chore(deps): update github/gh-aw action to v0.76.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
github/gh-aw	action	minor	v0.67.1 → v0.76.1

---

Release Notes

github/gh-aw (github/gh-aw)

v0.76.1

Compare Source

🌟 Release Highlights

This release brings a new replay command for timeline log visualization, inline skill support, improved safe-outputs reliability, and Codex model updates.

✨ What's New

• replay command — Render and stream unified timeline logs directly in your terminal for faster post-run analysis (#​34835)
• Inline skill extraction/runtime — Define and run skills inline within workflows, mirroring the inline sub-agent syntax for a more consistent authoring experience (#​34874)
• Codex default model updated to gpt-5.4 — Workflows using Codex now use the latest model by default; lockfiles have been regenerated (#​34804)
• tracker-id frontmatter documented — The tracker-id field is now fully documented in the reference, making it easier to correlate workflow runs with external tracking systems (#​34799)

🐛 Bug Fixes & Improvements

• safe-outputs push_to_pull_request_branch — Documented as append-only and now auto-linearizes merge commits before a signed push, preventing push failures on branches with merge history (#​34834)
• Codex threat-detection — Response-event logs from Codex are now correctly parsed in threat-detection result processing (#​34850)
• Step name alignment stabilized — Direct manifest reads are now permitted and agent guidance tightened to prevent step name drift (#​34873)
• Reduced duplicate frontmatter scanning — ParseWorkflow no longer scans frontmatter twice, improving compilation performance (#​34819)
• Build & test reliability — Integration-tagged builds and CGO fuzz jobs now correctly share test helpers, eliminating spurious CI failures (#​34841, #​34816)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 838.6K

---

What's Changed

• Enforce //go:build !integration on untagged unit test files by @​Copilot in #​34798
• doc: document tracker-id frontmatter field in main reference by @​Copilot in #​34799
• Set Codex default fallback model to gpt-5.4 and regenerate lockfiles by @​Copilot in #​34804
• Fix CGO fuzz job compile failure by exposing shared test helpers to integration-tagged builds by @​Copilot in #​34816
• Fix failing unit test: align Metrics Trends row labels with test expectations by @​Copilot in #​34833
• Reduce duplicate frontmatter scanning in ParseWorkflow by @​Copilot in #​34819
• Fix integration-tag test build by making initTestGitRepo helper available to all test variants by @​Copilot in #​34841
• [compiler-threat-spec] chore(spec): daily threat spec optimizer 2026-05-26 — bump to v1.0.12 by @​github-actions[bot] in #​34845
• [community] Update community contributions in README by @​github-actions[bot] in #​34846
• Route Antigravity AWF target through Gemini provider key by @​Copilot in #​34839
• Handle Codex response-event logs in threat-detection result parsing by @​Copilot in #​34850
• fix(safe-outputs): document push_to_pull_request_branch as append-only; auto-linearize merge commits before signed push by @​Copilot in #​34834
• feat: add replay command for rendering unified timeline logs by @​Copilot in #​34835
• [code-simplifier] Reuse gatewayTimestampToTime in agentEntryToTimelineEvent by @​github-actions[bot] in #​34864
• Stabilize Step Name Alignment by permitting direct manifest reads and tightening agent guidance by @​Copilot in #​34873
• [jsweep] Clean add_comment.cjs by @​github-actions[bot] in #​34866
• Add inline skill extraction/runtime support mirroring inline sub-agents by @​Copilot in #​34874

Full Changelog: github/gh-aw@v0.76.0...v0.76.1

v0.76.0

Compare Source

🌟 Release Highlights

This release brings a major new engine (Antigravity), significant improvements to token forecasting, supply chain protection, and expanded observability — alongside a wave of quality and performance improvements.

