliability: Fixed context-deadline cancellation for --timeout (#40498) and added a --report-file flag to avoid shell redirect failures (#40425).
• Idle-timeout resolved as success: When output has been collected and all tools are complete, idle-timeout no longer marks a run as failed (#40419).
• set_issue_field temporary ID resolution: set_issue_field can now resolve temporary_id values from a create_issue in the same batch (#40615).
• Firewall-mode LLM routing: All LLM traffic in firewall mode is now correctly routed through the AWF gateway (#40616).
• Improved error guidance: Empty-arguments errors now include schema guidance to prevent missing-tool reports (#40542); hide_comment validation surfaced GraphQL node ID guidance (#40361).
• Template-injection scanner: Fixed false positive that rejected the compiler's own generated Configure Git credentials step (#40613).
• /help command: Fixed routing fallthrough, error handling, reactions, and mention sanitization (#40476).

📚 Documentation

• CLI setup guide streamlined for clarity (#40484, view docs).
• allowed-teams option surfaced in the agentic mentions configuration docs (#40421).
• /help now uses structured headings and links commands to their source workflows (#40500).

Generated by 🚀 Release · 41.4 AIC · ⊞ 8.2K

---

What's Changed

• optimize(glossary-maintainer): prompt trim, turn guardrail, batch reads, haiku sub-agent for term discovery by @pelikhan with @Copilot in #40353
• Update slides by @mnkiefer in #40364
• fix: replace local .github/aw/ paths with public URLs in agentic-workflows agent by @pelikhan with @Copilot in #40358
• fix(daily-spdd-spec-planner): add sed -n to bash allowlist to prevent tool denial threshold by @pelikhan with @Copilot in #40366
• Avoid LFS-dependent checkout in Documentation Unbloat by @pelikhan with @Copilot in #40365
• Tighten Daily Formal Spec Verifier safe-output contract by @pelikhan with @Copilot in #40367
• Recursively order nested with/env/secrets maps during YAML serialization by @pelikhan with @Copilot in #40362
• [linter-miner] feat(linters): add sprintferrdot — flag redundant .Error() calls in fmt format functions by @github-actions[bot] in #40371
• Make safe-job conclusion dependencies deterministic by @pelikhan with @Copilot in #40363
• fix(hide_comment): surface GraphQL node ID guidance in comment_id validation error by @pelikhan with @Copilot in #40361
• Enforce per-type safe-output max count at MCP invocation time (MCE4) by @dsyme with @Copilot in #40348
• Support wildcard suffix matching for slash_command by @pelikhan with @Copilot in #40369
• feat(safe-outputs): add allowed-teams to mentions configuration by @pelikhan with @Copilot in #40368
• Enable Smoke Pi safeoutputs CLI mounting and migrate 20 non-smoke workflows to Pi by @pelikhan with @Copilot in #40375
• feat(codemods): rename allow-team-members → allowed-collaborators in safe-outputs.mentions by @pelikhan with @Copilot in #40394
• [docs] Self-healing documentation fixes from issue analysis - 2026-06-20 by @github-actions[bot] in #40402
• Add top-level max-turn-cache-misses support with env-managed default by @pelikhan with @Copilot in #40388
• Add skillet skill-routed PR reviewer workflow by @pelikhan with @Copilot in #40399
• Add step authoring guidance to .github/aw instruction files by @pelikhan with @Copilot in #40413
• Add centralized /dependabot-burner grouping and retry-aware single-workflow remediation by @pelikhan with @Copilot in #40396
• [community] Update community contributions in README by @github-actions[bot] in #40424
• docs: surface allowed-teams in agentic mentions config docs by @pelikhan with @Copilot in #40421
• Refresh docs site theme toward neutral GitHub-style surfaces by @pelikhan with @Copilot in #40422
• fix(sdk-driver): resolve idle-timeout as success when output collected and all tools complete by @pelikhan with @Copilot in #40419
• [docs] Consolidate developer specifications into instructions file (v9.18) by @github-actions[bot] in #40465
• [spec-extractor] Update package specifications for agentdrain, cli, console, constants by @github-actions[bot] in #40456
• [instructions] Sync instruction files with release v0.80.6 by @github-actions[bot] in #40453
• [docs] Update editor preview screenshots – 2026-06-20 by @github-actions[bot] in #40451
• fix: add --report-file flag to gh-aw logs to avoid shell redirect failure by @pelikhan with @Copilot in #40425
• model-inventory: alias updates 2026-06-20 by @pelikhan with @Copilot in #40420
• Handle pi threat verdicts in detection log parser by @pelikhan with @Copilot in #40469
• [WIP] Fix failing GitHub Actions job Integration: Workflow Features by @pelikhan with @Copilot in #40471
• [jsweep] Clean write_daily_aic_usage_cache.cjs by @github-actions[bot] in #40433
• feat: run code-scanning-fixer every 6h; replace MCP tool calls with gh CLI by @pelikhan with @Copilot in #40470
• Roll out gh-aw-detection to 20% of repository workflows by @pelikhan with @Copilot in #40477
• feat: add top-level auto_upgrade to generate a weekly agentic-auto-upgrade workflow by @pelikhan with @Copilot in #40414
• [docs] docs: unbloat CLI setup guide by @github-actions[bot] in #40484
• Refine workflow-creation guidance for workflow_run scoping, scheduled report windows, and visual-regression minimal config by @pelikhan with @Copilot in #40482
• Auto-pin unversioned action uses refs in compiler; fail compilation when no pin is available by @pelikhan with @Copilot in #40475
• Fix /help routing fallthrough, error handling, reaction, and mention sanitization by @pelikhan with @Copilot in #40476
• [linter-miner] linter: add sprintferrorsnew — flag errors.New(...