v0.78.2

🌟 Release Highlights

This release marks the full transition from Effective Tokens to AI Credits (AIC) as the primary cost metric, while hardening the Copilot SDK driver, tightening safe-outputs contracts, and cleaning up long-deprecated schema fields.

⚠️ Breaking Changes

Several deprecated fields have been removed in this release. Update your workflows before upgrading:

• rate-limit frontmatter field removed — use user-rate-limit instead
• inline-sub-agents and features.inline-agents fields removed — migrate to the sub-agents configuration
• disable-model-invocation removed from the workflow schema
• max-daily-effective-tokens removed — use max-daily-ai-credits instead (see cost management docs)
• models frontmatter field deprecated — compilation warnings will be emitted
• Premium Requests (PRU) support removed
• Copilot SDK driver inlined mode removed — only standalone driver mode is supported

✨ What's New

AI Credits (AIC) — New Cost Accounting Standard

AI Credits (AIC) is now the primary cost metric across gh-aw, replacing Effective Tokens:

• max-daily-ai-credits is a new frontmatter guardrail (docs)
• ΔAIC and AIC columns added to token usage step summary tables for clear cost attribution
• AIC reported in generated footers, OTLP spans, and gh aw forecast output
• A W3C-style AI Credits specification documents the calculation methodology and models.json format
• Model catalog now sourced from models.dev with native cost fields; pricing updated automatically

Copilot SDK Driver Enhancements

• Multi-language driver support: SDK drivers can now be written in any language or use arbitrary commands (docs)
• engine.copilot-sdk-driver field added to override the default driver script
• engine.copilot-sdk is now auto-inferred from engine.copilot-sdk-driver when present
• SDK driver events are now streamed to stderr as JSONL for real-time observability
• Default SDK log level set to all in harness mode for richer debugging

Safe Outputs Improvements

• close-older-pull-requests option added to create-pull-request safe output
• Multi-repo wildcard target-repo now supported in safe-outputs jobs
• REST comment IDs accepted in hide_comment (auto-resolved to GraphQL node IDs)
• add_comment wildcard target misses are now non-fatal
• safe-outputs.mentions.allowed now honored during NDJSON collection
• add_comment with target: "*" now requires an explicit item_number

New Tooling & Workflows

• designer-drift-audit workflow detects when the agentic workflow designer drifts from its spec
• Daily Ambient Context Optimizer workflow automatically reduces prompt overhead in high-traffic daily workflows
• workflow-step-summaries and prompt-token-efficiency skills added to the skills library
• model_size experiment added to 5 daily workflows with a new small-agent alias
• API-proxy steering event counts now surfaced in gh aw logs, gh aw audit, and OTLP spans
• 100M/100K notation now accepted for templatable token-limit fields

🐛 Bug Fixes & Improvements

• Security: Fixed a safe-outputs file-protection bypass via patch-parser differential (#36752)
• Security: Fixed patch/bundle desynchronization in safe-outputs (#36762)
• Fixed YAML corruption in safe-outputs when OTLP header masking is enabled
• Fixed close_pull_request target-repo propagation for cross-repo operations
• Fixed Copilot SDK custom provider resolution in standalone driver main()
• Fixed empty step summary preview for Copilot SDK session events
• Slash command parser now performs precise name matching with dash support
• tolowerequalfold linter avoids false positives on ToLower(x) == x idioms
• gh aw upgrade now verifies the post-upgrade version before reporting success

📚 Documentation

• Renamed assign-to-copilot → copilot-cloud-agent across all guides
• Copilot SDK support, driver configuration, and specification guidance added (docs)
• Cost management page expanded with token-reduction tips and AIC migration guidance (docs)
• Specification docs moved into a dedicated collapsed Specs section for better navigation
• Linter reference expanded to cover all 21 analyzers
• Self-hosted runner compatibility guidance added to workflow constraints

