Download Latest Version
gh-aw-wasm-v0.68.3.tar.gz (4.9 MB)
Get an email when there's a new version of GitHub Agentic Workflows
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| sbom.cdx.json | 2026-04-06 | 3.2 MB | |
| sbom.spdx.json | 2026-04-06 | 5.5 MB | |
| linux-arm64 | 2026-04-06 | 23.7 MB | |
| windows-amd64.exe | 2026-04-06 | 26.3 MB | |
| windows-arm64.exe | 2026-04-06 | 24.0 MB | |
| freebsd-arm64 | 2026-04-06 | 23.6 MB | |
| gh-aw-wasm-v0.67.1.tar.gz | 2026-04-06 | 4.8 MB | |
| linux-386 | 2026-04-06 | 24.7 MB | |
| linux-amd64 | 2026-04-06 | 25.7 MB | |
| linux-arm | 2026-04-06 | 24.6 MB | |
| android-arm64 | 2026-04-06 | 25.9 MB | |
| checksums.txt | 2026-04-06 | 1.0 kB | |
| freebsd-amd64 | 2026-04-06 | 25.6 MB | |
| darwin-amd64 | 2026-04-06 | 26.2 MB | |
| darwin-arm64 | 2026-04-06 | 24.3 MB | |
| freebsd-386 | 2026-04-06 | 24.5 MB | |
| README.md | 2026-04-06 | 14.1 kB | |
| v0.67.1 source code.tar.gz | 2026-04-06 | 239.6 MB | |
| v0.67.1 source code.zip | 2026-04-06 | 241.8 MB | |
| Totals: 19 Items | 794.0 MB | 0 | |
🌟 Release Highlights
This release delivers a major OpenTelemetry observability overhaul, a new report_incomplete safe output signal, Claude Code 1.0.0 compatibility, and a wave of security hardening — all driven in part by community-reported issues.
✨ What's New
🔭 OpenTelemetry Observability (Multiple PRs)
A substantial series of improvements makes distributed tracing production-ready:
- Accurate span names — job lifecycle spans now use the actual job name (e.g.
gh-aw.agent.conclusion) instead of the genericgh-aw.job.conclusion, making traces immediately readable in Grafana/Honeycomb/Datadog. - Real job duration — conclusion spans now record actual execution time (previously always reported 2–5 ms due to a missing
startMs). - OTLP payload sanitization — sensitive values (
token,secret,key,auth, etc.) in span attributes are automatically redacted before sending to any OTLP collector. - OTLP headers masking —
OTEL_EXPORTER_OTLP_HEADERSis masked with::add-mask::in every job, preventing auth tokens from leaking in GitHub Actions debug logs. - MCP Gateway OpenTelemetry — the MCP Gateway now receives
opentelemetryconfig derived fromobservability.otlpfrontmatter and theactions/setuptrace IDs, correlating all MCP tool-call traces under the workflow root trace. - New resource attributes —
service.version,github.repository,github.run_id,github.event_name,github.ref,github.sha,github.actions.run_url,deployment.environment,gh-aw.staged,gh-aw.run.attemptenriching all spans. - Observability job summary auto-enabled — the job summary step is now rendered automatically whenever OTLP is configured; the
observability.job-summaryopt-in field is removed (auto-detected). - Real OTLP trace ID in the observability job summary (was incorrectly showing the
workflow_call_id). - GitHub API rate limit analytics —
gh aw audit,gh aw logs, andgh aw audit diffnow show GitHub API quota consumed per run, per resource.
🛡️ report_incomplete Safe Output
A new first-class signal for agents to surface infrastructure or tool failures without being misclassified as successful runs. When an agent emits report_incomplete, the safe-outputs handler activates failure handling regardless of agent exit code — preventing "tool-failure comment disguised as a success" scenarios. Can be configured with create-issue, title-prefix, and labels, just like missing_tool.
✅ checks as a First-Class MCP Tool
The checks tool is now registered in the gh-aw MCP server, returning a normalized CI verdict (success, failed, pending, no_checks, policy_blocked). Review workflows no longer need to shell out to gh aw checks.
🔐 Security Hardening
- Token/secret injection prevention — 422 instances of
$\{\{ secrets.* }}interpolated directly intorun:blocks have been moved toenv:mappings across 181 lock files and hand-authored CI workflows, preventing shell injection if a token contains metacharacters. - runner-guard added to static analysis — the
static-analysis-reportworkflow now runs Vigilant-LLC'srunner-guardscanner alongside zizmor, poutine, and actionlint.
🔍 Pre-Activation Visibility
When a workflow activation is denied (bot gate, role gate, stop-after, skip-if-match, etc.), the activation job now writes a $GITHUB_STEP_SUMMARY explaining the exact reason and providing remediation guidance — no more silently skipping PRs with no visible indicator.
🤖 Claude Code 1.0.0 Compatibility
The --disable-slash-commands flag has been removed from the Claude CLI args builder. Claude Code 1.0.0 dropped this flag as a breaking change; the compiler was unconditionally injecting it, causing all Claude-engine workflows to fail at startup.