✨ What's New

• Antigravity Engine — A new first-class AI engine joins gh-aw. The Antigravity engine is available as a workflow option, with Gemini now deprecated in its favor. (#​34693)

• First-class engine.permission-mode — Claude's permission mode is now decoupled from bash wildcard access. You can explicitly set engine.permission-mode in your workflow frontmatter for fine-grained control over agent permissions. (#​34525)

• Unified Event Timeline — The MCP Gateway, AWF firewall, and agent logs now share a unified event timeline, making it much easier to trace what happened across all components during a workflow run. (#​34782)

• Shared PMG Pre-step (Supply Chain Protection) — A new Package Manager Guard (PMG) pre-step is available as a shared component to protect workflows from supply chain attacks during package installs. (#​34672)

• GHE Support for Add-Wizard — The add-wizard shorthand now falls back to the github.com org when used on GitHub Enterprise Server, with improved cross-host error guidance. (#​34526)

• Interruption-Aware Forecast — The forecast command now ignores skipped runs, handles interruptions correctly, and focuses output on effective-token predictions for more actionable cost estimates. (#​34740, #​34750)

🐛 Bug Fixes & Improvements

• GHE Fix: Extension Upgrade — Pinned GH_HOST=github.com for extension upgrades in GitHub Enterprise environments to prevent authentication failures. (#​34752)

• Codex Default-Deny Fetch — Restored Codex's default-deny fetch behavior during workflow compilation, closing a potential overfetch path. (#​34726)

• Secret Redaction Update — Updated ghs_ secret redaction to cover long-form GitHub App installation tokens. (#​34737)

• Build Cycle Fix — Broke a logger↔timeutil import cycle that was causing CGO/fuzz workflow failures. (#​34584)

• Codex Default Model — Updated the Codex default model to gpt-5.3-codex. (#​34518)

• AWF Firewall & MCP Gateway Bumps — Updated default AWF to v0.25.55 and MCP Gateway to v0.3.19. (#​34763)

⚡ Performance

• Reduced ExtractWorkflowNameFromFile overhead by removing a redundant deferred close path. (#​34777)
• Optimized incremental bundle transport for stale PR branch sync workflows. (#​34753)
• Reduced PR Description Updater token overhead in sub-agent orchestration. (#​34723)

📚 Documentation

• Added outcome span attributes and an outcomes reference page, contributed by @mnkiefer. (#​34627)
• Updated glossary, architecture diagram, and documentation for 2026-05-25 features.