Generated by 🚀 Release · 122 AIC

---

What's Changed

• [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #36545
• [docs] Self-healing documentation fixes from issue analysis - 2026-06-03 by @github-actions[bot] in #36551
• [model-inventory] Update aliases and multipliers for 2026-06-03 inventory by @Copilot in #36555
• [avenger] Update wasm golden files for 2026-06-03 model inventory by @github-actions[bot] in #36560
• Remove compiler-generated GitHub App token invalidation steps and refresh compiled workflow locks by @Copilot in #36556
• Improve slog adapter tests to run in CI and cover handler behavior by @Copilot in #36569
• [community] Update community contributions in README by @github-actions[bot] in #36562
• Add target field support to submit_pull_request_review safe-output by @Copilot in #36546
• [log] Add debug logging to token-limit parser, engine config dir, and inline section helpers by @github-actions[bot] in #36571
• Code Simplifier: allow required validation commands in sandbox tool permissions by @Copilot in #36573
• Refine Copilot SDK-mode tool permission scoping from engine config by @Copilot in #36538
• [jsweep] Clean update_pr_description_helpers.cjs by @github-actions[bot] in #36575
• Add license string support in aw.yml manifest parsing and schema by @Copilot in #36583
• [instructions] Sync instruction files with release v0.78.1 by @github-actions[bot] in #36600
• Refactor copilot SDK driver into self-contained Node program by @Copilot in #36549
• Enforce safe-output completion contract in Daily MCP Tool Concurrency Analysis by @Copilot in #36618
• Slash command parser: precise name matching with dash support by @Copilot in #36622
• Refactor duplicated markdown body/footer assembly into shared helper by @Copilot in #36587
• Ignore disabled workflows in centralized slash/label dispatch routing by @Copilot in #36621
• Reduce first-invocation ambient context; shift detailed guidance to lazy-loaded skills by @Copilot in #36628
• [docs] Update glossary - daily scan by @github-actions[bot] in #36629
• Fix Daily Semgrep Scan: allowlist semgrep.dev and disable telemetry egress by @Copilot in #36631
• [docs] Update documentation for features from 2026-06-03 by @github-actions[bot] in #36635
• [spec-enforcer] Enforce specifications for syncutil, testutil, timeutil by @github-actions[bot] in #36639
• Add Daily Ambient Context Optimizer workflow by @Copilot in #36642
• Add Copilot SDK Driver standalone reference specification by @Copilot in #36632
• [WIP] Fix failing GitHub Actions job test by @Copilot in #36647
• Tighten ET computation details layout and compact model aliases by @Copilot in #36634
• Verify post-upgrade version before reporting gh aw upgrade success by @Copilot in #36648
• fix: add missing target/target-repo/allowed-repos to safe output schemas by @dsyme in #36636
• [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #36658
• Detect runtime for copilot-sdk installs from engine.copilot.command via runtime manager by @Copilot in #36653
• Add self-hosted runner compatibility guidance to workflow constraints by @salmanmkc in #36620
• Align pkg/linters spec dependencies with current analyzer surface by @Copilot in #36660
• Add engine.copilot-sdk-driver to override Copilot SDK driver script by @Copilot in #36662
• Normalize report-formatting guidance in daily MCP concurrency and news workflows by @Copilot in #36665
• Refactor parser config-field extraction into composable helpers to satisfy largefunc limits by @Copilot in #36664
• Remove copilot SDK dri...

v0.78.1

🌟 Release Highlights

This release focuses on Copilot SDK hardening — smarter timeout management and better authentication flow — plus improvements to slash_command routing and safe-outputs configuration.

✨ What's New

• slash_command support across smoke workflows — All smoke agentic workflows now have centralized slash_command handling, making it easier to trigger them consistently via slash commands. (#36522)

• Smarter Copilot SDK session timeouts — The Copilot SDK session timeout is now automatically derived from the agent step timeout (minus 30 seconds), eliminating manual coordination and reducing timeout-related failures. (#36505)

• COPILOT_CONNECTION_TOKEN in headless harness — The Copilot SDK headless harness flow now correctly generates and wires COPILOT_CONNECTION_TOKEN, unblocking authentication in headless execution environments. (#36506)

• deduplicate-by-title for create-issue safe-outputs — The deduplicate-by-title option is now wired into the compiled safe-outputs config for create-issue, preventing duplicate issues from being filed by agents. (#36527)

🐛 Bug Fixes & Improvements

• Copilot CLI Deep Research bash allowlist — Aligned the bash allowlist with the survey commands actually used by the Deep Research prompt, fixing permission errors during research runs. (#36531)

📚 Documentation

• Cost management: max-turns guidance — Added documentation on using max-turns as a cost control mechanism. Learn more (#36529)

Generated by 🚀 Release · sonnet46 972.1K

---

What's Changed

• Stabilize BenchmarkYAMLGeneration by removing safe-update overhead by @Copilot in #36514
• [cli-consistency] Standardize e.g., punctuation across CLI help text by @Copilot in #36513
• Derive Copilot SDK session timeout from agent step timeout (minus 30s) by @Copilot in #36505
• Align max-turns integration test with current frontmatter schema semantics by @Copilot in #36521
• [safe-output-integrator] Add missing safe-output test workflow and compiler test for create-check-run by @github-actions[bot] in #36520
• Generate and wire COPILOT_CONNECTION_TOKEN in Copilot SDK headless harness flow by @Copilot in #36506
• docs: add max-turns to cost management page by @Copilot in #36529
• feat: add slash_command centralized support to all smoke agentic workflows by @Copilot in #36522
• Align Copilot CLI Deep Research bash allowlist with its prompt-driven survey commands by @Copilot in #36531
• Wire create-issue deduplicate-by-title into compiled safe-outputs config by @Copilot in #36527
• Latest slides by @pelikhan in #36541

Full Changelog: v0.78.0...v0.78.1

v0.78.0

🌟 Release Highlights

This release focuses on Copilot SDK 1.0.0 integration, token cost controls, and a round of reliability fixes across agentic engines.

