Update github/gh-aw action to v0.80.9

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Pending
github/gh-aw	action	minor	v0.77.5 → v0.80.9	v0.82.0 (+1)

---

Release Notes

github/gh-aw (github/gh-aw)

v0.80.9

Compare Source

🌟 Release Highlights

This release focuses on reliability and correctness — squashing noisy error conditions in the MCP server and agentic workflows, hardening security, and keeping the observability pipeline complete.

🐛 Bug Fixes & Improvements

• MCP stdio error handling — handleMessage now correctly serialises plain-object throws (not just Error instances), eliminating the cryptic -32603 [object Object] failures that blocked submit_pull_request_review on the stdio transport path. (#​40715)

• Issue Monster noise reduction — Agent-availability errors ("copilot coding agent is not available for this repository") are now treated as transient and silently skipped, so the issue tracker is no longer spammed with failure issues on every 30-minute poll cycle. (#​40716)

• Observability report completeness — The daily observability report now explicitly requests agent and detection artifact sets alongside usage metrics, preventing incomplete/noop outcomes caused by missing telemetry inputs. (#​40705)

• Task session data fetch — Fixed a failing agent GitHub Actions job caused by a stale data-fetch pattern in task session handling. (#​40728)

🔒 Security

• Atomic temp-file writes — Replaced direct fs.writeFileSync calls in the safe-output evaluations script with an atomic write helper, closing a CWE-377 insecure-temporary-file vulnerability flagged by CodeQL. (#​40721)

🔧 Internal

• Safe Outputs conformance checker — Added MCE-006 check verifying that mcp_server_core.cjs enforces valid JSON-RPC 2.0 error codes (spec §8.2); split spec/script version comments for clarity. (#​40737)

• Maintenance workflow header — agentics-maintenance.yml now carries an explicit, purpose-specific header describing the maintenance schedule and how to disable it, replacing the generic compiled-workflow boilerplate. (#​40706)

Generated by 🚀 Release · 31.3 AIC · ⊞ 8.2K

---

What's Changed

• fix(daily-observability-report): request agent+detection artifacts in logs fetches by @​pelikhan with @​Copilot in #​40705
• Make agentics-maintenance.yml header maintenance-specific by @​pelikhan with @​Copilot in #​40706
• fix: handleMessage avoids [object Object] errors and enforces valid JSON-RPC error codes for thrown plain objects by @​pelikhan with @​Copilot in #​40715
• Update task session data fetch by @​mnkiefer with @​Copilot in #​40728
• fix(issue-monster): gracefully skip agent availability errors with ignore-if-error by @​pelikhan with @​Copilot in #​40716
• [spec-review] Update Safe Outputs conformance checker for recent spec changes by @​github-actions[bot] in #​40737
• [blog] Weekly blog post – 2026-06-22 by @​github-actions[bot] in #​40724
• [code-scanning-fix] Fix js/insecure-temporary-file: use atomic write to prevent symlink attacks by @​github-actions[bot] in #​40721

Full Changelog: github/gh-aw@v0.80.8...v0.80.9

v0.80.8

Compare Source

🌟 Release Highlights

This release brings a meaningful performance win, improved slash-command UX, a new Go linter, and a wave of reliability and documentation improvements.

⚡ Performance

• Fixed a +320% regression in CompileComplexWorkflow by eliminating a redundant yaml.Unmarshal call — complex workflows now compile as fast as expected (#​40662).

✨ What's New

• Slash-command status comments are now created in the central router and reused downstream, giving users consistent, real-time feedback on slash-command progress (#​40644).
• New deferinloop Go linter flags defer statements inside for-loop bodies — a common source of resource-leak bugs — catching issues earlier in the development cycle (#​40679).
• gh-aw-detection rolled out to 50% of agentic workflows, expanding coverage of automated workflow health checks (#​40698).
• Daily Safe Output Integrator can now inspect compiler safe-output tests, broadening daily CI coverage (#​40697).
• Codex experiment models are now available in the Daily Cache Strategy Analyzer (#​40682).