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 709K

---

What's Changed

• Handle Gemini chunked threat-detection verdict parsing by @​Copilot in #​34509
• Reviewing Codex configuration against documentation by @​Codex in #​34480
• [linter-miner] feat(linters): add fprintlnsprintf linter by @​github-actions[bot] in #​34498
• codex: set default model to gpt-5.3-codex by @​Copilot in #​34518
• Normalize report-style output guidance in non-compliant workflows by @​Copilot in #​34512
• refactor(workflow): migrate resolve_test.go to testify assertions by @​Copilot in #​34511
• Improve PR Sous Chef engine-failure context for AWF startup crashes by @​Copilot in #​34524
• [doc-healer] Expand rejection detection to include non-DDUw bot-authored PRs by @​Copilot in #​34542
• Add github.com org fallback for add-wizard shorthand on GHE and improve cross-host error guidance by @​Copilot in #​34526
• Decouple Claude permission mode from bash wildcard and add first-class engine.permission-mode by @​Copilot in #​34525
• Refactor PR code quality reviewer to use grumpy sub-agent and strict A2A triage by @​Copilot in #​34555
• [community] Update community contributions in README by @​github-actions[bot] in #​34558
• [compiler-threat-spec] spec: fix CTR-018 implementation mapping filename and bump to v1.0.11 by @​github-actions[bot] in #​34559
• [blog] Weekly blog post – 2026-05-25 by @​github-actions[bot] in #​34566
• [log] Add debug logging to utility packages by @​github-actions[bot] in #​34571
• Smoke Copilot: enforce add_comment budget in prompt before output phase by @​Copilot in #​34611
• docs: Add outcome span attributes and outcomes reference by @​mnkiefer in #​34627
• Break logger↔timeutil import cycle causing CGO/fuzz workflow failures by @​Copilot in #​34584
• Update model alias and multiplier inventories for 2026-05-25 by @​Copilot in #​34585
• fix: defensive type assertion for project ID in RunProjectNew by @​Copilot in #​34583
• [jsweep] Clean action_setup_otlp.cjs by @​github-actions[bot] in #​34578
• [docs] Update documentation for features from 2026-05-25 by @​github-actions[bot] in #​34640
• [docs] Update glossary - weekly full scan by @​github-actions[bot] in #​34633
• [spec-extractor] Update package specifications for tty, types, typeutil, workflow by @​github-actions[bot] in #​34630
• [architecture] Update architecture diagram - 2026-05-25 by @​github-actions[bot] in #​34623
• [spec-review] Update Safe Outputs conformance checker for recent spec changes by @​github-actions[bot] in #​34589
• [specs] Update layout specification - 2026-05-25 by @​github-actions[bot] in #​34606
• Bump gh-aw-firewall to v0.25.54 and align embedded AWF schema by @​Copilot in #​34568
• Surface experiment metadata fields in picker step summary by @​Copilot in #​34665
• Bind docs dev server to IPv4 for workflow readiness checks by @​Copilot in #​34670
• Add span-level gh-aw.cli.version for setup/conclusion OTLP spans by @​Copilot in #​34666
• [blog] Agent of the Day – 2026-05-25 by @​github-actions[bot] in #​34676
• [dead-code] chore: remove dead functions — 1 function removed by @​github-actions[bot] in #​34674
• feat: add shared PMG (Package Manager Guard) pre-step for supply chain protection by @​Copilot in #​34672
• Fix docs workflow failure by correcting blog metadata and broken spec links by @​Copilot in #​34702
• Add antigravity engine, deprecate Gemini by @​Copilot in #​34693
• SPDD: close spec drift gaps across Effective Tokens, Forecast, Frontmatter Hash, Fuzzy Schedule, and MCP Scripts by @​Copilot in #​34719
• Render AWF model alias resolution events in firewall step summary by @​Copilot in #​34700
• Restore Codex default-deny fetch behavior for workflow compilation by @​Copilot in #​34726
• Reduce PR Description Updater token overhead in sub-agent orchestration by @​Copilot in #​34723
• Add smoke-antigravity workflow by cloning smoke-gemini onto antigravity engine by @​Copilot in #​34729
• Update ghs_ secret redaction for long-form installation tokens by @​Copilot in #​34737
• CI: make DIFC proxy gh CLI check tolerant to GitHub API rate limits by @​Copilot in #​34736
• [linter-miner] feat(linters): add uncheckedtypeassertion linter (run #​18) by @​github-actions[bot] in #​34738
• Make forecast interruption-aware, ignore skipped runs, and clean up empty CI output by @​Copilot in #​34740
• Refocus forecast output on effective-token predictions by removing yield and episode metrics by @​Copilot in #​34750
• [caveman] Optimize instruction verbosity — serena-tool.md, subagents.md (2026-05-25) by @​github-actions[bot] in #​34764
• fix: pin GH_HOST=github.com for extension upgrade in GHE environments by @​Copilot in #​34752
• Bump default AWF to v0.25.55 and MCP Gateway to v0.3.19 by @​Copilot in #​34763
• Migrate pkg/cli/git_test.go to testify assertions by @​Copilot in #​34775
• Reduce ExtractWorkflowNameFromFile overhead by removing deferred close path by @​Copilot in #​34777
• Optimize incremental bundle transport for stale PR branch sync workflows by @​Copilot in #​34753
• Fix smoke-antigravity: replace npm install with GCS binary download, add missing log parser by @​Copilot in #​34768
• feat: unified event timeline across MCP Gateway, AWF firewall, and agent logs by @​Copilot in #​34782

Full Changelog: github/gh-aw@v0.75.4...v0.76.0

v0.75.4

Compare Source

🌟 Release Highlights

This release brings significant improvements to the Codex engine harness, OTel tracing for child SDKs, compiler guardrails, and overall tooling reliability — alongside a migration to Go 1.26.