✨ What's New

• Copilot SDK 1.0.0 — Updated to the stable Copilot SDK 1.0.0 and enabled it on 50% of Copilot-backed agentic workflows, with harness fixes for stdin wiring, SDK resolution, and custom-provider setup. (#36495, #36455, #36358)

• max-turns support — All agentic engines now support a top-level max-turns frontmatter field, giving you finer control over agent session length. (#36451)

• Short-form effective-token limits — Token budget fields now accept human-readable shorthand like 100M or 500K in addition to raw integers, across schema, parsers, and docs. (#36496)

• Daily ET guardrail enabled by default — The effective-token guardrail now runs by default on all supported workflows; opt out by setting the limit to -1. (#36392)

• On-demand token audit workflow — A new agentic-token-trend-audit workflow accepts a date-range dispatch input for historical token usage analysis, and now emits daily trend charts. (#36412, #36432)

🐛 Bug Fixes & Improvements

• Fixed the daily ET guardrail step that never failed the activation job; improved conclusion reporting. (#36497)
• Corrected the GraphQL mutation name to markPullRequestReadyForReview. (#36494)
• Added id-token: write permission to the detection job for GitHub OIDC auth. (#36461)
• Fixed the pull-request-target-checkout-false codemod to skip when checkout is a mapping node. (#36453)
• Clarified Copilot 401 errors from the gh-aw API proxy with actionable messages. (#36454)
• Preserved OTEL resource attribution and normalized agent token counters. (#36450)

⚠️ Breaking Changes

• Removed deprecated run-install-scripts frontmatter field — This top-level field has been removed. Migrate to the supported install section if you use it. (#36387)

📚 Documentation

• New Cost Management guide covers the max-daily-effective-tokens guardrail and environment variable configuration. (#36468)

Generated by 🚀 Release · sonnet46 774.4K

---

What's Changed

• Remove estimated cost from audit-workflows report by @Copilot in #36356
• AOAI endpoint smoke test by @davidslater in #36384
• Remove deprecated top-level run-install-scripts frontmatter field by @Copilot in #36387
• Reduce Chaos PR Bundle Fuzzer cadence to weekly by @Copilot in #36386
• Update 2026-06-02 model inventory: add missing Gemini preview multipliers by @Copilot in #36388
• Add sub_agent_strategy A/B experiment to daily AgentRx trace optimizer by @Copilot in #36389
• Keep safe-output token placeholders out of runtime config.json by @Copilot in #36353
• Emit daily ET guardrail by default; disable only on explicit -1 by @Copilot in #36392
• [community] Update community contributions in README by @github-actions[bot] in #36393
• Update agentic-ops workflows by @mnkiefer in #36397
• Align aw.yml install ref resolution with single-workflow latest-release behavior by @Copilot in #36396
• [log] Add debug logging to 5 sparsely-logged Go files by @github-actions[bot] in #36403
• [docs] docs: replace remaining British spelling "behaviour" → "behavior" in docs references by @github-actions[bot] in #36399
• Fix copilot-sdk harness stdin wiring, SDK installation/resolution, custom-provider setup from /reflect, and remove duplicate harness timestamps by @Copilot in #36358
• Add on-demand token audit workflow with date-range dispatch input by @Copilot in #36412
• [instructions] Sync instruction files with release v0.77.5 by @github-actions[bot] in #36430
• Add daily token trend chart output to agentic-token-trend-audit report contract by @Copilot in #36432
• Enable Copilot SDK on 50% of Copilot-backed agentic workflows by @Copilot in #36455
• fix(daily-rendering-scripts-verifier): add missing bash permissions for npx, make, and mkdir by @Copilot in #36449
• [rendering-scripts] fix(copilot-parser): render inline cached token footer (Copilot CLI 1.0.55) by @github-actions[bot] in #36428
• [jsweep] Clean validate_memory_files.cjs by @github-actions[bot] in #36404
• Refactor harness permission-denied handling into shared helper module by @Copilot in #36415
• fix(codemod): skip pull-request-target-checkout-false when checkout is a mapping by @Copilot in #36453
• Allow Python network access in token audit workflows by @Copilot in #36452
• Preserve mini-tier GPT labels in PR Sous Chef footers by @Copilot in #36467
• Refresh package README dependency specs for cli, workflow, and types by @Copilot in #36463
• Clarify Copilot 401 errors from the gh-aw API proxy by @Copilot in #36454
• Recompute effective tokens from raw usage with current weights/multipliers by @Copilot in #36421
• [blog] Agent of the Day – 2026-06-02 by @github-actions[bot] in #36472
• fix: add id-token: write to detection job permissions for github-oidc auth by @Copilot in #36461
• docs: add max-daily-effective-tokens guardrail and env var guidance to Cost Management by @Copilot in #36468
• [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #36471
• Preserve OTEL resource attribution and normalize agent token counters by @Copilot in #36450
• Update bundled Copilot SDK to 1.0.0 and recompile lockfiles by @Copilot in #36495
• SPDD 2026-06-02: spec sync, guard-policy decisions, deprecation notices, integration tests by @Copilot in #36499
• Add top-level max-turns support across agentic engines by @Copilot in #36451
• [docs] docs: unbloat ResearchPlanAssignOps pattern (21% reduction) by @github-actions[bot] in #36503
• fix: correct GraphQL mutation name to markPullRequestReadyForReview by @Copilot in #36494
• fix: daily ET guardrail step never fails activation job; improve conclusion reporting by @Copilot in #36497
• Token trend audit: recompute effective tokens from raw usage by @Copilot in #36504
• Support short-form effective-token limits (100M, 100K) across schema, parsers, and docs by @Copilot in #36496
• [linter-miner] feat(linters): add tolowerequalfold linter by @github-actions[bot] in #36507
• Generate init/upgrade dispatcher file lists from github/gh-aw with embedded fallback by @Copilot in #36493