🐛 Bug Fixes

• Prevented tool-denial cascade in daily-formal-spec-verifier, avoiding runaway failures when individual tools are unavailable (#​40655).
• Fixed sparse checkout path typing in the Skillet pre-activation skills checkout, resolving failures in sparse-repo workflows (#​40684).
• Migrated assignAgentToIssue to REST, retaining GraphQL fallbacks in lookup helpers for resilience (#​40669).
• Replaced SHA-256 with FNV-1a for heredoc delimiter generation, eliminating crypto-library overhead in hot compilation paths (#​40696).
• Reduced ambient prompt surface in high-traffic workflows, improving token efficiency and reducing unintended context bleed (#​40695).

📚 Documentation

• Leaner model-tables intro in the docs (#​40658).
• Fixed broken outbound links in the README (#​40675).
• Tightened authoring guidance for incident prefetch/dedup and visual baseline sourcing (#​40660).
• Extended JSON-LD schema to blog posts and inner pages for improved SEO (#​40678).

Generated by 🚀 Release · 31.7 AIC · ⊞ 8.2K

---

What's Changed

• fix: prevent tool denial cascade in daily-formal-spec-verifier by @​pelikhan with @​Copilot in #​40655
• [docs] docs: unbloat model tables intro by @​github-actions[bot] in #​40658
• SPDD 2026-06-21: fix spec divergences across 5 spec files by @​pelikhan with @​Copilot in #​40656
• Create slash-command status comments in the central router and reuse them downstream by @​pelikhan with @​Copilot in #​40644
• Align checkout credential integration test with safe_outputs PR flow by @​pelikhan with @​Copilot in #​40661
• Tighten workflow authoring guidance for incident prefetch/dedup and visual baseline sourcing by @​pelikhan with @​Copilot in #​40660
• Update README to replace broken outbound links with canonical working targets by @​pelikhan with @​Copilot in #​40675
• Strengthen actionpins spec coverage for unresolved pinning and edge-case resolution by @​pelikhan with @​Copilot in #​40676
• Use available Codex experiment models in Daily Cache Strategy Analyzer by @​pelikhan with @​Copilot in #​40682
• Skillet: fix sparse checkout path typing in pre-activation skills checkout by @​pelikhan with @​Copilot in #​40684
• feat(linters): add deferinloop analyzer — flags defer inside for-loop bodies by @​pelikhan with @​Copilot in #​40679
• Extend docs JSON-LD schema to blog posts and inner pages by @​pelikhan with @​Copilot in #​40678
• fix: migrate assignAgentToIssue to REST, retain GraphQL fallbacks in lookup helpers by @​pelikhan with @​Copilot in #​40669
• Enable gh-aw-detection on 50% of agentic workflows by @​pelikhan with @​Copilot in #​40698
• Replace SHA-256 with FNV-1a for heredoc delimiter generation by @​pelikhan with @​Copilot in #​40696
• perf: fix +320% regression in CompileComplexWorkflow by eliminating redundant yaml.Unmarshal by @​pelikhan with @​Copilot in #​40662
• Allow Daily Safe Output Integrator to inspect compiler safe-output tests by @​pelikhan with @​Copilot in #​40697
• Reduce ambient prompt surface in high-traffic workflows by @​pelikhan with @​Copilot in #​40695

Full Changelog: github/gh-aw@v0.80.7...v0.80.8

v0.80.7

Compare Source

🌟 Release Highlights

v0.80.7 brings powerful new automation options, compiler safety guardrails, and a set of targeted bug fixes that improve reliability across workflows, CLI tools, and the safe-outputs system.

⚠️ Breaking Changes

• allow-team-members renamed to allowed-collaborators in safe-outputs.mentions (#​40394)
  Run gh aw fix --write with codemod add-allow-team-members-collaborators to migrate automatically.

✨ What's New

• Auto-upgrade workflow generation: Set auto_upgrade: true in aw.json to automatically generate a weekly agentic-auto-upgrade.yml workflow that keeps your setup current (#​40414).
• Auto-pin unversioned action refs: The compiler now auto-pins unversioned uses: references and fails compilation when no pin is resolvable — preventing silent runtime failures (#​40475).
• allowed-teams in mentions config: Authorize entire GitHub teams to trigger agentic mentions without enumerating every user (#​40368).
• Wildcard suffix for slash_command: Use a trailing * to match a family of related commands with a single workflow (#​40369).
• max-turn-cache-misses top-level field: Configure cache-miss guardrail thresholds directly in workflow frontmatter (#​40388).
• code_quality MCP toolset: The code_quality toolset is now mapped in GitHub MCP toolsets configuration (#​40625).