✨ What's New

• Codex Harness Hardened — Secret diagnostics, missing-key fast-fail, and --json streaming mode are now built into the Codex harness. dev.md has been switched to the Codex engine for improved developer experience (#​34459).
• OTel Child SDK Correlation — OTEL_RESOURCE_ATTRIBUTES are now injected into gh-aw workflows so child processes using the OpenTelemetry SDK automatically inherit trace context, enabling end-to-end distributed tracing. Learn more (#​34450).
• opusplan Model Alias — The opusplan alias is now a built-in route in Claude model routing, making it easier to invoke structured planning via the Claude engine (#​34263).
• list_repository_collaborators in Repos Toolset — The GitHub MCP repos toolset now includes list_repository_collaborators, giving workflows richer repository access (#​34447).
• Effective Token Footer: Resolved Model Names — The effective-token footer now shows the actual resolved model name (not a user alias) and prefixes values with deterministic 5-char model IDs for consistent identification (#​34300, #​34291).
• Codex Secret Isolation Aligned with Claude — Codex AWF secret isolation now matches the Claude engine's approach, improving consistency and security posture (#​34446).
• Go 1.26 — The project has migrated to Go 1.26 (#​34318).

🐛 Bug Fixes & Improvements

• IsCompatible Semver Fix — IsCompatible now correctly returns false for invalid semver inputs instead of panicking or giving wrong results (#​34312).
• Copilot Harness: GITHUB_OUTPUT ENOENT — Fixed a crash when GITHUB_OUTPUT is inaccessible inside the AWF sandbox (#​34266).
• awf-reflect 503 Warmup Hardening — Startup is now resilient against transient 503 errors from the API proxy's /v1/models endpoint (#​34265).
• 18 Panic-in-Library-Code Violations Resolved — A new panicinlibrarycode linter was added to CI and 18 pre-existing violations were resolved, making library code safer to import (#​34268, #​34374, #​34389).
• Compiler /tmp/ Path Warning — The compiler now warns when a workflow prompt directly references /tmp/ or /tmp/gh-aw/, helping authors avoid hard-coded ephemeral paths (#​34239).
• Compilation Performance — CompileSimpleWorkflow skips manifest baseline resolution when the safe-update feature is off, reducing overhead for common workflows (#​34252).

📚 Documentation

• FAQ Condensed (~21% reduction) — The FAQ has been streamlined and verbose answers condensed for easier scanning (#​34488).
• Debugging Guide Unbloated (48% reduction) — The debugging guide is significantly leaner with focused, actionable content (#​34261).