Full Changelog: v0.77.6...v0.78.0

v0.77.6

🌟 Release Highlights

This release brings native Copilot SDK integration, templatable job timeouts, stricter workflow privacy enforcement, and a wave of bug fixes and internal quality improvements.

✨ What's New

• Copilot SDK harness (#36307): Workflows with copilot-sdk: true now drive Copilot directly via @github/copilot-sdk, enabling tighter, more reliable agent control compared to the CLI harness.
• Templatable timeout-minutes (#36314): Job and step timeout-minutes values now support template expressions (e.g., ${{ inputs.timeout }}), giving workflows dynamic control over timeouts without hardcoding values.
• Private workflow enforcement (#36227): Workflows that declare private: true are now rejected at the manifest level, preventing accidental publication of internal-only workflows to the registry.
• step-summary command dispatching (#36346): The agentic_commands dispatcher now recognises and routes step-summary commands, making agent step summaries consistently available downstream.
• Git credential absence warning (#36269): Agents are now explicitly warned when git credentials are absent after a checkout, reducing confusing authentication failures during push operations.

🐛 Bug Fixes & Improvements

• Cross-repo PR creation (#36250): Fixed false post-create repository validation in cross-repo create_pull_request workflows that caused spurious errors after a PR was successfully opened.
• Sparse-checkout / partial-clone hygiene (#36259, #36260): Cleared lingering partial-clone state after sparse checkouts, and removed partial-clone blob filtering from safe-outputs ref fetches, eliminating a class of fetch failures.
• CI lint fixes (#36295): Resolved copyloopvar, errorlint, modernize, and testifylint lint failures that were blocking the CI pipeline.
• DependaBot ignore pattern (#36222): Fixed the DependaBot ignore pattern for gh-aw-actions to use the exact repository name, preventing unintended dependency suppression.
• applyTo allowlist cleanup (#36309): Removed a vestigial applyTo key from the parser's validFields allowlist that could cause misleading schema validation errors.

📚 Documentation

• Frontmatter reference streamlined (#36300, #36285): Removed outdated permissions.copilot-requests: write recommendation and unbloated the frontmatter reference page for faster scanning.
• push_to_pull_request_branch clarification (#36238): Documented expected behaviour for multi-checkout workflows, reducing confusion when working across repository boundaries.
• Docs updated for 2026-06-01 features (#36235): Reference pages refreshed to reflect features shipped in this cycle.

🔧 Internal

• Compiler orchestrators refactored to respect 60-line function-length limits (#36177).
• Inline skill and sub-agent extraction moved to shared parser helpers (#36247, #36248).
• Code Simplifier and Failure Investigator workflows optimised for lower token usage (#36311, #36286).
• fmt.Errorf calls without verb arguments converted to errors.New across host and WASM targets (#36224).
• golang.org/x/tools linter modernised to use Cursor API and direct assertions (#36221).
• gosec bumped to v2.27.0 (#36220).