🐛 Bug Fixes & Improvements

• Call-workflow permissions: Job permissions are now correctly derived from the caller, not the worker (#​40175 — thanks @dsyme!).
• gh aw logs reliability: Fixed context-deadline cancellation for --timeout (#​40498) and added a --report-file flag to avoid shell redirect failures (#​40425).
• Idle-timeout resolved as success: When output has been collected and all tools are complete, idle-timeout no longer marks a run as failed (#​40419).
• set_issue_field temporary ID resolution: set_issue_field can now resolve temporary_id values from a create_issue in the same batch (#​40615).
• Firewall-mode LLM routing: All LLM traffic in firewall mode is now correctly routed through the AWF gateway (#​40616).
• Improved error guidance: Empty-arguments errors now include schema guidance to prevent missing-tool reports (#​40542); hide_comment validation surfaced GraphQL node ID guidance (#​40361).
• Template-injection scanner: Fixed false positive that rejected the compiler's own generated Configure Git credentials step (#​40613).
• /help command: Fixed routing fallthrough, error handling, reactions, and mention sanitization (#​40476).

📚 Documentation

• CLI setup guide streamlined for clarity (#​40484, view docs).
• allowed-teams option surfaced in the agentic mentions configuration docs (#​40421).
• /help now uses structured headings and links commands to their source workflows (#​40500).