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 849.9K

---

What's Changed

• Propagate AWF runtime version to all setup-emitted OTel spans by @​Copilot in #​34221
• Normalize agent workflow temp paths to /tmp/gh-aw/agent by @​Copilot in #​34225
• Inline Copilot error detection into copilot_harness and remove detect-copilot-errors step generation by @​Copilot in #​34230
• Optimize mattpocock-skills-reviewer by offloading PR triage to an inline small-model sub-agent by @​Copilot in #​34229
• compiler: warn when prompt references /tmp/ or /tmp/gh-aw/ directly by @​Copilot in #​34239
• safeoutputs: make Strategy 3 choose nearest remote merge-base in generate_git_patch by @​Copilot in #​34222
• Replace mutable pkg/cli test seams with per-flow dependency injection by @​Copilot in #​34224
• Pin Agent Persona Explorer to explicit Copilot model to avoid Anthropic beta-header failures by @​Copilot in #​34244
• SPDD spec alignment: add enforcement flows, failure safeguards, and sync protocols by @​Copilot in #​34247
• deps: update golang.org/x/crypto v0.51.0 → v0.52.0 by @​Copilot in #​34251
• Clarify stable vs prerelease upgrade messaging by @​Copilot in #​34245
• Raise daily-code-metrics max-patch-size from 50 KB to 128 KB by @​Copilot in #​34253
• [docs] docs: unbloat debugging.md (48% line reduction) by @​github-actions[bot] in #​34261
• Add opusplan builtin alias to Claude model routing by @​Copilot in #​34263
• Reduce CompileSimpleWorkflow overhead by skipping manifest baseline resolution when safe-update is off by @​Copilot in #​34252
• [linter-miner] feat: add panic-in-library-code linter by @​github-actions[bot] in #​34268
• Harden awf-reflect startup against api-proxy warmup 503s on /v1/models by @​Copilot in #​34265
• fix(copilot-harness): handle ENOENT when GITHUB_OUTPUT is inaccessible inside AWF sandbox by @​Copilot in #​34266
• Improve test quality in pkg/repoutil/spec_test.go by @​Copilot in #​34287
• Prefix effective-token footer values with deterministic 5-char model IDs by @​Copilot in #​34291
• fix: pin chaos-pr-bundle-fuzzer to claude-sonnet-4.6 to avoid deprecated 1M context beta header by @​Copilot in #​34295
• fix: use actual resolved model name in effective tokens footer, not user-provided alias by @​Copilot in #​34300
• Set executable bit on jqschema.sh to unblock Copilot PR data fetch by @​Copilot in #​34301
• deps(go): bump charmbracelet golden to 798e623 pseudo-version by @​Copilot in #​34304
• bump: Claude Code 2.1.150, Copilot CLI 1.0.51, GitHub MCP Server v1.0.5 by @​Copilot in #​34307
• fix: IsCompatible returns false for invalid semver inputs by @​Copilot in #​34312
• fix: lint Go, update node:lts-alpine SHA, recompile lock files by @​Copilot in #​34316
• Refactor pkg/parser long production functions into focused helper units by @​Copilot in #​34297
• feat: add Avenger hourly CI fixer workflow by @​Copilot in #​34322
• move to go 1.26 by @​pelikhan in #​34318
• Disable npm release-age cooldown for Claude, Codex, and Gemini engine installs by @​Copilot in #​34338
• chore: bump AWF firewall to v0.25.53 by @​Copilot in #​34321
• [log] Add debug logging to fuzzy match, bot aliases, manifest updates, and templatables by @​github-actions[bot] in #​34364
• Enforce panicinlibrarycode in CI and tune it for accepted repo patterns by @​Copilot in #​34374
• Replace magic time.Sleep literals in pkg/cli with named duration constants by @​Copilot in #​34373
• [docs] Update dictation skill instructions by @​github-actions[bot] in #​34387
• [spec-enforcer] Enforce specifications for jsonutil, linters, logger by @​github-actions[bot] in #​34416
• [docs] Update documentation for features from 2026-05-24 by @​github-actions[bot] in #​34413
• [spec-extractor] Update package specification for stringutil by @​github-actions[bot] in #​34409
• [instructions] Sync safe-outputs.md with v0.74.8 — document allow-body by @​github-actions[bot] in #​34405
• [community] Update community contributions in README by @​github-actions[bot] in #​34354
• Bump pinned Copilot/Codex/GitHub MCP versions and regenerate workflow artifacts by @​Copilot in #​34390
• refactor: reduce function-length violations across pkg/workflow, pkg/cli, pkg/parser, pkg/actionpins, pkg/linters by @​Copilot in #​34388
• Refine footer effective-token suffix formatting and short model alias rendering by @​Copilot in #​34428
• Refactor ResolveActionPin into focused helpers to reduce large-function lint debt by @​Copilot in #​34339
• Defer file closes in pkg/cli workflow readers and logs cache writer by @​Copilot in #​34372
• fix(linters): resolve 18 panic-in-library-code violations by @​Copilot in #​34389
• Add list_repository_collaborators to repos toolset mapping by @​Copilot in #​34447
• Align Codex AWF secret isolation with Claude engine by @​Copilot in #​34446
• gpclean: add tool_verbosity A/B experiment by @​Copilot in #​34448
• Align package specs with spec-librarian audit findings for linters, syncutil, and errorutil by @​Copilot in #​34453
• Inject OTEL_RESOURCE_ATTRIBUTES for child OTel SDK correlation in gh-aw workflows by @​Copilot in #​34450
• codex harness: secret diagnostics, missing-key fast-fail, --json streaming; switch dev.md to codex by @​Copilot in #​34459
• Optimize daily malicious code scan prompt with shared git artifacts and inline scoring/classification sub-agents by @​Copilot in #​34466
• [dead-code] chore: remove dead functions — 3 functions removed by @​github-actions[bot] in #​34469
• SPDD 2026-05-24: Strengthen MCP Scripts norms, expand ET sync notes, add forecast/fuzzy-schedule tests by @​Copilot in #​34479
• [docs] docs: unbloat FAQ — condense verbose answers (~21% reduction) by @​github-actions[bot] in #​34488
• Unblock recompile pipeline by fixing Go linter modernizations and Codex WASM golden drift by @​Copilot in #​34493