Generated by 🚀 Release · sonnet46 798.8K

---

What's Changed

• [log] Add debug logging to token/offset/input helpers by @github-actions[bot] in #36182
• Refactor compiler orchestrators to enforce 60-line largefunc limits (part 1) by @Copilot in #36177
• [instructions] Sync instruction files with release v0.77.5 by @github-actions[bot] in #36212
• [schema-coverage] feat: add schema coverage demo for runs-on-slim field by @github-actions[bot] in #36206
• [schema-coverage] feat: add schema coverage demo for run-name field by @github-actions[bot] in #36205
• [schema-coverage] feat: add schema coverage demo for resources field by @github-actions[bot] in #36203
• [schema-coverage] feat: add schema coverage demo for redirect field by @github-actions[bot] in #36202
• [schema-coverage] feat: add schema coverage demo for private field by @github-actions[bot] in #36200
• chore: update drain3 default log pattern weights by @github-actions[bot] in #36190
• chore(deps): bump github.com/securego/gosec/v2 v2.26.1 → v2.27.0 by @Copilot in #36220
• Add UTC timezone tests for expiration closing comments in issues and PRs by @Copilot in #36229
• [docs] Update documentation for features from 2026-06-01 by @github-actions[bot] in #36235
• [docs] Update glossary - weekly full scan by @github-actions[bot] in #36230
• [model-inventory] Add Sonnet dot-notation alias coverage and missing 2026-06-01 multipliers by @Copilot in #36226
• fix: use exact repo name as DependaBot ignore pattern for gh-aw-actions by @Copilot in #36222
• Enforce manifest-level rejection of workflows that declare private: true by @Copilot in #36227
• Enforce fmterrorfnoverbs: convert no-verb fmt.Errorf → errors.New (2 host + 14 wasm sites) by @Copilot in #36224
• linters: modernize golang.org/x/tools usage — Cursor API, direct assertions, golden fix test by @Copilot in #36221
• Clear partial-clone state after sparse checkouts when filter: '' is intended by @Copilot in #36259
• Remove partial-clone blob filtering from safe-outputs ref fetches by @Copilot in #36260
• Clarify push_to_pull_request_branch behavior for multi-checkout workflows by @Copilot in #36238
• Fix false post-create repo validation in cross-repo create_pull_request workflows by @Copilot in #36250
• [blog] Agent of the Day – 2026-06-01 by @github-actions[bot] in #36272
• Warn agents that git credentials are absent after checkout by @Copilot in #36269
• Remove permissions.copilot-requests: write recommendation from frontmatter reference by @Copilot in #36285
• Refactor workflow cache/action/validation paths by extracting focused helpers by @Copilot in #36248
• [aw] Failure Investigator: cut token overhead by removing redundant sub-agents and tightening prefetch/prompt scope by @Copilot in #36286
• Refactor inline skill/sub-agent extraction to shared parser helpers by @Copilot in #36247
• Fix lint-go CI failures: copyloopvar, errorlint, modernize, testifylint by @Copilot in #36295
• [spdd] Daily spec work plan - 2026-06-01: add Safeguards/Norms/Sync Notes to model-alias, pkg-manifest, and effective-tokens specs by @Copilot in #36293
• [docs] docs: unbloat frontmatter reference by @github-actions[bot] in #36300
• Remove bundled daily-subagent-optimizer workflow artifacts by @Copilot in #36299
• Remove stale CHANGELOG reference from generated release notes by @Copilot in #36302
• Optimize Code Simplifier workflow token footprint via deterministic preprocessing, inline skills, and small-model sub-agents by @Copilot in #36311
• Remove vestigial applyTo from parser validFields allowlist by @Copilot in #36309
• Fix validate-yaml failure by regenerating code-simplifier lock workflow with dev metadata by @Copilot in #36316
• [linter-miner] feat(linters): add seenmapbool linter — flag map[string]bool used as a set by @github-actions[bot] in #36313
• Make timeout-minutes a templatable integer in schema + custom job compilation by @Copilot in #36314
• copilot_harness: drive Copilot via @github/copilot-sdk when copilot-sdk: true by @Copilot in #36307
• Add step-summary command visibility to agentic_commands dispatcher by @Copilot in #36346
• Consolidate LintMonster function-length issues into one tracking workflow by @Copilot in #36347
• Refactor checks_command tests into table-driven suites and add formatter output coverage by @Copilot in #36327

Full Changelog: v0.77.5...v0.77.6

v0.77.5

🌟 Release Highlights

This release tightens the daily effective-workflow guardrail with smarter configuration gating, structured diagnostics, and a bug fix for artifact client setup — plus a project-level UTC offset feature for more accurate timestamps across timezones.

✨ What's New

• Project UTC offset for timestamps (#36142) — Rendered timestamps and expiration messages now respect a configured project UTC offset, so deadlines and expiry notices display correctly for teams in any timezone.
• Structured diagnostics in daily ET guardrail (#36164) — The daily effective-workflow guardrail now emits structured diagnostic output, making it easier to understand and debug guardrail evaluation results.
• close_discussion safe output in Daily Regulatory workflow (#36155) — The Daily Regulatory workflow can now close discussions as part of its safe-output actions, completing the full discussion lifecycle.
• New fmterrorfnoverbs linter (#36146) — A new Go linter enforces correct verb usage in fmt.Errorf calls, catching a common class of formatting mistakes at lint time.