Generated by 🚀 Release · 41.4 AIC · ⊞ 8.2K

---

What's Changed

• optimize(glossary-maintainer): prompt trim, turn guardrail, batch reads, haiku sub-agent for term discovery by @​pelikhan with @​Copilot in #​40353
• Update slides by @​mnkiefer in #​40364
• fix: replace local .github/aw/ paths with public URLs in agentic-workflows agent by @​pelikhan with @​Copilot in #​40358
• fix(daily-spdd-spec-planner): add sed -n to bash allowlist to prevent tool denial threshold by @​pelikhan with @​Copilot in #​40366
• Avoid LFS-dependent checkout in Documentation Unbloat by @​pelikhan with @​Copilot in #​40365
• Tighten Daily Formal Spec Verifier safe-output contract by @​pelikhan with @​Copilot in #​40367
• Recursively order nested with/env/secrets maps during YAML serialization by @​pelikhan with @​Copilot in #​40362
• [linter-miner] feat(linters): add sprintferrdot — flag redundant .Error() calls in fmt format functions by @​github-actions[bot] in #​40371
• Make safe-job conclusion dependencies deterministic by @​pelikhan with @​Copilot in #​40363
• fix(hide_comment): surface GraphQL node ID guidance in comment_id validation error by @​pelikhan with @​Copilot in #​40361
• Enforce per-type safe-output max count at MCP invocation time (MCE4) by @​dsyme with @​Copilot in #​40348
• Support wildcard suffix matching for slash_command by @​pelikhan with @​Copilot in #​40369
• feat(safe-outputs): add allowed-teams to mentions configuration by @​pelikhan with @​Copilot in #​40368
• Enable Smoke Pi safeoutputs CLI mounting and migrate 20 non-smoke workflows to Pi by @​pelikhan with @​Copilot in #​40375
• feat(codemods): rename allow-team-members → allowed-collaborators in safe-outputs.mentions by @​pelikhan with @​Copilot in #​40394
• [docs] Self-healing documentation fixes from issue analysis - 2026-06-20 by @​github-actions[bot] in #​40402
• Add top-level max-turn-cache-misses support with env-managed default by @​pelikhan with @​Copilot in #​40388
• Add skillet skill-routed PR reviewer workflow by @​pelikhan with @​Copilot in #​40399
• Add step authoring guidance to .github/aw instruction files by @​pelikhan with @​Copilot in #​40413
• Add centralized /dependabot-burner grouping and retry-aware single-workflow remediation by @​pelikhan with @​Copilot in #​40396
• [community] Update community contributions in README by @​github-actions[bot] in #​40424
• docs: surface allowed-teams in agentic mentions config docs by @​pelikhan with @​Copilot in #​40421
• Refresh docs site theme toward neutral GitHub-style surfaces by @​pelikhan with @​Copilot in #​40422
• fix(sdk-driver): resolve idle-timeout as success when output collected and all tools complete by @​pelikhan with @​Copilot in #​40419
• [docs] Consolidate developer specifications into instructions file (v9.18) by @​github-actions[bot] in #​40465
• [spec-extractor] Update package specifications for agentdrain, cli, console, constants by @​github-actions[bot] in #​40456
• [instructions] Sync instruction files with release v0.80.6 by @​github-actions[bot] in #​40453
• [docs] Update editor preview screenshots – 2026-06-20 by @​github-actions[bot] in #​40451
• fix: add --report-file flag to gh-aw logs to avoid shell redirect failure by @​pelikhan with @​Copilot in #​40425
• model-inventory: alias updates 2026-06-20 by @​pelikhan with @​Copilot in #​40420
• Handle pi threat verdicts in detection log parser by @​pelikhan with @​Copilot in #​40469
• [WIP] Fix failing GitHub Actions job Integration: Workflow Features by @​pelikhan with @​Copilot in #​40471
• [jsweep] Clean write_daily_aic_usage_cache.cjs by @​github-actions[bot] in #​40433
• feat: run code-scanning-fixer every 6h; replace MCP tool calls with gh CLI by @​pelikhan with @​Copilot in #​40470
• Roll out gh-aw-detection to 20% of repository workflows by @​pelikhan with @​Copilot in #​40477
• feat: add top-level auto_upgrade to generate a weekly agentic-auto-upgrade workflow by @​pelikhan with @​Copilot in #​40414
• [docs] docs: unbloat CLI setup guide by @​github-actions[bot] in #​40484
• Refine workflow-creation guidance for workflow_run scoping, scheduled report windows, and visual-regression minimal config by @​pelikhan with @​Copilot in #​40482
• Auto-pin unversioned action uses refs in compiler; fail compilation when no pin is available by @​pelikhan with @​Copilot in #​40475
• Fix /help routing fallthrough, error handling, reaction, and mention sanitization by @​pelikhan with @​Copilot in #​40476
• [linter-miner] linter: add sprintferrorsnew — flag errors.New(fmt.Sprintf(...)) by @​github-actions[bot] in #​40490
• Surface dedicated max-runs guardrail failures in agent failure conclusions by @​pelikhan with @​Copilot in #​40487
• docs: apply GEO audit fixes — llms-full.txt, sameAs KG pillars, About page by @​pelikhan with @​Copilot in #​40486
• fix(pr-sous-chef): replace contradictory safe-output guidance with correct safeoutputs CLI examples by @​pelikhan with @​Copilot in #​40496
• /help: use ### heading, link commands to source workflows by @​pelikhan with @​Copilot in #​40500
• Reduce Daily Safe Output Integrator tool-denial guardrail trips by @​pelikhan with @​Copilot in #​40503
• fix: proper context-deadline cancellation for gh aw logs --timeout by @​pelikhan with @​Copilot in #​40498
• Improve max-tool-denials report with recent shell call context by @​pelikhan with @​Copilot in #​40506
• Harden Daily Ambient Context Optimizer issue publication against placeholder and oversize payload failures by @​pelikhan with @​Copilot in #​40508
• fix: enforce minLength JSON schema constraints at MCP call time and extend '.' stdin sentinel to per-field CLI arguments by @​pelikhan with @​Copilot in #​40497
• [code-scanning-fix] Fix go/unsafe-quoting: replace Python network-allowed updater with JavaScript in actions/setup/js by @​github-actions[bot] in #​40502
• Exclude actions-lock.json from daily code metrics churn report by @​pelikhan with @​Copilot in #​40532
• Add close-discussion safe-output to daily-performance-summary workflow by @​pelikhan with @​Copilot in #​40533
• refactor: consolidate 6 identical hasStringKey copies into pkg/setutil.Contains by @​pelikhan with @​Copilot in #​40534
• Smoke Copilot: require dispatch_workflow.inputs.message for haiku-printer by @​pelikhan with @​Copilot in #​40550
• q: load token optimization skill when user mentions optimize/cost/improve by @​pelikhan with @​Copilot in #​40552
• fix: include schema guidance in empty-arguments error to prevent missing-tool reports by @​pelikhan with @​Copilot in #​40542
• [code-scanning-fix] Fix go/unsafe-quoting: safe YAML quoting for category filter env vars by @​github-actions[bot] in #​40545
• Precompute usage-artifact activity aggregates and include GitHub API rate limit data for usage-only reporting by @​pelikhan with @​Copilot in #​40504
• Clarify direct safe-output usage in Daily Compiler Quality Check by @​pelikhan with @​Copilot in #​40575
• fix: derive call-workflow job permissions from caller, not worker (#​40169) by @​dsyme in #​40175
• Align Smoke Copilot prompts with actual tool names by @​pelikhan with @​Copilot in #​40576
• [docs] Update dictation skill instructions by @​github-actions[bot] in #​40593
• Add SEC-004 exemptions for non-reemitting body usage in slash routing and update/upgrade handlers by @​pelikhan with @​Copilot in #​40617
• fix: resolve set_issue_field target via temporary_id from same-batch create_issue by @​pelikhan with @​Copilot in #​40615
• [instructions] Sync instruction files with release 0.80.6 by @​github-actions[bot] in #​40604
• [mcp-tools] Add code_quality toolset to GitHub MCP toolsets mapping by @​github-actions[bot] in #​40625
• [jsweep] Clean update_pr_description_helpers.cjs by @​github-actions[bot] in #​40584
• code simplifier: allowed_issue_fields.cjs; remove drain3_server.py by @​pelikhan with @​Copilot in #​40578
• feat(lenstringzero): extend linter to cover relational len-string comparisons by @​pelikhan with @​Copilot in #​40621
• fix(pi): always route firewall-mode LLM traffic through AWF gateway by @​pelikhan with @​Copilot in #​40616
• [code-scanning-fix] Fix go/incorrect-integer-conversion: unsafe int64 to int conversion (CWE-190) by @​github-actions[bot] in #​40599
• fix: prevent template-injection scanner from rejecting its own generated Configure Git credentials step by @​pelikhan with @​Copilot in #​40613
• Ensure Copilot proxy-auth template resolves for PR Sous Chef by @​pelikhan with @​Copilot in #​40623
• chore: CLI version updates 2026-06-21 by @​pelikhan with @​Copilot in #​40618
• Reduce actionlint SC2086 noise in generated AWF run scripts by @​pelikhan with @​Copilot in #​40620
• Copy aw_info.json into usage artifact; fall back to activation artifact when missing (including cached usage runs) by @​pelikhan with @​Copilot in #​40634
• Refactor duplicated issue/PR update payload normalization into shared helper by @​pelikhan with @​Copilot in #​40624
• Include detection AIC parsing in external-detector workflows by @​pelikhan with @​Copilot in #​40645
• Delight: prevent agent-step timeout failures from tool denials and blocked Go proxy by @​pelikhan with @​Copilot in #​40652
• Fix tolowerequalfold package resolution for alias imports and shadowed identifiers by @​pelikhan with @​Copilot in #​40622

