| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| sbom.cdx.json | 2026-04-10 | 3.3 MB | |
| sbom.spdx.json | 2026-04-10 | 5.6 MB | |
| windows-amd64.exe | 2026-04-10 | 26.4 MB | |
| windows-arm64.exe | 2026-04-10 | 24.1 MB | |
| linux-386 | 2026-04-10 | 24.8 MB | |
| linux-amd64 | 2026-04-10 | 25.8 MB | |
| linux-arm | 2026-04-10 | 24.6 MB | |
| linux-arm64 | 2026-04-10 | 23.7 MB | |
| freebsd-arm64 | 2026-04-10 | 23.7 MB | |
| gh-aw-wasm-v0.68.1.tar.gz | 2026-04-10 | 4.8 MB | |
| android-arm64 | 2026-04-10 | 26.0 MB | |
| checksums.txt | 2026-04-10 | 1.0 kB | |
| darwin-amd64 | 2026-04-10 | 26.2 MB | |
| darwin-arm64 | 2026-04-10 | 24.4 MB | |
| freebsd-386 | 2026-04-10 | 24.6 MB | |
| freebsd-amd64 | 2026-04-10 | 25.7 MB | |
| README.md | 2026-04-10 | 10.2 kB | |
| v0.68.1 source code.tar.gz | 2026-04-10 | 245.9 MB | |
| v0.68.1 source code.zip | 2026-04-10 | 248.1 MB | |
| Totals: 19 Items | | 807.7 MB | 1 |
Release Highlights
This release delivers a critical Copilot CLI reliability hotfix, a new engine.bare control for AI context management, significant security hardening, and resolutions for 9 community-reported issues.
What's New
- `engine.bare` frontmatter field - Disable automatic context loading for supported engines, giving you full control over what the AI agent sees. Use `bare: true` with `copilot` (suppresses `AGENTS.md` and user instructions) or `claude` (suppresses `CLAUDE.md` memory files). Unsupported engines emit a compiler warning. (#25661)
- Frontmatter hash checker improvements - When a stale lock file is detected, the activation job now emits step-by-step `[hash-debug]` log lines and creates a clear, actionable issue/comment (with progressive disclosure) to guide you through fixing it. (#25571)
- `actions/github-script` upgraded to v9 - Scripts now get `getOctokit` as a built-in context parameter, eliminating the need for dynamic `@actions/github` imports in safe-output handlers. (#25553)
- Squash-merge fallback in `gh aw add` - When a repository disallows merge commits, the setup PR now automatically falls back to squash merge rather than failing. (#25609)
Bug Fixes & Improvements
- [Critical] Copilot CLI pinned to v1.0.21 - Fixes Copilot-engine workflows that were hanging indefinitely or producing 0-byte output due to incompatibilities with v1.0.22. v1.0.21 is the last confirmed working version. (#25689)
- Security: `agent-stdio.log` permissions hardened - Log file is now pre-created with `0600` permissions before `tee` writes, preventing world-readable exposure of MCP gateway bearer tokens. Dynamic gateway token redaction added to `redact_secrets.cjs`. (#25618)
- Agent file injection fixed for Codex and Gemini - Both engines now read `INSTRUCTION` from `prompt.txt` (already assembled by the compiler), eliminating fragile shell-variable injection and double-inclusion of agent file content. (#25681)
- Claude agent file injection fixed - Claude now reliably reads its agent file via `prompt.txt` in AWF sandbox mode, resolving crashes caused by `--env-all` not propagating shell variables into AWF containers. (#25589)
- Write-to-read codemod no longer converts `id-token`/`copilot-requests` - The "Convert write permissions to read" codemod now correctly skips write-only permissions that cannot meaningfully be set to `read`. (#25604)
- Race condition in PR checkout - When a PR is merged milliseconds after triggering a workflow (stale `state: open` in the payload), the agent now re-queries the API before treating the checkout failure as a hard error. (#25581)
- CLI consistency fixes - Aligned `--dir` flag semantics across `add`/`add-wizard`/`compile`/`fix`/`upgrade`; added missing `--dir` flag to `remove`; corrected misleading `--no-fix` description; improved help text for `trial`, `run`, `mcp add`, and `pr transfer`. (#25658)
- `smoke-gemini` now triggers on the `smoke` label - Fixes the Gemini smoke test being excluded from the standard PR smoke suite. (#25639)
Documentation
- `firewall-audit-logs` artifact reference - New `docs/reference/artifacts.md` documents all artifact names, their download paths, and the correct way to access token usage data (it lives in `firewall-audit-logs`, not `agent`). (#25684)
Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release!
### `@adamhenson`
- [compiled lock files hardcode github.token in Configure Git credentials steps -- breaks in sandboxed runners](https://github.com/github/gh-aw/issues/25345) _(direct issue)_

### `@bbonafed`
- [MCP Gateway container missing `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` env vars](https://github.com/github/gh-aw/issues/25224) _(direct issue)_

### `@dbudym-cs`
- [Failed to register MCP tools | HTTP 400: Bad Request](https://github.com/github/gh-aw/issues/22913) _(direct issue)_