🐛 Bug Fixes & Improvements

• Gate ET guardrail on explicit configuration (#36179) — The daily effective-workflow guardrail and its artifact client setup are now only activated when explicitly configured, preventing unnecessary overhead in workflows that do not use this feature.
• Fix @actions/artifact install for ET guardrail (#36153) — Resolved a missing dependency that caused failures when the daily-effective-workflow guardrail was enabled.
• Deploy command refactor (#36144) — Deploy command orchestration in pkg/cli was refactored to satisfy largefunc linter limits, improving maintainability without changing behavior.
• Parser test coverage (#36149) — Frontmatter extraction tests migrated to testify with additional coverage, strengthening the parser test suite.

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 659.7K

---

What's Changed

• Add project UTC offset support for rendered timestamps and expiration messages by @Copilot in #36142
• Fix: install @actions/artifact when daily-effective-workflow guardrail is configured by @Copilot in #36153
• [linter-miner] feat(linters): add fmterrorfnoverbs linter by @github-actions[bot] in #36146
• Refactor deploy command orchestration to satisfy largefunc limits in pkg/cli by @Copilot in #36144
• test(parser): migrate frontmatter_extraction_test.go to testify + add missing coverage by @Copilot in #36149
• Enable close_discussion safe output in Daily Regulatory workflow by @Copilot in #36155
• [blog] Agent of the Day – 2026-06-01 by @github-actions[bot] in #36158
• Add structured diagnostics to the daily workflow ET guardrail by @Copilot in #36164
• [blog] Weekly blog post – 2026-06-01 by @github-actions[bot] in #36178
• Gate daily ET guardrail and artifact client setup on explicit configuration by @Copilot in #36179

Full Changelog: v0.77.4...v0.77.5

v0.77.4

🌟 Release Highlights

This release delivers Anthropic WIF authentication, a new copilot-sdk engine, expanded aw.yml manifest capabilities, and a battery of reliability fixes across safe-outputs, threat-detection, and workflow compilation.

✨ What's New

• Anthropic WIF Authentication — Claude-engine workflows can now authenticate via Workload Identity Federation, eliminating long-lived API key secrets (#35939)
• copilot-sdk Engine — A new copilot-sdk frontmatter engine field gives workflows access to the Copilot SDK runtime directly (#35936)
• aw.yml Manifest: Includes, Skills & Agents — The repository manifest now supports includes, skills, and agents keys, making it easier to compose and share workflow components across repos (#35778)
• Per-Workflow 24-Hour Effective-Token Guardrail — A new configurable token guardrail prevents runaway agent costs with enterprise-grade defaults and ET shorthand support (#36042)
• search_commits in GitHub MCP Search Toolset — Commit search is now available to agents via the GitHub MCP search toolset (#36115)
• copilot-review Skill — A new skill guides agents through planning, addressing, and responding to PR review feedback (#36111)
• go-codemod Skill — Agents can now implement and test Go codemods for the gh aw fix command (#36034)
• Ruflo-Backed Agentic Task Workflow — New workflow for running agentic tasks via the Ruflo engine (#36046)

🐛 Bug Fixes & Improvements

• Activation comment fix — Activation comments no longer use the wrong repo/client or fire on empty commits (#35982)
• Safe-output target-repo — Safe output handlers now correctly respect the configured target-repo (#35901)
• Sparse-checkout filter — Agent checkout now emits filter: '' correctly when sparse-checkout is enabled (#35949)
• Protected-files fallback — create_pull_request now pushes the branch before creating a fallback issue (#35990)
• HEAD-only bundle handling — create_pull_request safe-output fallback handles HEAD-only bundles gracefully (#35989)
• Threat-detection hardening — Missing prompt artifacts no longer block safe-output execution (#36113)
• Reusable workflow timeout — timeout-minutes is now correctly passed through reusable workflow callers (#36107)
• on.needs YAML strip — Processed on.needs keys are stripped from emitted YAML, preventing invalid workflow syntax (#35965)
• Billing multiplier accuracy — billing.multiplier from Copilot reflect is now used as the primary ET multiplier source of truth (#36027)
• Prefer toolcache Copilot CLI — Workflows now prefer the Actions toolcache copy of the Copilot CLI before downloading a release, speeding up setup (#35992)
• Disable histexpand in shell wrappers — Bash history expansion is disabled in all generated shell wrappers to prevent unexpected ! expansion (#35991)

📚 Documentation

• Deprecated/migration callouts removed for a cleaner reference experience (#35923)
• OpenTelemetry reference slimmed down — duplicate config examples removed (#36143)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 994.4K