Full Changelog: github/gh-aw@v0.80.6...v0.80.7

v0.80.6

Compare Source

🌟 Release Highlights

v0.80.6 focuses on safe-outputs reliability, GHES host support, and new agentic workflow capabilities — with dozens of targeted fixes that make credential handling, asset uploads, and compilation more robust.

✨ What's New

• Headroom context compression — A new shared agentic workflow compresses agent context when headroom is low, reducing token burn for long-running workflows. (#​40223)
• Tool output previews in Copilot CLI — The conversation renderer now shows inline previews of tool outputs, making it easier to follow what an agent did at a glance. (#​40116)
• AWF reflect summary surfaced to GitHub Actions — awf reflect output is now written to core.info, making reflection results visible in the Actions run log without extra steps. (#​40069)
• Auto-detect GHES host in compile — gh aw compile now automatically detects GitHub Enterprise Server hosts, so GHES users no longer need manual host configuration for correct repo validation. (#​40030)
• Cached owner-type API call — The compiler now caches the repository owner-type lookup once per compilation run, eliminating redundant API calls on large workflows. (#​40258)
• gh aw init aligned to Copilot MCP schema — The MCP suggestion emitted by gh aw init now matches the official .github/mcp.json schema used by GitHub Copilot. (#​40327)
• External threat-detect binary — Threat detection has migrated to an external threat-detect binary behind a feature flag, improving isolation and upgrade flexibility. (#​40166)

🐛 Bug Fixes & Improvements

Safe-outputs & credential handling:

• Fixed git credential loss in safe_outputs job checkouts — credentials are now reliably preserved throughout the job. (#​40161, #​40147)
• Fixed duplicate Authorization header (HTTP 400) on git operations in push_to_pull_request_branch. (#​40281)
• Checkout manifest relocated into safeoutputs/ so the containerized safe-outputs MCP server can read it. (#​40025)
• Cross-repo checkout directories from the manifest are now trusted, resolving dubious-ownership errors. (#​40080)
• Base branch is now validated with git check-ref-format before use in safe-outputs jobs. (#​40001)
• Corrected stale 1 MB default for safe-outputs max-patch-size in schema and derived files. (#​39999)
• Added configurable URL sanitization policy for code-region-safe suggestion handling. (#​39927)

Compilation & workflow correctness:

• Fixed compiler incorrectly passing undeclared payload inputs for call-workflow steps. (#​40154)
• Fixed invalid YAML generated for GitHub App token checkout steps in safe_outputs jobs. (#​40301)
• Fixed actions-lock.json accumulating orphaned entries on full compile. (#​39905)
• Added regression guard to ensure deterministic actions-lock.json key ordering. (#​40324)
• Enforced non-empty dispatch_workflow names across safe-output schema and MCP registration. (#​40315)

Asset uploads & authentication:

• upload_assets now resolves staged assets via a single GH_AW_ASSETS_DIR, fixing a path mismatch between RUNNER_TEMP and /tmp. (#​40122, #​40062)
• Added fallback to unauthenticated GitHub API when a SAML-enforced token blocks requests. (#​40250)
• push_repo_memory now seeds new memory branches via the GitHub API to satisfy signed-commit requirements. (#​40188)

Observability & reliability:

• Fixed stdout/stderr interleaving in mcp_cli_bridge for large outputs. (#​40037)
• Token usage table is now rendered to core.info in the parse_token_usage step for better visibility. (#​40227)
• Improved Copilot harness classification for opaque exitCode=1 failures. (#​39959)
• Improved Copilot 403 auth guidance for copilot-requests mode. (#​40052)

⚡ Performance

• Memory efficiency — Replaced 187 map[string]bool sets with map[string]struct{} across the codebase, reducing allocations throughout the compiler and runtime. (#​39954)

🔍 Code Quality & Linting

• errstringmatch linter extended to cover HasPrefix, HasSuffix, EqualFold, Index, LastIndex, and Compare — catching more brittle error-string comparisons. (#​40248)
• New linter detects bare discarded json.Marshal/json.Unmarshal calls. (#​39993)
• Hardened OpenTelemetry compatibility contract. (#​40006)

