v0.65.7

Pre-release

@github-actions github-actions released this 03 Apr 05:34
· 444 commits to main since this release
f2bf5c6

🌟 Release Highlights

This release focuses on cross-repo workflow reliability, safe-outputs improvements, and new token optimization tooling — along with a handful of highly-requested community fixes.

✨ What's New

  • MCP Gateway keepalive configuration — Expose keepalive-interval as a first-class frontmatter option under sandbox.mcp, preventing session expiry during long-running agent tasks.

  • Dynamic github-token expressions — github-token fields in safe-outputs now accept ${{ needs.JOB.outputs.OUTPUT }} expressions, enabling short-lived tokens minted by upstream jobs (e.g., via actions/create-github-app-token or Octo STS) to be used seamlessly with built-in safe outputs.

  • Daily token usage analysis workflows — New daily-token-usage-analysis and daily-safe-output-optimizer workflows help you identify unused tools and reduce per-turn token costs — the same pattern that has already produced concrete savings in gh-aw-firewall.

  • Agent failure footers now include effective token count — The token consumption of each run is now surfaced directly in agent failure issue/comment footers, making cost investigation faster.

🐛 Bug Fixes & Improvements

  • Cross-repo workflow_call integrity check fixed — GITHUB_WORKFLOW_REF env var always reflects the top-level caller, not the callee. The integrity check now correctly uses github.workflow_ref (the Actions context expression) to resolve the called workflow's source. Fixes long-standing failures for reusable remote workflows.

  • Stale GH_HOST and false fork-PR detection resolved — configure_gh_for_ghe.sh returned early for github.com without clearing a previously-set GH_HOST, causing gh pr checkout and related commands to fail against the wrong host. A secondary false-positive fork detection was also removed. Closes #24208, #24217, #24218.

  • Detection gate wired for imported safe-outputs — Workflows that declare no safe-outputs: in their own frontmatter but pull it in via imports: were compiled without a detection job gate. This is now correctly enforced.

  • CI Cleaner always produces safe outputs — The CI Cleaner agent now has a mandatory exit protocol ensuring at least one safe-output tool is called before it exits, preventing silent "no safe outputs generated" failures.
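
The stale GH_HOST failure mode from the list above, as an added sketch that is not the project's configure_gh_for_ghe.sh. The function names are hypothetical, github.com is assumed as the default host gh falls back to, and ghe.example.com is a constructed value.

```shell
#!/bin/sh
# Added illustration; all function names here are hypothetical.

DEFAULT_HOST="github.com"   # assumption: host gh targets when GH_HOST is unset

# Reduce a server URL (https://host:port/path) to its bare hostname.
host_from_url() {
  _h="${1#*://}"    # drop the scheme
  _h="${_h%%/*}"    # drop any path
  printf '%s\n' "${_h%%:*}"   # drop any port
}

# "Before": returns early for the default host, so a GH_HOST inherited
# from an earlier step or job stays exported.
configure_gh_buggy() {
  _host="$(host_from_url "$1")"
  if [ "$_host" = "$DEFAULT_HOST" ]; then
    return 0
  fi
  export GH_HOST="$_host"
}

# "After": the default-host path clears GH_HOST before returning.
configure_gh_fixed() {
  _host="$(host_from_url "$1")"
  if [ "$_host" = "$DEFAULT_HOST" ]; then
    unset GH_HOST
    return 0
  fi
  export GH_HOST="$_host"
}

# Host that later gh commands would be pointed at.
effective_host() {
  printf '%s\n' "${GH_HOST:-$DEFAULT_HOST}"
}

# Demo in a subshell so the caller's environment is untouched.
(
  export GH_HOST="ghe.example.com"   # constructed stale value
  configure_gh_buggy "https://github.com"
  echo "early return only: $(effective_host)"
  configure_gh_fixed "https://github.com"
  echo "with unset:        $(effective_host)"
)
```
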

📚 Documentation

  • Frontmatter hash clarified — Documentation now accurately describes the frontmatter hash as a stale-lock detection mechanism, not a tamper-protection or security boundary, to avoid misleading security assumptions.

  • Copilot Agent Files reference page reduced from 167 → 125 lines (25% leaner) while preserving all essential information.

🔧 Maintenance

  • Playwright Browser bumped to v1.59.1 (Windows regression fix)
  • MCP Gateway bumped to v0.2.12
  • AWF Firewall bumped to v0.25.13
  • 6 GitHub Actions updated to latest SHA-pinned releases

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@ferryhinardi

@salekseev

@strawgate

@virenpepper


For complete details, see CHANGELOG.

What's Changed

  • [docs] Update documentation for 2026-04-02 features by @github-actions[bot] in #24170
  • fix: wire detection gate for safe-outputs assembled entirely from imports by @Copilot in #24155
  • fix(ci-cleaner): add mandatory exit protocol to always produce safe outputs by @Copilot in #24182
  • [actions] Update GitHub Actions versions - 2026-04-02 by @Copilot in #24181
  • [log] Add debug logging to 4 Go files by @Copilot in #24180
  • chore: Bump AWF firewall version to v0.25.13 by @lpcox in #24185
  • feat: Add daily token usage analysis and optimization workflows by @Copilot in #24192
  • Include effective token count in agent failure issue/comment footer by @Copilot in #24196
  • fix(workflows): normalize report headers to h3+ and add progressive disclosure by @Copilot in #24201
  • docs: clarify frontmatter hash is stale-lock detection, not tamper protection by @Copilot in #24198
  • fix: Clear stale GH_HOST and remove false fork PR detection (#24208) by @lpcox in #24221
  • feat: Expose MCP gateway keepalive-interval in workflow config schema by @Copilot in #24220
  • [docs] docs: reduce bloat in Copilot Agent Files reference page by @github-actions[bot] in #24223
  • fix: unset stale GH_HOST when configuring gh for github.com by @Copilot in #24222
  • feat: Allow ${{ needs.JOB.outputs.OUTPUT }} expressions in github-token fields by @Copilot in #24215
  • Fix cross-repo workflow_call integrity check: use github.workflow_ref instead of GITHUB_WORKFLOW_REF by @Copilot in #24200
  • [jsweep] Clean add_reaction_and_edit_comment.cjs by @github-actions[bot] in #24228
  • Use details/summary for progressive disclosure of failure reporting tip by @Copilot in #24229
  • chore: update Playwright Browser v1.59.1, MCP Gateway v0.2.12 by @Copilot in #24226

Full Changelog: v0.65.6...v0.65.7