---

What's Changed

• Stabilize Step Name Alignment by removing legacy CLI-proxy path by @Copilot in #35804
• Enforce strconvparseignorederror in CI and remove 6 silent parse discards by @Copilot in #35805
• [deep-report] Raise Avenger max-turns to 50 to prevent max-turn exits by @Copilot in #35789
• chore: bump awf to v0.25.57, mcpg to v0.3.21 by @Copilot in #35782
• [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #35806
• Remove emoji from experiment assignment summary heading by @Copilot in #35815
• Align lipgloss compat detection with stderr output path by @Copilot in #35813
• Extend aw.yml to support includes, skills, and agents by @Copilot in #35778
• Fix context cancel lifecycle violations in workflow + MCP inspect paths by @Copilot in #35811
• refactor(workflow): decompose Claude allowed-tools assembly to reduce function complexity by @Copilot in #35812
• DDUw: catch not_planned docs-coverage/convention gaps (engine-example parity) by @Copilot in #35820
• Add missing Claude Opus multiplier aliases and correct GPT-5.5 multipliers for 2026-05-30 inventory by @Copilot in #35826
• Refactor Agentic Workflows routing: move dispatch index to skill, keep agent static, and update init generator by @Copilot in #35817
• [awf] Fix tool-cache mount handling, smoke-pi runtime config, and cache-memory git recovery by @Copilot in #35802
• [community] Update community contributions with Tier 3 findings by @github-actions[bot] in #35844
• Clarify Outcome Collector reference mapping to enforce exact Status-order link parity by @Copilot in #35852
• [log] Add debug logging to three previously-unlogged pkg/ files by @github-actions[bot] in #35857
• [docs] docs: apply American English spelling in content reference docs by @github-actions[bot] in #35853
• [code-simplifier] Simplify claude_tools.go: use getOrCreateToolMap and clearer isClaudeToolName by @github-actions[bot] in #35855
• fix: safe output handlers now respect target-repo config by @dsyme in #35901
• Share RUNNER_TEMP with agent step in compiled lock.yml by @Copilot in #35880
• [docs] Update editor preview screenshots – 2026-05-30 by @github-actions[bot] in #35890
• [instructions] Sync instruction files with release v0.76.1 by @github-actions[bot] in #35892
• docs: remove deprecated/migration callouts by @dsyme in #35923
• [spec-enforcer] Enforce specifications for typeutil, workflow, actionpins by @github-actions[bot] in #35910
• Remove markdown header from <repo-memory> default prompt section by @Copilot in #35920
• [docs] Consolidate developer specifications into instructions file by @github-actions[bot] in #35928
• Improve checkout prompt clarity: repo→path mapping and sparse-checkout visibility by @Copilot in #35927
• Remove nested Markdown headers from mcp-clis prompt section by @Copilot in #35922
• fix: add SEC-004 exemption to safe_output_execution_metadata.cjs by @Copilot in #35933
• Preserve agent and inlined-skill frontmatter during runtime imports so model selection is honored by @Copilot in #35938
• fix: emit filter:'' in agent checkout when sparse-checkout is enabled (#35947) by @dsyme in #35949
• Copy skills from aw.yml manifest first; copy skill folders recursively and safely by @Copilot in #35946
• Add safe-output failure guardrails and actionable PR-branch checkout errors by @Copilot in #35945
• Drop redundant --yolo from Pi engine invocations by @Copilot in #35950
• Route harness fallback diagnostics through safeoutputs CLI by @Copilot in #35934
• feat: Anthropic WIF support in EngineAuthConfig and ClaudeEngine by @Copilot in #35939
• Strip processed on.needs from emitted on: YAML to prevent invalid workflow syntax by @Copilot in #35965
• chore: bump firewall to v0.25.58 and gateway to v0.3.22 by @Copilot in #35973
• fix: activation comment uses wrong repo/client and fires on empty commits by @dsyme in #35982
• feat: add copilot-sdk engine front matter field by @Copilot in #35936
• Disable bash histexpand in all generated shell wrappers by @Copilot in https://github....

v0.77.3

🌟 Release Highlights

This release brings expanded sandbox configuration capabilities, improved workflow validation, and several reliability fixes across the compiler and setup infrastructure.