Full Changelog: github/gh-aw@v0.75.3...v0.75.4

v0.75.3

Compare Source

What's Changed

• [log] Add debug logging to utility and workflow files by @​github-actions[bot] in #​34165
• [rendering-scripts] Extract token counts from new Copilot CLI footer by @​github-actions[bot] in #​34192
• [instructions] Sync instruction files with release v0.74.8 by @​github-actions[bot] in #​34196
• [docs] Update documentation for features from 2026-05-23 by @​github-actions[bot] in #​34202
• [spec-enforcer] Enforce specifications for errorutil, fileutil, gitutil by @​github-actions[bot] in #​34206
• Pin explicit Copilot model in Constraint Solving POTD workflow to avoid utility-model rate-limit failures by @​Copilot in #​34208
• Set Copilot BYOK fallback model to Sonnet 4.5 and regenerate lockfiles by @​Copilot in #​34215
• Handle engine HTTP 429 failures as first-class agent failure context by @​Copilot in #​34214
• Align package specs with current APIs and dependency classifications by @​Copilot in #​34217
• Fix daily-syntax-error-quality producing no safe outputs by @​Copilot in #​34212

Full Changelog: github/gh-aw@v0.75.2...v0.75.3

v0.75.2

Compare Source

What's Changed

• fix: reject create_pull_request/push_to_pull_request_branch when branch equals base_branch after detection by @​Copilot in #​34138
• Use Copilot BYOK platform default model instead of hard-coded Claude fallback by @​Copilot in #​34149
• fix: exclude merged upstream commits from diffSize in push_to_pull_request_branch incremental mode by @​Copilot in #​34139
• Refactor workflow helper hotspots from semantic clustering audit by @​Copilot in #​34144
• [community] Update community contributions in README by @​github-actions[bot] in #​34155