Generated by 🚀 Release · 40.8 AIC · ⊞ 8.2K

---

What's Changed

• Require RUNNER_TOOL_CACHE for tool-cache discovery by @​zarenner with @​Copilot in #​40157
• feat: add Monte Carlo forecast compliance test suite (P1–P13) and fix fixture AIC gap by @​pelikhan with @​Copilot in #​40126
• fix: add configurable safe-outputs URL sanitization policy for code-region-safe suggestion handling by @​pelikhan with @​Copilot in #​39927
• [community] Update community contributions in README by @​github-actions[bot] in #​40206
• Bump default gh-aw-firewall to v0.27.7 and refresh generated artifacts by @​lpcox with @​Copilot in #​40208
• fix(push_repo_memory): seed new memory branches via GitHub API to satisfy signed-commit rules by @​pelikhan with @​Copilot in #​40188
• Render token table to core.info in parse_token_usage step by @​pelikhan with @​Copilot in #​40227
• fix: expand Network Mapping and Pattern Heuristics tables in agentic-workflow-designer SKILL.md by @​pelikhan with @​Copilot in #​40249
• [jsweep] Clean update_pull_request_branches.cjs by @​github-actions[bot] in #​40246
• errstringmatch: extend brittle error-string detection to HasPrefix/HasSuffix/EqualFold/Index/LastIndex/Compare by @​pelikhan with @​Copilot in #​40248
• [WIP] Fix failing GitHub Actions job for integration add by @​pelikhan with @​Copilot in #​40239
• fix: fall back to unauthenticated GitHub API when SAML-enforced token… by @​pelikhan in #​40250
• [spec-extractor] Update package specifications for agentdrain, cli, console, constants by @​github-actions[bot] in #​40286
• [docs] Update glossary - daily scan by @​github-actions[bot] in #​40289
• [docs] Update documentation for features from 2026-06-19 by @​github-actions[bot] in #​40291
• [instructions] Sync instruction files with release v0.80.4 by @​github-actions[bot] in #​40275
• feat(workflow): cache repository owner-type API call once per compilation run by @​pelikhan with @​Copilot in #​40258
• Add headroom context compression as a shared agentic workflow by @​pelikhan with @​Copilot in #​40223
• logs: download only usage artifact by default by @​pelikhan with @​Copilot in #​40259
• fix(constraint-solving-potd): prevent body: "." sentinel misuse in create_discussion by @​pelikhan with @​Copilot in #​40300
• Add regression guard for deterministic actions-lock.json key ordering by @​pelikhan with @​Copilot in #​40324
• build(deps): bump undici from 6.24.0 to 6.27.0 in /actions/setup/js in the npm_and_yarn group across 1 directory by @​dependabot[bot] in #​40326
• Align gh aw init MCP suggestion with Copilot .github/mcp.json schema by @​pelikhan with @​Copilot in #​40327
• [dead-code] chore: remove dead functions — 1 function removed by @​github-actions[bot] in #​40329
• Fix invalid YAML from checkout GitHub App token steps in safe_outputs jobs by @​pelikhan with @​Copilot in #​40301
• Migrate threat detection to external threat-detect binary behind feature flag by @​pelikhan with @​Copilot in #​40166
• Enforce non-empty dispatch_workflow names across safe-output schema and MCP registration by @​pelikhan with @​Copilot in #​40315
• Fix duplicate Authorization header (HTTP 400) on git ops in push_to_pull_request_branch by @​dsyme in #​40281

Full Changelog: github/gh-aw@v0.80.5...v0.80.6

v0.80.5

Compare Source

v0.80.4

Compare Source

🌟 Release Highlights

This release delivers a focused wave of reliability improvements, infrastructure hardening, and safe-outputs enhancements — making your agentic workflows more robust and predictable.

✨ What's New

• merge-pull-request schema parity (#​39767) — The merge-pull-request safe-output now supports samples and cross-repo targeting, bringing it to full feature parity with other safe-output operations.
• GHES-friendly action pinning (#​39908) — gh aw no longer applies its hardcoded action-pin fallback when GH_HOST targets a non-github.com host, removing friction for GitHub Enterprise Server users.
• Cleaner UX for personal repos (#​39923) — The copilot-requests onboarding tip is now suppressed for individual (non-org) repository owners, reducing noise where it doesn't apply.

🐛 Bug Fixes & Improvements

• Fixed phantom asset failures (#​39900) — Aligned the safe-outputs staging path with RUNNER_TEMP to eliminate spurious asset-not-found errors.
• Fixed MCP container tmp access (#​39950) — Added the /tmp/gh-aw bind mount to the safeoutputs MCP container so tools that write there during workflow runs work correctly.
• Fixed assign-to-agent mutations (#​39941) — Corrected the GraphQL mutations used to assign issues to agents, following the official API docs.
• Fixed silent add_comment skips (#​39926) — add_comment no longer silently no-ops when the integration token lacks discussion write permissions; the error is now surfaced clearly.
• Fixed SDK driver timeouts (#​39933) — Increased sendAndWait timeout in sample SDK drivers from 60 s to 10 min, preventing premature failures on longer agent tasks.
• Fixed null-byte corruption in step summaries (#​39910) — Stripped null bytes from gateway.md before writing to the step summary to prevent rendering errors.
• Fixed unintended dependabot.yml writes (#​39909) — gh aw no longer modifies dependabot.yml unless the --dependabot flag is explicitly passed.
• Hardened PR Sous Chef emission path (#​39951) — Reinforced the safe-output emission path for PR Sous Chef to prevent dropped outputs under edge-case conditions.
• Isolated SDK driver test state (#​39940) — copilot_sdk_driver tests now write session state in isolation, eliminating false-positive tool-denial failures.

📚 Documentation

• Terminology update (#​39913) — Renamed "Copilot Skills" → "Skills" throughout the custom-agent-for-aw reference to align with current product naming.

Generated by 🚀 Release

If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.