v0.67.1

@github-actions github-actions released this 06 Apr 04:30
· 89 commits to main since this release
13ac7de

🌟 Release Highlights

This release delivers a major OpenTelemetry observability overhaul, a new report_incomplete safe output signal, Claude Code 1.0.0 compatibility, and a wave of security hardening — all driven in part by community-reported issues.

✨ What's New

🔭 OpenTelemetry Observability (Multiple PRs)

A substantial series of improvements makes distributed tracing production-ready:

  • Accurate span names — job lifecycle spans now use the actual job name (e.g. gh-aw.agent.conclusion) instead of the generic gh-aw.job.conclusion, making traces immediately readable in Grafana/Honeycomb/Datadog.
  • Real job duration — conclusion spans now record actual execution time (previously always reported 2–5 ms due to a missing startMs).
  • OTLP payload sanitization — sensitive values (token, secret, key, auth, etc.) in span attributes are automatically redacted before sending to any OTLP collector.
  • OTLP headers masking — OTEL_EXPORTER_OTLP_HEADERS is masked with ::add-mask:: in every job, preventing auth tokens from leaking in GitHub Actions debug logs.
  • MCP Gateway OpenTelemetry — the MCP Gateway now receives opentelemetry config derived from observability.otlp frontmatter and the actions/setup trace IDs, correlating all MCP tool-call traces under the workflow root trace.
  • New resource attributes — service.version, github.repository, github.run_id, github.event_name, github.ref, github.sha, github.actions.run_url, deployment.environment, gh-aw.staged, gh-aw.run.attempt enriching all spans.
  • Observability job summary auto-enabled — the job summary step is now rendered automatically whenever OTLP is configured; the observability.job-summary opt-in field is removed (auto-detected).
  • Real OTLP trace ID in the observability job summary (was incorrectly showing the workflow_call_id).
  • GitHub API rate limit analytics — gh aw audit, gh aw logs, and gh aw audit diff now show GitHub API quota consumed per run, per resource.
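
The OTLP payload sanitization item above, sketched as an added example (this is not gh-aw's implementation). It walks an OTLP/JSON trace export and redacts attributes whose key looks sensitive; the key pattern, the `[REDACTED]` placeholder, the function names and the sample payload are assumptions.

```javascript
// Added example, not gh-aw's code. Pattern and placeholder are assumptions.
// Substring matching over-redacts on purpose: failing closed is the safe side.
const SENSITIVE_KEY = /token|secret|key|auth/i;
const REDACTED = "[REDACTED]";

// Redact an OTLP KeyValue list, recursing into kvlistValue (nested maps).
function redactAttributes(attrs) {
  return (attrs || []).map(({ key, value }) => {
    if (SENSITIVE_KEY.test(key)) return { key, value: { stringValue: REDACTED } };
    if (value && value.kvlistValue) {
      const values = redactAttributes(value.kvlistValue.values);
      return { key, value: { kvlistValue: { values } } };
    }
    return { key, value };
  });
}

// Return a redacted deep copy of an OTLP/JSON trace export request.
function sanitizeOtlpPayload(payload) {
  const copy = JSON.parse(JSON.stringify(payload));
  for (const rs of copy.resourceSpans || []) {
    if (rs.resource) rs.resource.attributes = redactAttributes(rs.resource.attributes);
    for (const scope of rs.scopeSpans || []) {
      for (const span of scope.spans || []) {
        span.attributes = redactAttributes(span.attributes);
        for (const ev of span.events || []) ev.attributes = redactAttributes(ev.attributes);
      }
    }
  }
  return copy;
}

// Constructed sample payload; every key and value here is made up.
const samplePayload = {
  resourceSpans: [{
    resource: { attributes: [{ key: "github.run_id", value: { stringValue: "1" } }] },
    scopeSpans: [{ spans: [{
      name: "gh-aw.agent.conclusion",
      attributes: [
        { key: "gh-aw.run.attempt", value: { stringValue: "1" } },
        { key: "api_token", value: { stringValue: "constructed-value" } },
        { key: "http.request", value: { kvlistValue: { values: [
          { key: "authorization", value: { stringValue: "Bearer constructed" } },
          { key: "method", value: { stringValue: "GET" } },
        ] } } },
      ],
    }] }],
  }],
};
console.log(JSON.stringify(sanitizeOtlpPayload(samplePayload), null, 2));
```

Key-based redaction does not catch a secret stored under an innocuous key, so it complements the `::add-mask::` masking rather than replacing it.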

πŸ›‘οΈ report_incomplete Safe Output

A new first-class signal for agents to surface infrastructure or tool failures without being misclassified as successful runs. When an agent emits report_incomplete, the safe-outputs handler activates failure handling regardless of agent exit code — preventing "tool-failure comment disguised as a success" scenarios. Can be configured with create-issue, title-prefix, and labels, just like missing_tool.

✅ checks as a First-Class MCP Tool

The checks tool is now registered in the gh-aw MCP server, returning a normalized CI verdict (success, failed, pending, no_checks, policy_blocked). Review workflows no longer need to shell out to gh aw checks.

πŸ” Security Hardening

  • Token/secret injection prevention — 422 instances of ${{ secrets.* }} interpolated directly into run: blocks have been moved to env: mappings across 181 lock files and hand-authored CI workflows, preventing shell injection if a token contains metacharacters.
  • runner-guard added to static analysis — the static-analysis-report workflow now runs Vigilant-LLC's runner-guard scanner alongside zizmor, poutine, and actionlint.
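
The run: to env: move described above can be checked mechanically. This added example (not code from gh-aw, zizmor or runner-guard) is a line-based heuristic that flags `${{ secrets.* }}` inside `run:` values and ignores `env:` mappings; the function name, step names, secret names and both workflow snippets are constructed.

```javascript
// Added example: a line-based lint, not a YAML parser and not the code of
// gh-aw, zizmor or runner-guard. Workflow snippets below are constructed.
const SECRET_EXPR = /\$\{\{[^}]*\bsecrets\./;

// Return [{ line, text }] for each secrets expression inside a `run:` value
// (single-line or block scalar). Expressions under `env:` are not flagged.
function findSecretsInRun(workflowText) {
  const findings = [];
  let runIndent = -1; // column of the active `run:` key, -1 when outside one
  workflowText.split(/\r?\n/).forEach((text, i) => {
    const indent = text.search(/\S/);
    if (indent === -1) return; // blank lines do not end a block scalar
    const runKey = /^(\s*(?:-\s+)?)run:/.exec(text);
    if (runKey) runIndent = runKey[1].length;
    else if (indent <= runIndent) runIndent = -1; // dedent: run value ended
    if (runIndent >= 0 && SECRET_EXPR.test(text)) {
      findings.push({ line: i + 1, text: text.trim() });
    }
  });
  return findings;
}

// Before: the secret's value becomes part of the script text the shell parses.
const BEFORE = [
  "steps:",
  "  - name: List issues",
  "    run: |",
  "      GH_TOKEN=${{ secrets.GH_PAT }} gh issue list",
  "  - run: ./notify.sh ${{ secrets.WEBHOOK_URL }}",
].join("\n");

// After: the value reaches the script only through the environment.
const AFTER = [
  "steps:",
  "  - name: List issues",
  "    run: gh issue list",
  "    env:",
  "      GH_TOKEN: ${{ secrets.GH_PAT }}",
  "  - run: ./notify.sh \"$WEBHOOK_URL\"",
  "    env:",
  "      WEBHOOK_URL: ${{ secrets.WEBHOOK_URL }}",
].join("\n");

console.log(findSecretsInRun(BEFORE), findSecretsInRun(AFTER));
```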

πŸ” Pre-Activation Visibility

When a workflow activation is denied (bot gate, role gate, stop-after, skip-if-match, etc.), the activation job now writes a $GITHUB_STEP_SUMMARY explaining the exact reason and providing remediation guidance — no more silently skipping PRs with no visible indicator.

🤖 Claude Code 1.0.0 Compatibility

The --disable-slash-commands flag has been removed from the Claude CLI args builder. Claude Code 1.0.0 dropped this flag as a breaking change; the compiler was unconditionally injecting it, causing all Claude-engine workflows to fail at startup.

πŸ› Bug Fixes & Improvements

  • Fix Octokit .endpoint proxy — pre_activation check scripts were failing with route.endpoint is not a function due to the rate-limit-aware github proxy stripping Octokit's .endpoint decorator; fixed with a Proxy wrapper.
  • Fix OTLP span kind — job lifecycle spans now use SPAN_KIND_INTERNAL (was SPAN_KIND_SERVER), preventing false RED-metric pollution in observability backends.
  • Error message quality — duplicate permission scope hints suppressed, redundant path prefix stripped from single-failure messages, and YAML parse error fallbacks now emit proper IDE-navigable positions.
  • Fix daily-issues-report — switched from codex to copilot engine after OpenAI API access restrictions blocked Codex since Mar 24.
  • Fix runner-guard v2 module path — corrected go install path to include /v2/ suffix for Go major version convention compliance.
  • Fix docs breadcrumb config — removed unrecognized breadcrumbs: true key that was breaking Starlight config.
  • Add stateful scanning pattern to memory.md — documents the baseline-diff approach for nightly scans using repo-memory.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bbonafed

@dagecko

@samuelkahessay


For complete details, see CHANGELOG.

Generated by Release · ● 1.2M


What's Changed

  • feat: report agent failure in OTEL conclusion span by @Copilot in #24650
  • fix: use actual job name in OTLP span names (#fix-span-names) by @Copilot in #24648
  • feat: add daily-otel-instrumentation-advisor workflow by @Copilot in #24655
  • [docs] Unbloat upgrading guide (-20% words) by @github-actions[bot] in #24657
  • feat(otel): enrich resource attributes with service.version, github.repository, github.run_id, github.event_name by @Copilot in #24659
  • feat(otel-advisor): query live Sentry OTel data to ground analysis by @Copilot in #24661
  • fix(otel): show real OTLP trace ID in observability job summary by @Copilot in #24666
  • feat: add gh-aw.run.attempt to setup and conclusion OTel spans by @Copilot in #24670
  • [jsweep] Clean action_conclusion_otlp.cjs by @github-actions[bot] in #24669
  • chore: update drain3 default log pattern weights by @github-actions[bot] in #24673
  • enrich OTel error conclusion spans with agent_output.json error details by @Copilot in #24675
  • [docs] Update dictation skill instructions by @github-actions[bot] in #24676
  • fix: OTel conclusion spans record actual job execution duration instead of ~0 ms by @Copilot in #24680
  • test: add test coverage for tool call result preview in generatePlainTextSummary (core.info) by @Copilot in #24688
  • chore: upgrade gh-aw-mcpg to v0.2.14 by @Copilot in #24689
  • [architecture] Update architecture diagram - 2026-04-05 by @github-actions[bot] in #24693
  • feat(otel): add github.actions.run_url resource attribute to all spans by @Copilot in #24691
  • docs: add stateful scanning (repo-memory baseline diff) pattern to memory.md by @Copilot in #24687
  • docs: add pre-step data-fetching pattern to create-agentic-workflow.md by @Copilot in #24685
  • Add GitHub API rate limit observability via JSONL artifact logging and OTLP span enrichment by @Copilot in #24694
  • fix(otel): use SPAN_KIND_INTERNAL for job lifecycle spans instead of SPAN_KIND_SERVER by @Copilot in #24701
  • [instructions] Sync github-agentic-workflows.md with v0.67.0 by @github-actions[bot] in #24707
  • [docs] docs: Developer documentation consolidation v5.3 — GitHub API rate limit observability by @github-actions[bot] in #24709
  • [community] Update community contributions in README by @github-actions[bot] in #24705
  • Rename domainStatus → classifyFirewallDomainStatus and statusEmoji → firewallStatusEmoji by @Copilot in #24712
  • Add gh-aw.staged and deployment.environment to OTLP conclusion spans by @Copilot in #24711
  • [dead-code] chore: remove dead functions — 7 functions removed by @github-actions[bot] in #24727
  • fix(daily-doc-updater): handle new-file creation requests in Step 1b by @Copilot in #24742
  • [mcp-tools] Update GitHub MCP toolsets mapping with newly discovered tools (v2.2) by @github-actions[bot] in #24729
  • feat(otel): add deployment.environment to setup span resource attributes by @Copilot in #24747
  • Add GitHub API rate limit consumption analysis to logs, audit, and audit diff commands (#github-api-usage) by @Copilot in #24748
  • Remove dead code in audit_report.go after audit report command merged into logs by @Copilot in #24753
  • security: extract tokens and secrets from run blocks into env mappings by @Copilot in #24746
  • feat: add runner-guard to static-analysis-report workflow by @Copilot in #24749
  • Remove observability.job-summary opt-in, render job summary when OTLP is enabled by @Copilot in #24750
  • fix: preserve Octokit .endpoint on rate-limit-aware github proxy to fix route.endpoint is not a function by @Copilot in #24758
  • Add checks as a first-class MCP tool to the gh-aw MCP server by @Copilot in #24757
  • test(gitutil): extend coverage to 100% of exported functions by @Copilot in #24765
  • docs: enable breadcrumbs and document sitemap dev-mode limitation by @Copilot in #24763
  • refactor: deduplicate bots/roles codemods via factory and rename filterMapKeys by @Copilot in #24764
  • fix(daily-issues-report): switch engine from codex to copilot by @Copilot in #24767
  • Fix error message quality: prevent duplicate suggestions, strip redundant path prefix, improve YAML error IDE navigation by @Copilot in #24766
  • [log] Add debug logging to workflow step generation and validation by @github-actions[bot] in #24780
  • fix: correct Go module path for runner-guard v2 install by @Copilot in #24787
  • fix(SEC-004): sanitize OTLP payload before sending to prevent sensitive value leakage by @Copilot in #24785
  • feat(otel): add github.ref and github.sha to span resource attributes by @Copilot in #24786
  • Add ::add-mask:: for OTEL_EXPORTER_OTLP_HEADERS to prevent telemetry auth token leakage by @Copilot in #24805
  • Surface pre-activation denial reason in job summary by @Copilot in #24792
  • Add report_incomplete safe output type to prevent tool-failure comments from being classified as successful runs by @Copilot in #24796
  • Remove --disable-slash-commands flag for Claude Code 1.0.0 compatibility by @Copilot in #24807
  • Configure MCP gateway OpenTelemetry from observability.otlp and actions/setup trace IDs by @Copilot in #24697
  • fix(lint): use require.NoError for error assertion in gitutil_test.go by @Copilot in #24817
  • fix: add checks tool to MCP server tool tests by @Copilot in #24818
  • fix: remove unrecognized breadcrumbs key from Starlight config by @Copilot in #24821
  • fix: normalize INPUT_JOB_NAME hyphen variant so OTLP spans include the actual job name by @Copilot in #24823

Full Changelog: v0.67.0...v0.67.1