Full Changelog: github/gh-aw@v0.75.1...v0.75.2

v0.75.1

Compare Source

What's Changed

• [compiler-threat-spec] spec: add CTR-019 Cache-Memory Integrity Enforcement by @​github-actions[bot] in #​33908
• Reject @filepath local file references in safe-output MCP tool calls by @​Copilot in #​33919
• Fix Go and JS lint drift in OTLP observability files by @​Copilot in #​33922
• feat: DataFlow PR & Discussion Dataset Builder workflow by @​Copilot in #​33925
• [jsweep] Clean action_input_utils.cjs by @​github-actions[bot] in #​33933
• Add Pi inference request diagnostics to provider logging by @​Copilot in #​33886
• Add githubnext/agentic-ops by @​mnkiefer in #​33931
• [docs] Update documentation for features from 2026-05-22 by @​github-actions[bot] in #​33984
• [spec-enforcer] test: enforce specifications for console, constants, envutil by @​github-actions[bot] in #​33997
• Add create-check-run safe output type for multi-agent PR analysis by @​Copilot in #​33852
• Migrate remaining pkg/* logging callsites off log.* linter pattern to pkg/logger by @​Copilot in #​33946
• Fix Step Name Alignment manifest path to avoid workspace access denials by @​Copilot in #​33944
• Refactor dispatch/call workflow duplication with shared input, tool, and resolver helpers by @​Copilot in #​33947
• Add request_review protected-files mode for create_pull_request by @​Copilot in #​33954
• Add success check-run publishing to reviewer workflows by @​Copilot in #​34025
• feat: expand copilot as a bot alias to all GitHub Copilot bot identities by @​Copilot in #​34026
• [docs] Consolidate developer specifications into instructions file (v9.14) by @​github-actions[bot] in #​34023
• [ab-advisor] Add sub_agent_strategy A/B experiment to smoke-temporary-id workflow by @​Copilot in #​34020
• Clarify status/list pattern semantics and add CLI help example validation by @​Copilot in #​34018
• Update blog workflow links to githubnext/agentics to fix broken add-wizard installs by @​Copilot in #​34005
• Format {files} placeholders as inline code in JS template rendering by @​Copilot in #​34011
• Add A/B experiment wiring for smoke-pi sub-agent decomposition by @​Copilot in #​34027
• Add maintenance compile PR mode and configurable GitHub token secret by @​Copilot in #​34002
• fix: update deprecated CopilotBYOKDefaultModel to claude-sonnet-4-5-20250929 by @​Copilot in #​34019
• chore: Update OTel observability spec by @​mnkiefer in #​34043
• Support object-form runs-on in custom jobs schema by @​Copilot in #​34007
• Switch Developer Documentation Consolidator cadence from daily to weekly by @​Copilot in #​34031
• Add tone-style A/B experiment to Typist workflow by @​Copilot in #​34033
• Make add/add-wizard and update manifest-aware for aw.yml package installs by @​Copilot in #​34008
• Surface OTel token usage from agent-stdio.log when proxy usage logs are missing by @​Copilot in #​34036
• Improve daily-experiment-report readability with progressive disclosure, quick stats, and visual status cues by @​Copilot in #​34035
• Add SEC-004 exemption for generate_safe_outputs_tools.cjs false positive by @​Copilot in #​34038
• feat: add .sentrux/rules.toml with architectural quality gates by @​Copilot in #​34062
• Remove shared/apm.md; point to microsoft/apm canonical source by @​Copilot in #​34068
• Optimize ab-testing-advisor prompt with inline sub-agents by @​Copilot in #​34063
• fix: hypothesis always "(not specified)" in daily experiment report by @​Copilot in #​34037
• feat(failure-handler): add cascade detection when ≥10 [aw] failures fire within 60 min by @​Copilot in #​34060
• [docs] docs: unbloat correction-ops.md by @​github-actions[bot] in #​34074
• Remove deprecated model state; retain full multiplier history by @​Copilot in #​34079
• fix: infer MCP tool-call status from level/error when status field is absent by @​Copilot in #​34061
• Bump qs from 6.14.1 to 6.15.2 in /docs in the npm_and_yarn group across 1 directory by @​dependabot[bot] in #​34082
• fix(check_membership): skip roles check for allowlisted bots to eliminate spurious permission warning by @​Copilot in #​34064
• fix: set GH_AW_WORKFLOW_SOURCE_URL for local workflows in failure issues by @​Copilot in #​34090
• Render sandbox.firewall models.json in AWF step summaries by @​Copilot in #​34088
• Bump default MCP Gateway image to gh-aw-mcpg v0.3.18 by @​Copilot in #​34081
• [linter-miner] Add manual-mutex-unlock linter to detect non-deferred mutex unlocks by @​github-actions[bot] in #​34091
• fix: skip unlock job when activation was skipped by @​Copilot in #​34124
• Increase audit workflow repo-memory patch budget to prevent push_repo_memory failures by @​Copilot in #​34120
• safe-outputs: resolve base branch from origin/HEAD and harden full patch base selection by @​Copilot in #​34066
• Consolidate workflow FieldLocation onto console ErrorPosition by @​Copilot in #​34123
• Guard OTLP attribute merge against allocation-size overflow by @​Copilot in #​34117
• Fix Codex smoke workflow by preserving OPENAI_API_KEY in AWF container env by @​Copilot in #​34129
• Create REQUEST_CHANGES review for create_pull_request threat-warning mode by @​Copilot in #​34133
• Bump gh-aw-firewall to v0.25.52 and sync embedded AWF schema by @​Copilot in #​34114
• Add @​app/copilot-swe-agent as a copilot bot alias by @​Copilot in #​34136