🐛 Bug Fixes & Improvements
- Fix Octokit
.endpointproxy —pre_activationcheck scripts were failing withroute.endpoint is not a functiondue to the rate-limit-awaregithubproxy stripping Octokit's.endpointdecorator; fixed with aProxywrapper. - Fix OTLP span kind — job lifecycle spans now use
SPAN_KIND_INTERNAL(wasSPAN_KIND_SERVER), preventing false RED-metric pollution in observability backends. - Error message quality — duplicate permission scope hints suppressed, redundant path prefix stripped from single-failure messages, and YAML parse error fallbacks now emit proper IDE-navigable positions.
- Fix
daily-issues-report— switched fromcodextocopilotengine after OpenAI API access restrictions blocked Codex since Mar 24. - Fix runner-guard v2 module path — corrected
go installpath to include/v2/suffix for Go major version convention compliance. - Fix docs breadcrumb config — removed unrecognized
breadcrumbs: truekey that was breaking Starlight config. - Add stateful scanning pattern to
memory.md— documents the baseline-diff approach for nightly scans usingrepo-memory.
🌍 Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release!
### `@bbonafed` - [Fix: Flexible import path resolution and cross-repo agent imports](https://github.com/github/gh-aw/issues/23900) _(direct issue)_ ### `@dagecko` - [CI/CD Security Hardening: Extract tokens and secrets from run blocks into env mappings](https://github.com/github/gh-aw/issues/24743) _(direct issue)_ ### `@samuelkahessay` - [gh-aw treats a comment-based review verdict as successful even when the agent only reported tool failures](https://github.com/github/gh-aw/issues/24756) _(direct issue)_ - [bot-gated PR review runs can disappear with no review check or surfaced skip reason](https://github.com/github/gh-aw/issues/24755) _(direct issue)_ - [gh-aw MCP server exposes 8 CLI tools but not `checks`, forcing review workflows to shell out to `gh aw checks`](https://github.com/github/gh-aw/issues/24754) _(direct issue)_For complete details, see CHANGELOG.
Generated by Release · ● 1.2M
What's Changed
- feat: report agent failure in OTEL conclusion span by @Copilot in https://github.com/github/gh-aw/pull/24650
- fix: use actual job name in OTLP span names (#fix-span-names) by @Copilot in https://github.com/github/gh-aw/pull/24648
- feat: add daily-otel-instrumentation-advisor workflow by @Copilot in https://github.com/github/gh-aw/pull/24655
- [docs] Unbloat upgrading guide (-20% words) by @github-actions[bot] in https://github.com/github/gh-aw/pull/24657
- feat(otel): enrich resource attributes with service.version, github.repository, github.run_id, github.event_name by @Copilot in https://github.com/github/gh-aw/pull/24659
- feat(otel-advisor): query live Sentry OTel data to ground analysis by @Copilot in https://github.com/github/gh-aw/pull/24661
- fix(otel): show real OTLP trace ID in observability job summary by @Copilot in https://github.com/github/gh-aw/pull/24666
- feat: add gh-aw.run.attempt to setup and conclusion OTel spans by @Copilot in https://github.com/github/gh-aw/pull/24670
- [jsweep] Clean action_conclusion_otlp.cjs by @github-actions[bot] in https://github.com/github/gh-aw/pull/24669
- chore: update drain3 default log pattern weights by @github-actions[bot] in https://github.com/github/gh-aw/pull/24673
- enrich OTel error conclusion spans with agent_output.json error details by @Copilot in https://github.com/github/gh-aw/pull/24675
- [docs] Update dictation skill instructions by @github-actions[bot] in https://github.com/github/gh-aw/pull/24676
- fix: OTel conclusion spans record actual job execution duration instead of ~0 ms by @Copilot in https://github.com/github/gh-aw/pull/24680
- test: add test coverage for tool call result preview in generatePlainTextSummary (core.info) by @Copilot in https://github.com/github/gh-aw/pull/24688
- chore: upgrade gh-aw-mcpg to v0.2.14 by @Copilot in https://github.com/github/gh-aw/pull/24689
- [architecture] Update architecture diagram - 2026-04-05 by @github-actions[bot] in https://github.com/github/gh-aw/pull/24693
- feat(otel): add
github.actions.run_urlresource attribute to all spans by @Copilot in https://github.com/github/gh-aw/pull/24691 - docs: add stateful scanning (repo-memory baseline diff) pattern to memory.md by @Copilot in https://github.com/github/gh-aw/pull/24687
- docs: add pre-step data-fetching pattern to create-agentic-workflow.md by @Copilot in https://github.com/github/gh-aw/pull/24685
- Add GitHub API rate limit observability via JSONL artifact logging and OTLP span enrichment by @Copilot in https://github.com/github/gh-aw/pull/24694
- fix(otel): use SPAN_KIND_INTERNAL for job lifecycle spans instead of SPAN_KIND_SERVER by @Copilot in https://github.com/github/gh-aw/pull/24701
- [instructions] Sync github-agentic-workflows.md with v0.67.0 by @github-actions[bot] in https://github.com/github/gh-aw/pull/24707
- [docs] docs: Developer documentation consolidation v5.3 — GitHub API rate limit observability by @github-actions[bot] in https://github.com/github/gh-aw/pull/24709
- [community] Update community contributions in README by @github-actions[bot] in https://github.com/github/gh-aw/pull/24705
- Rename
domainStatus→classifyFirewallDomainStatusandstatusEmoji→firewallStatusEmojiby @Copilot in https://github.com/github/gh-aw/pull/24712 - Add gh-aw.staged and deployment.environment to OTLP conclusion spans by @Copilot in https://github.com/github/gh-aw/pull/24711
- [dead-code] chore: remove dead functions — 7 functions removed by @github-actions[bot] in https://github.com/github/gh-aw/pull/24727
- fix(daily-doc-updater): handle new-file creation requests in Step 1b by @Copilot in https://github.com/github/gh-aw/pull/24742
- [mcp-tools] Update GitHub MCP toolsets mapping with newly discovered tools (v2.2) by @github-actions[bot] in https://github.com/github/gh-aw/pull/24729
- feat(otel): add deployment.environment to setup span resource attributes by @Copilot in https://github.com/github/gh-aw/pull/24747
- Add GitHub API rate limit consumption analysis to logs, audit, and audit diff commands (#github-api-usage) by @Copilot in https://github.com/github/gh-aw/pull/24748
- Remove dead code in audit_report.go after audit report command merged into logs by @Copilot in https://github.com/github/gh-aw/pull/24753
- security: extract tokens and secrets from run blocks into env mappings by @Copilot in https://github.com/github/gh-aw/pull/24746
- feat: add runner-guard to static-analysis-report workflow by @Copilot in https://github.com/github/gh-aw/pull/24749
- Remove observability.job-summary opt-in, render job summary when OTLP is enabled by @Copilot in https://github.com/github/gh-aw/pull/24750
- fix: preserve Octokit
.endpointon rate-limit-aware github proxy to fixroute.endpoint is not a functionby @Copilot in https://github.com/github/gh-aw/pull/24758 - Add
checksas a first-class MCP tool to the gh-aw MCP server by @Copilot in https://github.com/github/gh-aw/pull/24757 - test(gitutil): extend coverage to 100% of exported functions by @Copilot in https://github.com/github/gh-aw/pull/24765
- docs: enable breadcrumbs and document sitemap dev-mode limitation by @Copilot in https://github.com/github/gh-aw/pull/24763
- refactor: deduplicate bots/roles codemods via factory and rename filterMapKeys by @Copilot in https://github.com/github/gh-aw/pull/24764
- fix(daily-issues-report): switch engine from codex to copilot by @Copilot in https://github.com/github/gh-aw/pull/24767
- Fix error message quality: prevent duplicate suggestions, strip redundant path prefix, improve YAML error IDE navigation by @Copilot in https://github.com/github/gh-aw/pull/24766
- [log] Add debug logging to workflow step generation and validation by @github-actions[bot] in https://github.com/github/gh-aw/pull/24780
- fix: correct Go module path for runner-guard v2 install by @Copilot in https://github.com/github/gh-aw/pull/24787
- fix(SEC-004): sanitize OTLP payload before sending to prevent sensitive value leakage by @Copilot in https://github.com/github/gh-aw/pull/24785
- feat(otel): add github.ref and github.sha to span resource attributes by @Copilot in https://github.com/github/gh-aw/pull/24786
- Add ::add-mask:: for OTEL_EXPORTER_OTLP_HEADERS to prevent telemetry auth token leakage by @Copilot in https://github.com/github/gh-aw/pull/24805
- Surface pre-activation denial reason in job summary by @Copilot in https://github.com/github/gh-aw/pull/24792
- Add report_incomplete safe output type to prevent tool-failure comments from being classified as successful runs by @Copilot in https://github.com/github/gh-aw/pull/24796
- Remove --disable-slash-commands flag for Claude Code 1.0.0 compatibility by @Copilot in https://github.com/github/gh-aw/pull/24807
- Configure MCP gateway OpenTelemetry from observability.otlp and actions/setup trace IDs by @Copilot in https://github.com/github/gh-aw/pull/24697
- fix(lint): use
require.NoErrorfor error assertion in gitutil_test.go by @Copilot in https://github.com/github/gh-aw/pull/24817 - fix: add
checkstool to MCP server tool tests by @Copilot in https://github.com/github/gh-aw/pull/24818 - fix: remove unrecognized
breadcrumbskey from Starlight config by @Copilot in https://github.com/github/gh-aw/pull/24821 - fix: normalize INPUT_JOB_NAME hyphen variant so OTLP spans include the actual job name by @Copilot in https://github.com/github/gh-aw/pull/24823
Full Changelog: https://github.com/github/gh-aw/compare/v0.67.0...v0.67.1
