Releases: github/gh-aw

v0.43.7

12 Feb 06:20
9513a84

🌟 Release Highlights

This release strengthens security, enhances configuration flexibility, and improves workflow validation with compile-time checks and better debugging visibility.

🔒 Security Enhancements

@mention Sanitization Fix - Closed a bypass vulnerability where underscore-prefixed mentions (test_@user) could evade sanitization. The regex now explicitly blocks [^A-Za-z0-9] patterns instead of [^\w], ensuring all mention variations are properly escaped. #15076
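Why the character class matters, as an added example (not gh-aw's own code; the LOGIN pattern, both regexes and all function names are assumptions): `\w` includes the underscore, so a sanitizer that only recognizes a mention after a non-`\w` character leaves test_@user untouched, while an explicit `[^A-Za-z0-9]` boundary catches it and still skips e-mail addresses.

```javascript
// Added illustration; not gh-aw source. LOGIN, BEFORE_FIX, AFTER_FIX and the
// function names are assumptions made for this example.

// Simplified GitHub login: alphanumerics with inner hyphens, at most 39 chars.
const LOGIN = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?";

// The character in front of "@" decides whether a mention is recognized.
// BEFORE_FIX: any \w character suppresses the match, and "_" is part of \w.
const BEFORE_FIX = new RegExp("(^|[^\\w`])@(" + LOGIN + ")", "g");
// AFTER_FIX: only ASCII letters and digits (and an existing backtick) do.
const AFTER_FIX = new RegExp("(^|[^A-Za-z0-9`])@(" + LOGIN + ")", "g");

// Wrap every recognized mention in backticks so it renders as code and does
// not notify the account. Logins in allowedLogins are left as live mentions.
function neutralizeMentions(text, pattern, allowedLogins = []) {
  const allowed = new Set(allowedLogins.map((l) => l.toLowerCase()));
  return text.replace(pattern, (match, prefix, login) =>
    allowed.has(login.toLowerCase()) ? match : prefix + "`@" + login + "`"
  );
}

// Mentions that are still live in a string, judged by the stricter boundary.
function liveMentions(text) {
  return Array.from(text.matchAll(AFTER_FIX), (m) => m[2]);
}

// Constructed sample inputs (not taken from the project's test suite).
const SAMPLES = [
  "ping @octocat please",
  "test_@octocat",
  "__@octocat__",
  "mail alice@example.com",
  "already `@octocat` quoted",
];

// Inputs whose mention survives sanitization with the given pattern.
function bypasses(pattern) {
  return SAMPLES.filter(
    (s) => liveMentions(neutralizeMentions(s, pattern)).length > 0
  );
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s));
  console.log("  before fix:", neutralizeMentions(s, BEFORE_FIX));
  console.log("  after fix: ", neutralizeMentions(s, AFTER_FIX));
}
console.log("bypass before fix:", bypasses(BEFORE_FIX));
console.log("bypass after fix: ", bypasses(AFTER_FIX));
```

Excluding the backtick from the boundary class keeps the function idempotent: a mention that is already wrapped is not wrapped again.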

Title Field Sanitization - Title fields now receive full content sanitization, including @mention escaping, dangerous URL protocol blocking ((redacted) (redacted) and 128-character enforcement. This aligns title security with text content standards. #15077

✨ New Features

Footer Control - Added footer: false boolean field to safe-output configurations (both individual and global levels). When disabled, AI-generated footers are omitted while XML markers remain for searchability. Perfect for cleaner automation outputs. #15079

Cross-Repo Base Branch - New base-branch field for create-pull-request enables targeting non-default branches in external repositories. Essential for workflows creating PRs to vnext, develop, or other branches in cross-repo scenarios. #15089

Concurrency Expression Validation - Compile-time syntax validation now catches errors in custom concurrency group expressions (unbalanced braces, unclosed quotes, malformed operators) before runtime, saving debugging time. #15082

πŸ› Bug Fixes & Improvements

Safe-Output Debugging - Step summaries now log raw .jsonl content via core.info(), providing visibility into exactly what the handler processed, which is invaluable for troubleshooting unexpected outputs. #15083

Standardized Agent Summaries - Agent conversation output now consistently displays as "Agentic Conversation" across all AI engines (Copilot, Claude, Codex), replacing parser-specific titles for uniform UX. #15072

Experimental Feature Warning - The rate-limit configuration now emits a compile-time warning, clearly marking it as experimental and aligning with other preview features. #15073

Updated Dependencies - Bumped to gh-aw-firewall v0.14.1 and gh-aw-mcpg v0.1.4, bringing the latest stability and security improvements to network isolation and MCP gateway components. #15088


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Mark rate-limit as experimental by @Copilot in #15073
  • Standardize agent output summary title to "Agentic Conversation" by @Copilot in #15072
  • Fix @mention sanitization bypass with underscore prefix by @Copilot in #15076
  • Apply full content sanitization to title fields by @Copilot in #15077
  • Log raw .jsonl content when writing safe-output step summaries by @Copilot in #15083
  • Add compile-time syntax validation for concurrency group expressions by @Copilot in #15082
  • Add footer boolean field to safe-output configurations (individual and global) by @Copilot in #15079
  • Bump gh-aw-firewall to v0.14.1 and gh-aw-mcpg to v0.1.4 by @Copilot in #15088
  • Add base-branch field for cross-repo PRs targeting non-default branches by @Copilot in #15089

Full Changelog: v0.43.6...v0.43.7

v0.43.6

12 Feb 02:56
2ac315e

🌟 Release Highlights

This release delivers major security hardening, enhanced rate limiting controls, and critical fixes to template injection vulnerabilities. We've strengthened the foundation for production agentic workflows with bot detection, improved project operations, and removed GPL dependencies.

🔒 Security Enhancements

Template Injection Protection - Multiple layers of defense against injection attacks:

  • Heredoc delimiter standardization (#14942) - All heredocs now use prefixed GH_AW_* delimiters to prevent variable expansion attacks
  • Template syntax sanitization (#15015) - Prevents T24 bypass vulnerabilities in MCP configs and workflow expressions
  • HTML entity encoding fixes (#15014) - Closes @mention sanitization bypass using HTML entities
  • MCP config heredoc hardening (#15066) - Eliminates template injection vectors in tool configurations

Bot Detection System (#15007, #15053) - Automated protection against suspicious account activity:

  • Analyzes user profiles for bot-like patterns (creation date, activity, naming)
  • Integrates security-guard functionality for comprehensive checks
  • Learn more: Rate Limiting Controls

GPL Dependency Removal (#15050) - Eliminates 6 GPL-licensed dependencies via golangci-lint binary distribution, improving license compliance for enterprise deployments

⚑ Rate Limiting Controls

Per-User Per-Workflow Rate Limiting (#14940, #15025) - Prevent runaway workflows from consuming resources:

  • Automatic event inference for programmatic triggers (issues, PRs, discussions)
  • Configurable ignored-roles field with sensible defaults ([admin, maintain, write])
  • Learn more: Rate Limiting Documentation

✨ New Features

Temporary Project IDs (#15003, #14995) - Seamlessly reference items created earlier in workflows:

  • Use $TEMP_PROJECT_ITEM_1 syntax in create-project and update-project operations
  • Automatically resolved to actual GitHub Project item IDs by safe-outputs handlers
  • Documentation

Cache Memory Scopes (#14935) - Enhanced cache security with cache-memory.scope field:

  • Prevents unsafe restore-keys configurations that could leak data across workflow runs
  • Tighter control over cache isolation boundaries

CLI Tool Updates (#15069) - Latest versions:

  • GitHub Copilot CLI: 0.0.407
  • Codex: 0.99.0
  • MCP Gateway: v0.1.2

Workflow Dispatch Improvements (#15044, #15047) - Better input type validation:

  • Support for environment input type in workflow triggers
  • Comprehensive test coverage for enum validation

πŸ› Bug Fixes & Improvements

  • Safe-outputs handlers (#15031) - close_issue and add_labels now respect target-repo configuration
  • SBOM-based dependency detection (#15028) - gpclean workflow uses pre-downloaded SBOMs for offline analysis
  • Permission warnings (#15026) - Compiler warns about id-token: write permission usage
  • Shell escaping (#15017) - Proper @Q escaping for environment variables in echo statements

📚 Documentation

  • Rate limiting guide (#15023) - Comprehensive documentation for controlling workflow execution frequency
  • Tokens page refinement (#14937, #14936, #14933) - Fixed build errors and clarified fallback behavior
  • Common issues cleanup (#14994) - Streamlined troubleshooting documentation
  • Project operations videos (#14927, #14922, #14919, #14916) - Visual guides for token setup

57 pull requests merged since v0.43.5

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • chore: add video for copilot org token by @mnkiefer in #14909
  • chore: add video for copilot user token by @mnkiefer in #14916
  • chore: add video for project org token by @mnkiefer in #14919
  • chore: add video for project user token by @mnkiefer in #14922
  • chore: add video for pagent org token by @mnkiefer in #14927
  • [specs] Update layout specification - 2026-02-11 by @github-actions[bot] in #14913
  • [docs] Update documentation for features from 2026-02-11 by @github-actions[bot] in #14920
  • chore: refactor tokens page by @mnkiefer in #14933
  • Standardize heredoc delimiters with GH_AW_ prefix by @Copilot in #14942
  • chore: refine token docs by @mnkiefer in #14961
  • chore: add missing docs images by @mnkiefer in #14965
  • Create daily agentic workflow "gpclean" for GPL dependency detection and removal by @Copilot in #14955
  • Add cache-memory scope field and fix restore-keys security by @Copilot in #14935
  • [WIP] Fix the failing GitHub Actions workflow build
    Analyze the workflow logs, identify the root cause of the failure, and implement a fix.
    Job ID: 63270126575
    Job URL: https://github.com/github/gh-aw/actions/runs/21912473820/job/63270126575 by @Copilot in #14979
  • Fix the failing GitHub Actions workflow Integration: Workflow Rendering & Bundling
    Analyze the workflow logs, identify the root cause of the failure, and implement a fix.
    Job ID: 63270126990
    Job URL: https://github.com/github/gh-aw/actions/runs/2191... by @Copilot in #14977
  • chore: rm outdated project top-level field from instructions by @mnkiefer in #14982
  • [WIP] Update compile command to show failed workflow IDs by @Copilot in #14980
  • Fix template injection validator for prefixed heredoc delimiters by @Copilot in #14985
  • chore: rm project mention from simple dependabot burner by @mnkiefer in #14963
  • Refactor tokens.md to MDX with Video component by @Copilot in #14988
  • [docs] Unbloat common-issues.md troubleshooting documentation by @github-actions[bot] in #14994
  • chore: improve project prompt instructions by @mnkiefer in #14984
  • Fix heredoc tests and production code to use GenerateHeredocDelimiter by @Copilot in #14993
  • Fix TestSafeInputsHTTPMode to use GenerateHeredocDelimiter by @Copilot in #15002
  • Remove inline CSS styling from tokens.mdx using Astro Starlight components by @Copilot in #14998
  • Add temporary ID resolution for create-project item_url and update-project content_number by @Copilot in #15003
  • Add bot detection workflow by @Copilot in #15007
  • Add per-user per-workflow rate limiting with automatic event inference for programmatic events by @Copilot in #14940
  • Apply shell escaping with @q to environment variables in echo statements by @Copilot in #15017
  • Sort GH_AW_RATE_LIMIT_EVENTS alphabetically by @Copilot in #15018
  • Fix HTML entity encoding bypass in @mention sanitization by @Copilot in #15014
  • Add template syntax sanitization to prevent injection bypass (T24) by @Copilot in #15015
  • Remove debug step from conclusion job generation by @Copilot in #15020
  • Configure bot-detection to use gpt-5.1-codex-mini for agent and detection jobs by @Copilot in #15024
  • Add compilation warning for id-token: write permission by @Copilot in #15026
  • Add ignored-roles field to rate-limit configuration with defaults by @Copilot in #15025
  • Fix: close_issue and add_labels handlers ignore target-repo config by @Copilot in #15031
  • Add SBOM-based dependency discovery to gpclean workflow by @Copilot in #15028
  • Document rate limiting controls for preventing runaway agentic workflows by @Copilot in #15023
  • Document workflow_dispatch environment input type by @Copilot in #15044
  • Add Go proxy domains to CLI Consistency Checker network allowlist by @Copilot in #15043
  • Fix gpclean.md: use pre-downloaded SBOM, don't re-download without token by @Copilot in #15040
  • Add copilot to bot-detection allowlist by @Copilot in #15046
  • Change layout-spec-maintainer to weekly schedule by @Copilot in #15045
  • Add test coverage for workflow_dispatch input type enum validation by @Copilot in #15047
  • Remove GPL dependencies via golangci-lint binary distribution by @Copilot in #15050
  • Consolidate security-guard into bot-detection workflow by @Copilot in #15053
  • Update developer-docs-consolidator to write to scratchpad/dev.md by @Copilot in #15055
  • Fix template-injection in MCP config heredocs by @COP...
v0.43.5

11 Feb 07:18
ab43451

🌟 Release Highlights

A security-focused maintenance release that hardens file operations and refines sandbox configuration, plus important bug fixes for compilation feedback.

🔒 Security Improvements

  • Path Traversal Protection (#14883): Standardized path validation across all file operations using fileutil.ValidateAbsolutePath() to prevent malicious path traversal attacks. All file reads/writes now enforce absolute path requirements.

⚠️ Breaking Changes

  • Sandbox Configuration Update (#14888): Deprecated top-level sandbox: false in favor of sandbox.agent: false for more granular control. The new syntax allows disabling the agent firewall while keeping MCP gateway enabled.

    Migration:

    # ❌ Old (deprecated)
    sandbox: false
    
    # ✅ New
    sandbox:
      agent: false

πŸ› Bug Fixes

  • Compilation Error Visibility (#14901): Fixed a critical issue where validation errors weren't displayed during gh aw compile, leaving users unaware of workflow problems. Error messages now properly appear in compilation output.

⚑ Updates

  • Firewall Update (#14903): Updated gh-aw-firewall to v0.14.0 with latest security patches and performance improvements.
  • MCP Simplification (#14887): Removed jq filter support from MCP server tools. Users should use native filtering options or adjust max_tokens parameter for response size control.

📚 Documentation

  • Setup Guidance (#14909): Added video tutorial for configuring Copilot organization tokens to help teams get started faster.

🔧 Internal Improvements

  • Test suite cleanup after sandbox: false deprecation and jq removal
  • Build system refinements for utility packages
  • Code refactoring: Extracted duplicate expires field preprocessing into shared helper

For complete details, see the CHANGELOG.

Generated by Release


What's Changed

  • Standardize path validation across file operations to prevent path traversal by @Copilot in #14883
  • Remove jq filter support from MCP server tools by @Copilot in #14887
  • Extract duplicate expires preprocessing logic into shared helper by @Copilot in #14899
  • Remove sandbox: false, add sandbox.agent: false for firewall-only disable by @Copilot in #14888
  • Update awf (gh-aw-firewall) to v0.14.0 by @Copilot in #14903
  • Fix error messages not shown in gh aw compile output by @Copilot in #14901

Full Changelog: v0.43.4...v0.43.5

v0.43.4

11 Feb 05:12
88cda73

🌟 Release Highlights

Quality and stability improvements focusing on rate-limiting, schema compliance, and up-to-date tooling.

⚑ Improvements

  • Rate Limiting Protection - Added 10-second delays between agent assignments in assign_to_agent.cjs and assign_copilot_to_created_issues.cjs to prevent GitHub API spawn rate limiting (#14866)

  • Safe-Output Defaults - assign-to-agent now defaults to max: 1 for safer operation, matching dispatch-workflow behavior (#14867)

  • Updated CLI Tools - All bundled tools upgraded to latest versions:

    • MCP Gateway: v0.1.0 (first stable production-ready release!)
    • Copilot CLI: 0.0.406
    • Claude Code: 2.1.39
    • Sandbox Runtime: 0.0.37
    • Playwright: v1.58.2

    (#14878)

πŸ› Bug Fixes

  • Schema Compliance - Removed deprecated timeout_minutes field from schema in favor of timeout-minutes (hyphen), eliminating ambiguity (#14860)

  • Test Fixtures - Fixed integration test fixtures to use timeout-minutes after schema update (#14885)

  • Labels Validation - Added runtime validation for workflow labels (empty labels, whitespace) that schema alone couldn't enforce (#14860)


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Remove timeout_minutes from schema and add labels validation by @Copilot in #14860
  • Add 10-second delay between agent assignments to prevent spawn rate limiting by @Copilot in #14866
  • Set default max to 1 for assign-to-agent safe-output by @Copilot in #14867
  • Update CLI tools: Claude Code 2.1.39, Copilot 0.0.406, Sandbox Runtime 0.0.37, Playwright v1.58.2, MCP Gateway v0.1.0 by @Copilot in #14878
  • Fix test fixture using deprecated timeout_minutes field by @Copilot in #14885

Full Changelog: v0.43.3...v0.43.4

v0.43.3

11 Feb 00:50
532ca33

🌟 Release Highlights

This maintenance release strengthens security, improves runtime reliability, and updates dependencies to keep your workflows running smoothly.

🔒 Security Improvements

Enhanced Content Sanitization - Multiple improvements to prevent security bypasses in user-generated content:

  • HTML entities (like @, @) are now decoded before @mention detection, preventing attackers from bypassing mention validation (#14846)
  • Username regex now correctly supports underscores in GitHub usernames (e.g., @user_name) while maintaining security boundaries (#14849)
  • String literals in runtime expressions are validated and sanitized to neutralize expression markers, preventing injection attacks (#14851)

Lockdown Mode for Public Workflows - Workflows processing issues, PRs, and discussions from non-collaborators now use tools.github.lockdown: true to filter content to only items from users with push access (#14840). This protects public repositories from malicious content.

πŸ› Bug Fixes & Improvements

Runtime Import Path Resolution - Fixed path resolution for runtime imports to correctly default to .github/workflows/ directory, ensuring workflows can reliably import shared components (#14850)

Dependency Updates - Updated to latest stable versions:

  • Agentic Workflow Framework (AWF) v0.13.14 for improved stability (#14854)
  • Go modules: golang.org/x/crypto, golang.org/x/mod, golang.org/x/term, and github.com/modelcontextprotocol/go-sdk (#14842)
  • npm: @actions/exec 3.0.0, @types/node 25.2.3 (#14853, #14755)

Full Changelog: v0.43.2...v0.43.3

Generated by Release


What's Changed

  • chore(deps): Consolidate Go module updates (crypto, mod, term, go-sdk) by @Copilot in #14842
  • Add GitHub lockdown mode to workflows processing non-collaborator content by @Copilot in #14840
  • Decode HTML entities before @mention detection to prevent bypass by @Copilot in #14846
  • Support underscores in @ mention username regex by @Copilot in #14849
  • Update npm dependencies: @actions/exec 3.0.0, @types/node 25.2.3 by @Copilot in #14853
  • Validate and sanitize string literals in runtime expression evaluation by @Copilot in #14851
  • chore(deps-dev): bump @actions/exec from 2.0.0 to 3.0.0 in /actions/setup/js by @dependabot[bot] in #14755
  • Bump AWF to v0.13.14 by @Copilot in #14854
  • Fix runtime-imports path resolution to default to .github/workflows/ by @Copilot in #14850

Full Changelog: v0.43.2...v0.43.3

v0.43.2

10 Feb 21:37
8917028

🌟 Release Highlights

This release focuses on security hardening and quality improvements, addressing multiple expression parsing vulnerabilities and validation issues.

🔒 Security Enhancements

Expression Parser Hardening - Critical improvements to prevent prototype pollution and object traversal attacks:

  • Compile-time validation (#14829) - Blocks dangerous JavaScript property names (constructor, __proto__, prototype, etc.) in expressions before workflows run
  • Runtime protection (#14826) - Hardened expression parser with safe property access patterns, nesting depth limits (max 5 levels), and expanded dangerous property blocking
  • Title sanitization (#14825) - Prevents Unicode-based attacks via bidirectional overrides, zero-width characters, and fullwidth ASCII conversion

These changes protect workflows from malicious inputs while maintaining backward compatibility for legitimate expressions.

πŸ› Bug Fixes

  • Fixed validation error reporting (#14831) - Corrected line numbers, eliminated duplicate prefixes, and clarified paths for nested safe-outputs validation errors
  • Fixed checkout action parameter (#14830) - Corrected actions/checkout to use fetch-depth instead of deprecated depth parameter
  • Diagnostic logging (#14834) - Added comprehensive logging to interpolate_prompt.cjs for troubleshooting prompt rendering issues

🔧 Maintenance

  • Reverted inadvertent action pins and recompiled dependabot workflow (#14835)
  • Simplified Dependabot burner workflow with restricted permissions (#14833)

Security Focus: This release strengthens gh-aw's security posture with multiple layers of protection against expression-based attacks. All changes are backward compatible.

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Sanitize titles for Unicode security and duplicate prefix prevention by @Copilot in #14825
  • Harden JavaScript expression parser against prototype pollution and traversal attacks by @Copilot in #14826
  • Fix checkout action parameter: use fetch-depth instead of depth by @Copilot in #14830
  • Add compile-time validation for dangerous property names in expressions by @Copilot in #14829
  • Fix error location, double prefix, and confusing paths for nested safe-outputs validation errors by @Copilot in #14831
  • Add diagnostic logging to interpolate_prompt.cjs by @Copilot in #14834
  • chore: add simple dependabot burner workflow by @mnkiefer in #14833

Full Changelog: v0.43.1...v0.43.2

v0.43.1

10 Feb 18:57
62bc759

🌟 Release Highlights

This maintenance release focuses on quality improvements, security hardening, and documentation enhancements to keep gh-aw workflows running smoothly and securely.

🔒 Security Enhancements

Unicode Hardening for Markdown Sanitization (#14795)

  • Strengthens content security by applying NFC normalization, zero-width character removal, directional override removal, and full-width ASCII conversion
  • Protects workflows from Unicode-based injection attacks and rendering issues
  • Automatically applied to all sanitized content including labels, issues, and discussions
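The four hardening steps listed above (and reused for titles in v0.43.2), sketched as an added example that is not gh-aw's implementation: the character ranges, the function names and the final second NFC pass are assumptions chosen for illustration.

```javascript
// Added illustration; not gh-aw source. Ranges and names are assumptions.

// Zero-width characters: ZWSP, ZWNJ, ZWJ, word joiner, BOM/ZWNBSP.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/g;
// Directional embeddings and overrides (LRE..RLO) and isolates (LRI..PDI).
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069]/g;
// Fullwidth forms of printable ASCII "!".."~".
const FULLWIDTH_ASCII = /[\uFF01-\uFF5E]/g;

function hardenUnicode(text) {
  return (
    text
      // 1. NFC: compose base letter + combining mark into one code point.
      .normalize("NFC")
      // 2. Drop invisible characters that can split a token such as "@user".
      //    Note: removing U+200D also breaks emoji ZWJ sequences apart.
      .replace(ZERO_WIDTH, "")
      // 3. Drop controls that reorder text visually without changing bytes.
      .replace(BIDI_CONTROLS, "")
      // 4. NFC leaves fullwidth forms alone (folding them needs NFKC), so map
      //    U+FF01..U+FF5E onto U+0021..U+007E explicitly.
      .replace(FULLWIDTH_ASCII, (ch) =>
        String.fromCharCode(ch.charCodeAt(0) - 0xfee0)
      )
      // 5. Second NFC pass (added here): a zero-width character between a
      //    letter and a combining mark blocks composition in step 1.
      .normalize("NFC")
  );
}

// Report which classes were present, e.g. for logging before sanitizing.
function unicodeFindings(text) {
  const count = (re) => (text.match(re) || []).length;
  return {
    zeroWidth: count(ZERO_WIDTH),
    bidiControls: count(BIDI_CONTROLS),
    fullwidthAscii: count(FULLWIDTH_ASCII),
    notNfc: text !== text.normalize("NFC"),
  };
}

// Constructed sample inputs.
const SAMPLES = [
  "\uFF20octo\u200Bcat",   // fullwidth "@" plus a zero-width space
  "release\u202Enotes",    // right-to-left override inside a word
  "Cafe\u0301",            // "e" followed by a combining acute accent
  "e\u200B\u0301",         // zero-width space hiding the combining mark
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(hardenUnicode(s)), unicodeFindings(s));
}
```

Running this step before @mention or URL filtering matters because those filters match on ASCII characters: a fullwidth "@" or a zero-width space inside a login would otherwise pass through unmatched.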

πŸ› Bug Fixes & Improvements

Case-Insensitive Discussion Categories (#14820)

  • Discussion category matching is now case-insensitive (e.g., "Audits" matches "audits")
  • Resolves category resolution failures when category names don't match exact casing
  • Improves workflow reliability when creating discussions

Enhanced Failure Diagnostics (#14793)

  • Agent failure templates now include workflow ID and run URL for faster troubleshooting
  • Makes debugging failed workflows more efficient with direct links to logs

Debug Logging Expansion (#14743)

  • Adds debug logging to 5 core Go files for better troubleshooting
  • Enables detailed diagnostics when DEBUG=* is set
  • Helps diagnose compilation and runtime issues

📚 Documentation

Documentation Protection (#14802)

  • Introduces disable-agentic-editing: true frontmatter field to protect critical documentation from automated editing
  • Security-sensitive docs (architecture, tokens, sandbox, threat detection) are now safeguarded

Ownership Clarification (#14798)

  • New documentation explaining user vs. organization ownership for workflows
  • Learn more

Documentation Cleanup (#14817, #14754)

  • Removed bloat from errors.md documentation
  • Updated glossary with latest terminology

🔧 Maintenance

  • Dependency updates (#14790)
  • Fixed typo in CLI documentation (#14789)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Fix typo in CLI documentation: "Agennt" → "Agent" by @Copilot in #14789
  • [docs] Update glossary - daily scan by @github-actions[bot] in #14754
  • [log] Add debug logging to 5 core Go files for better troubleshooting by @github-actions[bot] in #14743
  • chore: add docs for user vs. org ownership by @mnkiefer in #14798
  • Add Unicode hardening to markdown sanitization functions by @Copilot in #14795
  • updated pins by @pelikhan in #14790
  • Add workflow ID and run URL to agent failure template prompt by @Copilot in #14793
  • Add disable-agentic-editing frontmatter field to Astro docs by @Copilot in #14802
  • [docs] Remove bloat from errors.md documentation by @github-actions[bot] in #14817
  • Make discussion categories case-insensitive by @Copilot in #14820

Full Changelog: v0.43.0...v0.43.1

v0.43.0

10 Feb 06:54
c549967

🌟 Release Highlights

This release focuses on security hardening, quality improvements, and developer experience enhancements. We've addressed critical vulnerabilities, improved workflow reliability, and added comprehensive documentation.

🔒 Security Fixes

Critical security vulnerabilities resolved:

  • Shell injection prevention (#14724) - Fixed command injection vulnerabilities in generate_git_patch.cjs and push_repo_memory.cjs by refactoring to use safe command-args array syntax instead of string interpolation
  • API key masking timing fix (#14701) - Closed timing window where API keys for Safe Outputs, Safe Inputs, and MCP Gateway could leak into logs by moving ::add-mask:: to execute immediately after generation
  • Git credentials protection (#14700) - Agents no longer have access to git credentials during execution; credentials are cleaned before agent runs and regenerated afterward for safe-outputs functionality
  • Slash command strict matching (#14702) - Prevented false positives from commands appearing in documentation by using startsWith() and exact equality checks instead of contains()

πŸ› Bug Fixes

  • Repository root detection (#14727) - Fixed actions-lock.json being created relative to CWD instead of repository root when running gh aw compile from subdirectories. The compiler now auto-detects git repository root for all commands.
  • Detection job checkout failure (#14698) - Fixed actions/checkout 404 errors in detection jobs by conditionally granting contents: read permission when checkout is needed
  • Workflow step ordering (#14670) - Moved aw_info.json generation before secret validation to ensure metadata is available when needed
  • Dependency security updates (#14673) - Updated @sentry/mcp-server to 0.29.0, addressing security alerts in transitive dependencies (@modelcontextprotocol/sdk and hono)

📚 Documentation

  • Dependabot support reference (#14669) - Comprehensive guide for handling Dependabot PRs with the --dependabot flag, including proper fix workflow and AI agent prompt templates
  • Architecture updates (#14691) - Refreshed architecture documentation
  • Research workflow guidance (#14668) - Clarified that research/analysis workflows should continue during release mode for long-term quality insights

🎥 Resources

  • Workflow video with voice-over (#14697) - Added narrated video demonstration

For complete details and technical implementation notes, see the full CHANGELOG.

📦 Installation

gh extension install github/gh-aw
# or upgrade
gh extension upgrade gh-aw

🔗 Learn More

Generated by Release


What's Changed

  • Allow research workflows to run during release mode by @Copilot in #14668
  • Move aw_info.json generation before secret validation in compiled workflows by @Copilot in #14670
  • docs: add Dependabot support reference documentation by @Copilot in #14669
  • Update @sentry/mcp-server to 0.29.0 (addresses security alerts in transitive dependencies) by @Copilot in #14673
  • docs: update architecture documentation by @lpcox in #14691
  • chore: create workflow video with voice over by @mnkiefer in #14697
  • Fix detection job checkout failure from missing contents permission by @Copilot in #14698
  • Apply strict matching to slash commands (startsWith + exact equality) by @Copilot in #14702
  • Fix API key masking timing vulnerability in MCP setup generation by @Copilot in #14701
  • Add git credentials cleanup and regeneration for agent execution by @Copilot in #14700
  • Fix shell injection in generate_git_patch.cjs and push_repo_memory.cjs via shared git_helpers.cjs by @Copilot in #14724
  • Fix: actions-lock.json created relative to CWD instead of repository root by @Copilot in #14727

Full Changelog: v0.42.17...v0.43.0

v0.42.17

09 Feb 14:09
7a97085

🌟 Release Highlights

This maintenance release focuses on quality, reliability, and workflow stability with important bug fixes and test improvements.

πŸ› Bug Fixes & Improvements

Observability & Diagnostics

  • Fixed log analyzer path mismatches (#14660) - Analyzers now correctly locate downloaded artifacts, restoring observability coverage
  • Improved troubleshooting documentation links (#14659) - Updated references to point to existing documentation pages

Workflow Reliability

  • Fixed portfolio-analyst workflow (#14630) - Now uses local binary instead of CLI extension to avoid timing issues
  • Fixed Glossary Maintainer security violation (#14637) - Moved documentation skill to .github folder and added compiler validation
  • Removed mood import from smoke workflows (#14640) - Ensures consistent test execution without release-mode interference

Safe Outputs

  • Added report-as-issue field to noop configuration (#14644) - Control whether no-op runs create issue comments (default: true)
  • Simplified no-op comment template (#14634) - File-based template with cleaner format
  • Applied progressive disclosure to issue templates (#14636) - Collapsible sections improve readability

Code Quality

  • Enhanced compiler test suite (#14650) - Consolidated error tests, added edge cases, and concurrent compilation validation
  • Fixed shell script redirects (#14582, #14594) - Resolved SC2129 linter warnings by grouping consecutive redirects
  • Added error wrapping (#14584) - Better error context in compiler YAML generation
  • Fixed test failures (#14587) - Mocked loadAgentOutput in noop message handler tests

🔧 Refinements

  • Updated branding (#14638) - Standardized issue title prefix to [agentics] for brevity
  • Added labels field (#14631) - FrontmatterConfig struct now includes missing labels field from schema
  • Improved test coverage (#14612) - Comprehensive tests for add_reaction.cjs

📦 Dependencies

  • Updated Astro (5.16.12 → 5.17.1) and Starlight (0.37.3 → 0.37.6) in docs
  • Updated @actions/core (2.0.2 → 3.0.0) and charmbracelet/bubbles (0.21.1-0.20250623103423-23b8fd6302d7 → 0.21.1)

Generated by Release


What's Changed

  • Small improvements to slides by @eaftan in #14562
  • Remove obsolete and broken test-workflow.yml by @eaftan in #14570
  • chore(deps): bump github.com/charmbracelet/bubbles from 0.21.1-0.20250623103423-23b8fd6302d7 to 0.21.1 by @dependabot[bot] in #13445
  • chore(deps): bump @astrojs/starlight from 0.37.3 to 0.37.6 in /docs by @dependabot[bot] in #13447
  • chore(deps): bump astro from 5.16.12 to 5.17.1 in /docs by @dependabot[bot] in #13453
  • chore(deps-dev): bump @actions/core from 2.0.2 to 3.0.0 in /actions/setup/js by @dependabot[bot] in #13449
  • Fix SC2129: Group consecutive shell redirects to same file by @Copilot in #14582
  • Handle no-op safe-outputs in conclusion job without treating as failures by @Copilot in #14572
  • Add error wrapping to compiler_yaml.go generateYAML function by @Copilot in #14584
  • Fix handle_noop_message tests failing due to unmocked loadAgentOutput by @Copilot in #14587
  • Separate no-op run comments from failed runs issue by @Copilot in #14589
  • Fix SC2129: group consecutive redirects in shell scripts by @Copilot in #14594
  • Fix portfolio-analyst workflow: use local binary instead of CLI extension by @Copilot in #14630
  • Update noop comment footer and move issue template to markdown file by @Copilot in #14602
  • Add missing labels field to FrontmatterConfig struct by @Copilot in #14631
  • Simplify no-op comment template by @Copilot in #14634
  • [jsweep] Add comprehensive tests for add_reaction.cjs by @github-actions[bot] in #14612
  • Apply progressive disclosure to no-op runs issue template by @Copilot in #14636
  • Replace "[agentic-workflows]" title prefix with "[agentics]" by @Copilot in #14638
  • Remove mood runtime-import from smoke workflows by @Copilot in #14640
  • Fix Glossary Maintainer workflow: Move documentation skill to .github folder and add compiler validation by @Copilot in #14637
  • Add report-as-issue field to safe-outputs.noop by @Copilot in #14644
  • Improve compiler test quality: consolidate error tests, add edge cases and concurrency validation by @Copilot in #14650
  • [WIP] Update troubleshooting link to existing documentation page by @Copilot in #14659
  • Fix log analyzer path mismatches after artifact download by @Copilot in #14660

Full Changelog: v0.42.16...v0.42.17

v0.42.16

08 Feb 21:07

🔧 Maintenance Release

This release updates the MCP Gateway to version 0.0.113, ensuring compatibility with the latest gateway improvements.

What's Changed

  • MCP Gateway Update: Bumped gh-aw-mcpg from v0.0.103 to v0.0.113 (#14559)
    • All 148 workflow lock files regenerated with the new version
    • 444 references updated across the codebase
    • Tests confirm stable operation

Generated by Release


What's Changed

  • [WIP] Update to gh-aw-mcpg version 0.0.113 by @Copilot in #14559

Full Changelog: v0.42.15...v0.42.16