Full Changelog: github/gh-aw@v0.75.0...v0.75.1

v0.75.0

Compare Source

🌟 Release Highlights

This release brings significant improvements to the gh aw upgrade command, checkout configuration flexibility, safe-output temporary ID support, and Codex engine compatibility, along with major optimizations and quality-of-life enhancements across the workflow system.

✨ What's New

Enhanced Upgrade Command

• gh aw upgrade now properly updates source .md workflow files in addition to actions-lock.json, ensuring consistency between source and compiled artifacts (#​33850)

Flexible Checkout Configuration

• Checkout settings (like fetch-depth) now apply to all workflow jobs including safe_outputs, not just the agent job (#​33746)

Safe-Output Temporary ID Support

• create_pull_request safe-output tool now correctly registers temporary_id values, enabling cross-reference patterns like #aw_pr1 in workflow outputs (#​33853)

Codex Engine Improvements

• Fixed Codex OpenAI proxy authentication by including OPENAI_API_KEY in the AWF sandbox environment (#​33833)
• Corrected --model flag placement in Codex lock compiler to appear after the exec subcommand (#​33841)

User-Defined OTLP Attributes

• Workflows can now define custom OpenTelemetry attributes with template expansion per workflow phase, improving observability and debugging (#​33846)

Cache-Memory Trending Pattern

• Extracted cache-memory trending analysis into a reusable shared component for cross-workflow consistency (#​33830)

Enhanced GitHub MCP Wrappers

• Added per_page pagination support to list_workflows and list_labels MCP wrapper tools ([#​33819](https://redirect.github.com/

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[deepsource-io]

DeepSource Code Review

We reviewed changes in a4ccdc8...53b257c on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
Python		May 6, 2026 11:42a.m.	Review ↗
Secrets		May 6, 2026 11:42a.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-10 00:53 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-11 00:54 UTC · at 962ccd6975185fe90f9ffcf7f2c85630e810ca44

This pull request spent 1 day 33 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)

• .github/workflows/agentics-maintenance.yml
• .github/workflows/code-simplifier.lock.yml

EOF

---

_{Reviewed by nemotron-3-super-120b-a12b-20230311:free · 116,236 tokens}

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-11 00:54 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-13 17:52 UTC · at 12bb3e3ff9585ab26910b80c10e5309e29b68450

This pull request spent 2 days 16 hours 57 minutes 39 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-13 17:52 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-13 20:31 UTC · at 989e44b1b5e600b4c29575debef4592dbf4a301f

This pull request spent 2 hours 39 minutes 5 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-13 20:32 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-15 01:25 UTC · at aa3aa42aa7fe2b49fe23b2ef31a7de0829aec225

This pull request spent 1 day 4 hours 53 minutes 29 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-21 22:54 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-27 17:40 UTC · at 45c1e6143bc7974cfda7abda3f43e8d2076e3419

This pull request spent 5 days 18 hours 45 minutes 48 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-27 17:41 UTC · Rule: Github Actions Updates
• ✅ Checks started · on draft merge queue: embarking main (a4ccdc8), #348, #337, #344, #370, #371, #372, #373, #349, #342 and #369 together #385
• ✅ All checks passed · ready to merge 🚀
• 🔜 Merge

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud