v0.62.5

@github-actions github-actions released this 21 Mar 01:44
· 54 commits to main since this release
48d8fdf

🌟 Release Highlights

This release focuses on security hardening, reliability fixes across safe-outputs and activation, and a significant documentation expansion — with a couple of quality-of-life feature additions along the way.

⚠️ Security

Two important security improvements ship in this release:

  • Supply chain protection: The Trivy vulnerability scanner action has been removed following the discovery of a supply chain compromise (#22007, #22065). Vulnerability scanning has been replaced with an alternative approach.
  • Public repo integrity hardening: GitHub App authentication no longer exempts public repositories from the automatic minimum-integrity guard policy (#21969). This closes a gap where same-repo untrusted content could bypass integrity checks on public repos.

✨ What's New

  • Timezone support for scheduled workflows: on.schedule cron entries now accept an optional timezone field, letting you express schedules in local time rather than UTC (#22018).
  • Boolean expression optimizer: Condition node trees are now optimized at compile time, producing cleaner and more efficient if: expressions in compiled workflows (#22025).
  • Wildcard target-repo in safe-output handlers: Safe-output handlers now accept target-repo: "*" to match any repository, making reusable handler definitions much more flexible (#21877).

🐛 Bug Fixes & Improvements

  • Bot comment activation fixed: slash_command workflows now correctly activate on bot comments that append metadata after a newline separator — a common pattern with GitHub Apps (#22013).
  • Signed commits on new branches: create-pull-request no longer fails when a "Require signed commits" branch ruleset is active and the target branch doesn't yet exist on the remote (#22012).
  • Agent output artifact path: Fixed a nested-path issue where GH_AW_AGENT_OUTPUT artifacts were not found because the file resided outside the /tmp/gh-aw/ artifact root (#21968).
  • GHE: agentics URL resolution: githubnext/agentics now correctly resolves to github.com when a GitHub Enterprise Server host is configured, preventing failed action lookups on GHE (#22014).
  • gh aw new safe-output validation: Safe-output names entered via gh aw new are now validated against the JSON schema, preventing invalid configurations from being written (#21981).
  • Smoke-codex stability: Eliminated a race condition causing intermittent safe_outputs failures on scheduled smoke runs and spurious wrong-PR comments (#22039).
  • Code-push skip no longer triggers fail-fast: When a code-push step is intentionally skipped, the workflow now continues rather than halting with a failure (#21976).
  • MCP Gateway updated to v0.1.20 (#21946).

📚 Documentation

A substantial documentation push accompanies this release:

  • New: Integrity reference guide — covers trust levels, filtering behavior, and policy configuration (#22044).
  • New: GHE Cloud data residency debugging guide — step-by-step troubleshooting for GitHub Enterprise Cloud data residency connectivity issues (#21993).
  • Expanded checkout: frontmatter reference — the checkout section now documents all supported options with examples (#22041).
  • GitHub MCP access control spec v1.1.0 — updated to document blocked-users and approval-labels fields (#22023).
  • Streamlined agentic-authoring guide — reduced size and improved focus for faster onboarding (#22054).

For complete details, see the CHANGELOG.

Generated by Release


What's Changed

  • Update MCP Gateway v0.1.19 → v0.1.20 by @Copilot in #21946
  • fix: allow wildcard target-repo: "*" in safe-output handlers by @Copilot in #21877
  • fix: remove GitHub App auth exemption from automatic public-repo min-integrity guard policy by @Copilot in #21969
  • chore: update golang.org/x/mod v0.33.0 → v0.34.0 by @Copilot in #21970
  • fix(codex): align execute step name to "Execute Codex CLI" by @Copilot in #21972
  • fix: skipped code-push should not trigger fail-fast; retry PR review on unresolvable line by @Copilot in #21976
  • fix: resolve CLI consistency issues in help text and documentation by @Copilot in #21971
  • docs: add GHE Cloud data residency debugging guide by @lpcox in #21993
  • fix: validate safe-output names in gh aw new against JSON schema; fix create-project oneOf by @Copilot in #21981
  • deps: update golang.org/x/crypto v0.48.0 → v0.49.0 by @Copilot in #21980
  • chore: bump trivy-action from 0.33.1 to 0.35.0 by @lpcox in #22003
  • Harden Issue Monster against integrity-filtered issue reads by @Copilot in #21999
  • fix(campaign): prevent duplicate Security Alert Burndown Epic issues by @Copilot in #21998
  • Fix GH_AW_AGENT_OUTPUT nested path by enforcing /tmp/gh-aw/ artifact root by @Copilot in #21968
  • security: remove Trivy action due to supply chain compromise by @Copilot in #22007
  • [code-simplifier] refactor: simplify guard policy setOutput, footer logic, and comment clarity by @github-actions[bot] in #22016
  • Add token budget and context-pruning guardrails to Daily CLI Performance Agent by @Copilot in #21997
  • fix: pushSignedCommits fails on new branches with "Require signed commits" ruleset by @Copilot in #22012
  • Improve sliceutil test coverage from ~29% to ~100% of exported functions by @Copilot in #22015
  • fix: strip redundant resource identifier from integrity filtering note (#21988) by @Copilot in #22019
  • [docs] Self-healing documentation fixes from issue analysis - 2026-03-20 by @github-actions[bot] in #22020
  • docs: update GitHub MCP access control specification v1.1.0 — add blocked-users and approval-labels fields by @Copilot in #22023
  • feat: add timezone field support to on.schedule cron entries by @Copilot in #22018
  • fix: ensure githubnext/agentics resolves to github.com when GHE is configured by @Copilot in #22014
  • Fix slash_command activation for bot comments with newline-separated metadata by @Copilot in #22013
  • [log] Add debug logging to 5 workflow/cli files by @github-actions[bot] in #22026
  • docs: add VEX integration guidance to dependabot prompt by @Copilot in #22027
  • docs(central-repo-ops): replace actions/checkout step with checkout: frontmatter field in worker example by @Copilot in #22038
  • refactor: move misplaced functions to semantically correct files by @Copilot in #22034
  • fix(smoke-codex): eliminate safe_outputs instability on schedule runs and wrong-PR comments by @Copilot in #22039
  • docs: expand checkout: section in frontmatter reference by @Copilot in #22041
  • chore(deps): bump h3 from 1.15.8 to 1.15.9 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #22043
  • [docs] docs: unbloat agentic-authoring guide by @github-actions[bot] in #22054
  • [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #22051
  • docs: add integrity.md reference documentation by @Copilot in #22044
  • feat: add boolean expression optimizer for ConditionNode trees by @Copilot in #22025
  • fix: cache action inputs in actions-lock.json for deterministic smoke-codex compilation by @Copilot in #22048
  • chore: remove trivy by @Copilot in #22065
  • Remove session management from safe outputs MCP HTTP server by @Copilot in #22056

Full Changelog: v0.62.4...v0.62.5