
v0.64.0

Latest


@github-actions github-actions released this 25 Mar 19:48
f684e4c

🌟 Release Highlights

This release brings important reliability and correctness fixes across safe-outputs, the Java ecosystem allowlist and premium request tracking, along with a new protection against bot-triggered self-cancellation, improved documentation and the latest tooling stack.

✨ What's New

  • Bot-actor concurrency isolation: Workflows combining safe-outputs.github-app with issue_comment-capable triggers now automatically get bot-isolated concurrency keys. Without this, a comment posted by the App re-triggers the workflow under the same concurrency group and cancels the originating run mid-flight. Custom concurrency: blocks get a compiler warning explaining the risk.
  • Auto fault-investigation analysis: When a workflow job fails, the runtime can now automatically trigger a fault investigation analysis to surface root causes, with no manual setup required.
  • Expires support for create-pull-request safe output: Pull requests created by safe-outputs can now be configured with an expiry so stale pull requests are automatically flagged and closed.
  • GitHub App token minting for GitHub MCP server: Workflows using the GitHub MCP server toolset can now mint GitHub App tokens, enabling richer authenticated API access.
  • remove-labels safe output type: A new remove-labels safe output type lets workflows programmatically remove labels from issues and PRs. See the safe-outputs reference.
  • Two-file agentic workflow structure: The compiler now validates dispatch-workflow references and supports separating prompt files (.github/agentics/<id>.md) from compiled frontmatter (.github/workflows/<id>.md). See the workflow structure reference.
  • Aggregate compilation errors: gh aw compile now reports all validation errors together instead of stopping at the first one. Use --fail-fast to restore the legacy behaviour.
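The aggregate-versus-fail-fast reporting described in the last item, as an added Go example that is not the project's own code: a toy validator over a simplified, hypothetical frontmatter struct (the field names, the set of checks and the list of known safe-output types are assumptions for the example, not gh-aw's real schema). It uses errors.Join to return every failure at once unless fail-fast is requested, and shows how a caller unpacks the joined error to count and print the individual problems.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
)

// Workflow is a hypothetical, simplified view of a workflow's frontmatter,
// used only to show the aggregate-versus-fail-fast reporting pattern. It is
// not the project's real schema.
type Workflow struct {
	ID          string
	Triggers    []string
	Permissions map[string]string // e.g. "contents": "read"
	SafeOutputs []string          // e.g. "remove-labels"
}

var (
	idPattern       = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*$`)
	validPermission = map[string]bool{"read": true, "write": true, "none": true}
	// Assumed set of safe-output types for the example.
	knownSafeOutput = map[string]bool{
		"create-issue": true, "add-comment": true,
		"create-pull-request": true, "remove-labels": true,
	}
)

// Validate runs every check in order. With failFast it stops at the first
// failing check (the legacy behaviour); otherwise it keeps going and returns
// all failures joined, so the user can fix them in one pass.
func Validate(w Workflow, failFast bool) error {
	checks := []func() error{
		func() error {
			if !idPattern.MatchString(w.ID) {
				return fmt.Errorf("id %q: must be lowercase letters, digits and hyphens", w.ID)
			}
			return nil
		},
		func() error {
			if len(w.Triggers) == 0 {
				return errors.New("on: at least one trigger is required")
			}
			return nil
		},
		func() error {
			var bad []string
			for scope, level := range w.Permissions {
				if !validPermission[level] {
					bad = append(bad, scope+": "+level)
				}
			}
			sort.Strings(bad) // map iteration order is random; keep messages deterministic
			if len(bad) > 0 {
				return fmt.Errorf("permissions: invalid levels %v (want read, write or none)", bad)
			}
			return nil
		},
		func() error {
			var unknown []string
			for _, so := range w.SafeOutputs {
				if !knownSafeOutput[so] {
					unknown = append(unknown, so)
				}
			}
			if len(unknown) > 0 {
				return fmt.Errorf("safe-outputs: unknown types %v", unknown)
			}
			return nil
		},
	}

	var errs []error
	for _, check := range checks {
		if err := check(); err != nil {
			errs = append(errs, err)
			if failFast {
				break
			}
		}
	}
	return errors.Join(errs...) // nil when errs is empty
}

// Errors unpacks the result of Validate into individual errors so a caller
// (or a CLI) can count and print them one per line.
func Errors(err error) []error {
	if err == nil {
		return nil
	}
	if multi, ok := err.(interface{ Unwrap() []error }); ok {
		return multi.Unwrap()
	}
	return []error{err}
}

func main() {
	// Constructed sample with four independent problems.
	bad := Workflow{
		ID:          "Bad_ID",
		Permissions: map[string]string{"contents": "admin"},
		SafeOutputs: []string{"remove-labels", "delete-repo"},
	}
	for _, failFast := range []bool{false, true} {
		errs := Errors(Validate(bad, failFast))
		fmt.Printf("fail-fast=%v: %d error(s)\n", failFast, len(errs))
		for _, e := range errs {
			fmt.Println("  -", e)
		}
	}
}
```

The default mode reports all four problems in one run; fail-fast mode reports only the id error and stops, which is the behaviour --fail-fast restores.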

πŸ› Bug Fixes & Improvements

  • Fixed fractional PRU tracking: Models like gemini-3-flash-preview that consume 0.33 PRU per request were incorrectly reported as 1. The log parser now handles decimal premium request units correctly.
  • Fixed upload-asset safe output for private repos: The upload-asset safe output type now works correctly with private repositories.
  • Fixed staged: true in individual safe outputs: The staged flag in per-message safe output configuration was being ignored; it now applies correctly.
  • Fixed safe-outputs expression-size limit: Workflows where the safe-outputs tools.json references ${{ }} expressions no longer hit the GitHub Actions expression-size limit.
  • Java ecosystem: Maven Central mirror domains added: maven-central.storage-download.googleapis.com and repository.apache.org are now in the Java allowlist, resolving Maven 3.9+ dependency resolution failures in sandboxed workflows.
  • Fixed /opt setup error: A mkdir error while setting up /opt, which affected some runner configurations, has been resolved.
  • Fixed GitHub IP allow list incompatibility: Workflows in organizations using GitHub IP allow lists no longer fail at setup.
  • Fixed gh-aw binary availability: The gh-aw binary is now reliably present in the runner working directory for all workflow types, including the portfolio-analyst workflow.
  • GitHub CLI authentication in Action runs: GitHub CLI access inside workflow runs is now correctly authenticated.
  • Retry logic for Copilot CLI installer: The Copilot CLI installation step now retries on transient download failures, reducing flaky CI setup.
  • Mirrored runner environment variables: Essential GitHub Actions runner environment variables (Java, Android, browsers, package managers, tool paths) are now mirrored into the AWF agent container.
  • Security: shell injection fix: Single quotes and backslashes in JSON embedded in shell environment variables are now escaped correctly, so a quote inside the data can no longer terminate the quoted value and inject shell commands (CodeQL go/unsafe-quoting).
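To show the bug class behind the go/unsafe-quoting fix above (the same class as the Gemini JSON config and GH_AW_LABEL_NAMES items in the PR list below), here is an added Go example that is not the project's code. It builds an export line that embeds serialized JSON the unsafe way, beside a hardened version that single-quotes the data, and includes a minimal POSIX single-quote word splitter used only as an oracle for what a shell would execute. The variable name GEMINI_CONFIG and the sample config are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// shellQuote wraps s in POSIX single quotes. Inside single quotes the shell
// treats every byte literally except the closing quote, so the only escape
// needed is ' -> '\'' (close, backslash-escaped quote, reopen). Backslashes
// pass through untouched, which is why single quotes are the right choice
// for embedding arbitrary data such as JSON.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// exportUnsafe is the pattern CodeQL's go/unsafe-quoting rule flags: the
// JSON is concatenated between quotes without escaping, so a quote in the
// data ends the quoted region and the rest runs as shell.
func exportUnsafe(name string, cfg any) string {
	b, _ := json.Marshal(cfg)
	return "export " + name + "='" + string(b) + "'"
}

// exportSafe escapes the serialized JSON before embedding it.
func exportSafe(name string, cfg any) (string, error) {
	b, err := json.Marshal(cfg)
	if err != nil {
		return "", err
	}
	return "export " + name + "=" + shellQuote(string(b)), nil
}

// shellSplit is a minimal POSIX sh word splitter (single quotes, backslash
// outside quotes, whitespace and ';' as separators). It is a test oracle
// for what a shell would see, not a full parser.
func shellSplit(line string) ([]string, error) {
	var words []string
	var cur strings.Builder
	inWord := false
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case c == '\'':
			inWord = true
			j := strings.IndexByte(line[i+1:], '\'')
			if j < 0 {
				return nil, fmt.Errorf("unterminated single quote")
			}
			cur.WriteString(line[i+1 : i+1+j])
			i += j + 1
		case c == '\\' && i+1 < len(line):
			inWord = true
			cur.WriteByte(line[i+1])
			i++
		case c == ' ' || c == '\t' || c == ';':
			if inWord {
				words = append(words, cur.String())
				cur.Reset()
				inWord = false
			}
			if c == ';' {
				words = append(words, ";")
			}
		default:
			inWord = true
			cur.WriteByte(c)
		}
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words, nil
}

// exportedValue returns the assigned value only if the line is exactly one
// "export NAME=value" command; anything else means the data broke out.
func exportedValue(line string) (string, error) {
	words, err := shellSplit(line)
	if err != nil {
		return "", err
	}
	if len(words) != 2 || words[0] != "export" {
		return "", fmt.Errorf("not a single export: shell sees %d words %q", len(words), words)
	}
	name, value, ok := strings.Cut(words[1], "=")
	if !ok || name == "" {
		return "", fmt.Errorf("not an assignment: %q", words[1])
	}
	return value, nil
}

func main() {
	// Constructed sample config: "model" carries a quote-breakout payload and
	// "path" carries a backslash.
	cfg := map[string]string{"model": "x'; echo pwned; echo '", "path": `C:\tmp`}

	unsafeLine := exportUnsafe("GEMINI_CONFIG", cfg)
	words, _ := shellSplit(unsafeLine)
	fmt.Println("unsafe:", unsafeLine)
	fmt.Printf("  shell would split it into %d words: %q\n", len(words), words)

	safeLine, _ := exportSafe("GEMINI_CONFIG", cfg)
	value, err := exportedValue(safeLine)
	want, _ := json.Marshal(cfg)
	fmt.Println("safe:  ", safeLine)
	fmt.Printf("  single assignment: %v, value intact: %v\n", err == nil, value == string(want))
}
```

The unsafe line splits into separate commands (echo pwned runs), while the hardened line is a single assignment whose value unmarshals back to the original config, backslash included.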

📚 Documentation

  • gh aw logs / gh aw audit as workflow steps: Added prominent warnings clarifying that the actions: read permission must be granted and the setup-cli step must run before any gh aw step. See the CLI reference.
  • Engine model field clarification: The model field example in the engines reference now correctly conveys that it is an override, not the engine default.
  • remove-labels safe output type: Full reference documentation, examples, and table-of-contents entry added.

🔧 Infrastructure

  • AWF firewall updated to v0.11.2 with the agent container switched to act
  • Tool versions updated: Claude Code 2.1.19 · Copilot CLI 0.0.394 · Codex 0.91.0 · Playwright MCP 0.0.58 / Browser v1.58.0 · MCP Gateway v0.0.78
  • Safe-outputs MCP server migrated from stdio to HTTP transport for improved reliability
  • Step summaries generated for each processed safe-output message
  • Pinned actions/checkout to v6.0.2 and actions/download-artifact to v7.0.0

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

  • @chrizbo
  • @DogeAmazed
  • @dsyme
  • @heaversm
  • @jaroslawgajewski
  • @mhavelock
  • @mnkiefer
  • @Pierrci
  • @plengauer
  • @samuelkahessay
  • @stacktick
  • @strawgate


For complete details, see CHANGELOG.

Generated by GitHub Agentic Workflow


What's Changed

  • [slides] Fix default toolsets comment in slides by @github-actions[bot] in #22722
  • Auto-close stale smoke-test issues when a newer run succeeds by @Copilot in #22724
  • fix: nested reduce in release.md to prevent null accumulator when no PRs have closing issue references by @Copilot in #22726
  • feat: group-by-day for create-issue to prevent same-day duplicate reports by @Copilot in #22725
  • Add object form of imports with aw and apm-packages subfields; deprecate dependencies by @Copilot in #22727
  • [WIP] Fix failing GitHub Actions workflow lint-go by @Copilot in #22734
  • chore: update MCP gateway version to v0.2.5 by @Copilot in #22737
  • fix: include policy-manifest.json and audit directory in firewall-audit-logs artifact by @Copilot in #22733
  • Move APM packaging into own job with minimal permissions by @Copilot in #22738
  • [actions] Update GitHub Actions versions - 2026-03-24 by @github-actions[bot] in #22758
  • [log] add debug logging to 5 workflow package files by @github-actions[bot] in #22768
  • fix: extend dangerous URL scheme check to include data: protocol by @Copilot in #22766
  • fix(security): eliminate unsafe shell quoting of Gemini JSON config (CodeQL #554) by @Copilot in #22765
  • fix(security): unsafe YAML quoting for GH_AW_LABEL_NAMES env var (CodeQL go/unsafe-quoting) by @Copilot in #22764
  • fix: prevent code injection via github.action_path in setup-cli action by @Copilot in #22767
  • Remove unused variable in generate-schema-docs.js (CodeQL alert #497) by @Copilot in #22771
  • fix: remove unused id variable in compiler-loader.js (CodeQL #547) by @Copilot in #22770
  • Remove unused variable in changeset test (CodeQL alert #496) by @Copilot in #22772
  • fix: remove capacity pre-allocation in mergeFetchRefs to avoid overflow (CodeQL #555) by @Copilot in #22774
  • Clarify AWF api-proxy auth boundary by @szabta89 in #22730
  • security: block agents from pushing to default/protected branches in safeoutputs by @Copilot in #22776
  • Update gh-aw-mcpg container version to v0.2.6 by @Copilot in #22781
  • feat: auto-enrich gh aw audit with firewall policy rule attribution by @Copilot in #22756
  • docs: add agent → detection → safe-outputs mermaid diagram and security architecture link to index by @Copilot in #22791
  • docs: boost Security Architecture page in Pagefind search results by @Copilot in #22796
  • docs: add Agent Factory to sidebar TOC and fix badge height uniformity by @Copilot in #22795
  • feat: implement APM unpack in JavaScript, replace microsoft/apm-action restore step in agent job by @Copilot in #22775
  • fix: retry GitHub REST API calls when HTML is returned instead of JSON by @Copilot in #22800
  • docs: warn about actions: read + setup-cli ordering when using gh aw logs/gh aw audit as workflow steps by @Copilot in #22815
  • docs(engines): clarify model field comment as override example by @Copilot in #22819
  • fix: use floating point for PRU computation in extractPremiumRequestCount by @Copilot in #22820
  • Add CODEOWNERS to protected files set by @Copilot in #22821
  • Move threat detection into a separate detection job by @Copilot in #22782
  • [docs] docs: unbloat guides/mcps.md by @github-actions[bot] in #22826
  • feat: prevent GitHub App safe-outputs from self-cancelling issue_comment workflows by @Copilot in #22825
  • fix: parse threat detection results from detection.log instead of agent_output.json; and add tests by @davidslater in #22832
  • feat: drop-in observability kit with audit comparison and behavioral signals by @mnkiefer in #22711
  • feat: add deterministic lineage and episode regressions to gh aw logs by @mnkiefer in #22845
  • [docs] Update glossary - daily scan by @github-actions[bot] in #22850
  • feat: limit dependabot-go-checker to direct dependencies only by @Copilot in #22854
  • [code-simplifier] refactor: simplify hasSpecialTriggers to a single boolean expression by @github-actions[bot] in #22837
  • [jsweep] Clean check_membership.cjs by @github-actions[bot] in #22831
  • fix: exclude proxy-tls from agent artifact upload to prevent EACCES failure by @Copilot in #22853
  • [community] Update community contributions in README by @github-actions[bot] in #22865
  • [docs] Consolidate developer specifications - update guard-policies spec to allowed-repos by @github-actions[bot] in #22868
  • fix: skip GitHub App-only scopes in toolset permission validation and exclude dependabot from "all" by @Copilot in #22851
  • Rename getPlaywrightDomainsCodemod to getPlaywrightDomainsToNetworkAllowedCodemod by @Copilot in #22872
  • Apply progressive disclosure to protected files warning messages by @Copilot in #22855
  • Fix syntax-check docs URL mapping in getActionlintDocsURL by @Copilot in #22874
  • Add compile-time glob validation for workflow trigger filter patterns by @Copilot in #22873
  • fix: post add_comment status update even when code push fails by @Copilot in #22887
  • Fix WCAG 2.5.5 touch targets and lower tablet sidebar breakpoint to 768px by @Copilot in #22891
  • docs: document actions-lock.json purpose in FAQ and compilation reference by @Copilot in #22869
  • refactor(workflow): fix outlier functions, remove wrapper method, consolidate version management by @Copilot in #22892
  • refactor: extract generic parseConfigScaffold helper to eliminate safe-output parser duplication by @Copilot in #22884
  • Use actionlint Snippet field instead of re-reading files for error context by @Copilot in #22893
  • Consolidate threat detection parse + conclude into a single JavaScript step by @Copilot in #22910
  • fix(threat-detection): restore GetDefaultDetectionModel() call in detection engine step by @Copilot in #22912
  • Add tests asserting smoke-copilot and smoke-claude have detection jobs with AWF engine execution by @Copilot in #22917
  • fix: skip detection job when engine disabled; include patches in agent artifact by @davidslater in #22924
  • 📚 Update docs with gh-aw-actions and Dependabot guidance by @dsyme in #22915
  • Use aw-gpu-runner-T4 for 3 daily workflows by @Copilot in #22940

New Contributors

Full Changelog: v0.63.1...v0.64.0