### `@deyaaeldeen`
- [Codemod 'Convert write permissions to read' incorrectly changes id-token: write to read](https://github.com/github/gh-aw/issues/25573) _(direct issue)_

### `@drehelis`
- [codex exec command line argument misplaced](https://github.com/github/gh-aw/issues/25304) _(direct issue)_

### `@lukeed`
- [cli: support merging via squash](https://github.com/github/gh-aw/issues/20552) _(direct issue)_

### `@Mossaka`
- [Pipeline reports failure when Copilot CLI hits rate limit after successful completion](https://github.com/github/gh-aw/issues/21644) _(direct issue)_

### `@salekseev`
- [AWF API proxy doubles https:// scheme in --anthropic-api-target URL](https://github.com/github/gh-aw/issues/25137) _(direct issue)_

### `@tore-unumed`
- [Agent imports: .github/agents/ path does not resolve - must be under .github/workflows/](https://github.com/github/gh-aw/issues/19703) _(direct issue)_

Attribution Candidates Need Review
The following community issues were closed during this period but could not be automatically linked to a specific merged PR. Please verify whether they should be credited:
- `@grahame-white` for CI Coach workflow uses invalid 'copilot-requests' permission: root cause analysis and remediation plan - closed 2026-04-10, state: NOT_PLANNED, no confirmed PR linkage found
For complete details, see CHANGELOG.
What's Changed
- feat: update actions/github-script to v9.0.0 with builtin getOctokit by @Copilot in https://github.com/github/gh-aw/pull/25553
- Normalize report formatting: add shared/reporting.md import to two daily workflows by @Copilot in https://github.com/github/gh-aw/pull/25561
- feat: improve frontmatter hash checker with debug logging and failure propagation to conclusion job by @Copilot in https://github.com/github/gh-aw/pull/25571
- chore: update drain3 default log pattern weights by @github-actions[bot] in https://github.com/github/gh-aw/pull/25584
- chore: bump CLI versions - Claude Code 2.1.98, Copilot 1.0.22 (unpin), Gemini 0.37.1 by @Copilot in https://github.com/github/gh-aw/pull/25577
- [jsweep] Clean check_rate_limit.cjs by @github-actions[bot] in https://github.com/github/gh-aw/pull/25580
- fix: handle race condition when PR is merged before agent job checks out branch by @Copilot in https://github.com/github/gh-aw/pull/25581
- [code-simplifier] refactor: remove redundant fs require inside arrow function by @github-actions[bot] in https://github.com/github/gh-aw/pull/25591
- [architecture] Update architecture diagram - 2026-04-10 by @github-actions[bot] in https://github.com/github/gh-aw/pull/25597
- [instructions] Sync github-agentic-workflows.md with v0.67.4 by @github-actions[bot] in https://github.com/github/gh-aw/pull/25613
- fix: apply Q's weekly workflow improvements + prevent git misuse in Q prompt by @Copilot in https://github.com/github/gh-aw/pull/25607
- Fix write-to-read codemod incorrectly converting id-token and copilot-requests permissions by @Copilot in https://github.com/github/gh-aw/pull/25604
- [docs] Developer documentation tone scan v5.7 by @github-actions[bot] in https://github.com/github/gh-aw/pull/25617
- cli: try squash merge first, fall back to merge commit if not allowed by @Copilot in https://github.com/github/gh-aw/pull/25609
- fix: introduce SupportsNativeAgentFile capability; move Claude agent-file injection to compiler by @Copilot in https://github.com/github/gh-aw/pull/25589
- Pin copilot to v1.0.20 by @Copilot in https://github.com/github/gh-aw/pull/25623
- [dead-code] chore: remove dead functions - 5 functions removed by @github-actions[bot] in https://github.com/github/gh-aw/pull/25630
- test: add regression coverage for `.github/agents/` root-relative import path by @Copilot in https://github.com/github/gh-aw/pull/25636
- fix(smoke-gemini): trigger on "smoke" label instead of "water" by @Copilot in https://github.com/github/gh-aw/pull/25639
- refactor: centralize close-flow logic into shared `createCloseEntityHandler` factory by @Copilot in https://github.com/github/gh-aw/pull/25628
- security: fix agent-stdio.log world-readable exposure and MCP gateway token leakage in redaction pipeline by @Copilot in https://github.com/github/gh-aw/pull/25618
- fix(cli): address 7 CLI consistency issues across help text and flag behavior by @Copilot in https://github.com/github/gh-aw/pull/25658
- fix: set supportsNativeAgentFile=false for Codex and Gemini; remove AGENT_CONTENT shell code from Codex by @Copilot in https://github.com/github/gh-aw/pull/25681
- feat: add engine.bare frontmatter field to suppress automatic context loading by @Copilot in https://github.com/github/gh-aw/pull/25661
- Doc: document `firewall-audit-logs` artifact name for downstream consumers by @Copilot in https://github.com/github/gh-aw/pull/25684
- fix: bump Copilot CLI from v1.0.20 to v1.0.21 by @lpcox in https://github.com/github/gh-aw/pull/25689
Full Changelog: https://github.com/github/gh-aw/compare/v0.68.0...v0.68.1