✨ What's New

• authHeader support in sandbox agent targets — Workflows using sandbox.agent.targets can now specify custom authentication headers directly in the frontmatter, enabling secure communication with authenticated agent endpoints. (#35694)

• gh aw init creates the Agentic Workflows custom agent — Running gh aw init now scaffolds a GitHub Copilot custom agent configuration for Agentic Workflows, giving you an AI-powered assistant right from project setup. (#35773)

• Stricter schema validation for workflow_call/workflow_dispatch inputs — Unknown keys in workflow_call and workflow_dispatch input definitions are now rejected at compile time, catching configuration errors early and preventing silent misconfiguration. (#35788)

🐛 Bug Fixes & Improvements

• Fixed false expression harvesting in bash comments — Expressions inside ${{ ... }} that appeared in bash # comment lines were incorrectly harvested. These are now properly ignored, preventing spurious validation errors in scripts with commented-out expressions. (#35777)

• Fixed bundle recovery on shallow/sparse checkouts — The --filter=blob:none git option is now only applied when the repository is a shallow or sparse checkout, resolving failures in standard full-clone environments. (#35766)

• Improved setup installer resilience — The setup installer now handles missing Antigravity checksums.txt gracefully, preventing installation failures when checksum files are unavailable. (#35747)

• Removed deprecated Copilot model aliases — Stale model aliases and multiplier registry entries (including gpt-5.3-codex) have been cleaned up. Workflows using these aliases should update to current model names. (#35786, #35765)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 840.1K

---

What's Changed

• Handle missing Antigravity checksums.txt in setup installer by @Copilot in #35747
• [WIP] Fix failing GitHub Actions job "lint-go" by @Copilot in #35743
• Harden Daily SPDD planner output contract to prevent placeholder issue bodies by @Copilot in #35752
• fix(bundle-recovery): gate --filter=blob:none on shallow or sparse checkouts by @dsyme in #35766
• Refine Outcome Collector executive report layout and shift cadence to 3-day runs by @Copilot in #35748
• feat: expose authHeader in sandbox.agent.targets frontmatter by @Copilot in #35694
• fix: use 1s benchtime for CLI helper benchmarks to eliminate false regressions by @Copilot in #35763
• Migrate smoke-copilot and daily-fact off deprecated gpt-5.3-codex → gpt-5.4 by @Copilot in #35765
• [linter-miner] feat(linters): add jsonmarshalignoredeerror linter to catch discarded json.Marshal/Unmarshal errors by @github-actions[bot] in #35767
• Add missing job timeouts to high-risk push/PR workflows by @Copilot in #35775
• Use testify assertions in pkg/errorutil/errors_test.go for consistent table-test failures by @Copilot in #35776
• Update gh aw init to create the Agentic Workflows custom agent by @Copilot in #35773
• Ignore ${{ ... }} in bash # comments during run-script expression harvesting by @Copilot in #35777
• Remove deprecated Copilot model aliases from built-in alias and multiplier registries by @Copilot in #35786
• Schema: reject unknown keys in workflow_call/dispatch input definitions by @Copilot in #35788
• workflow: replace deprecated empty AddCommentConfig with alias to AddCommentsConfig by @Copilot in #35787

Full Changelog: v0.77.2...v0.77.3

v0.77.2

🌟 Release Highlights

This release introduces permission-based Copilot token control, new sandbox configuration options, BYOK improvements, and a community-contributed git fetch fix.

⚠️ Breaking Changes

Copilot Requests — Permission-based enablement replaces feature flag (#35642)

features.copilot-requests has been removed. Copilot inference via github.token is now controlled by an explicit workflow permission:

permissions:
  copilot-requests: write

A migration codemod is available to update existing workflows automatically:

gh aw fix

✨ What's New

• Model fallback toggle — A new sandbox.agent.model-fallback field in workflow frontmatter lets you enable or disable automatic model fallback for agent runs. (#35630)

• BYOK: smarter provider routing — When COPILOT_PROVIDER_BASE_URL is set, COPILOT_GITHUB_TOKEN injection is now suppressed to avoid conflicts with custom Bring-Your-Own-Key provider setups. (#35631)

• Updated default versions — Default Claude, Copilot, Codex engine versions, and the GitHub MCP Server have been bumped to their latest stable releases. (#35691)

🐛 Bug Fixes & Improvements

• Git fetch depth alignment — The git fetch step now correctly passes --depth to match the configured checkout fetch-depth, preventing shallow-clone mismatches in sparse-checkout scenarios. (#35730)

• Hardened cache-memory artifact upload — Cache-memory uploads are now resilient against corrupted git object stores that previously caused silent failures. (#35595)

• Secret redaction regex updated — The ghs_ redaction pattern has been updated to correctly handle the new stateless token format. (#35612)

• Failure-reporter deduplication — Failure reports are now deduplicated over a 24-hour window with per-category issue caps, reducing notification noise. (#35596)

• SHA256 checksum verification — The install_antigravity_cli.sh script now verifies downloaded binaries against their SHA256 checksums before installation. (#35629)

📚 Documentation

• Measuring Impact — New guide on how to measure the impact of agentic workflows. (#35651)

• Daily outcome reporting — Updated executive-first daily outcome report with lifecycle health guidance. (#35650)

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 831K

---

What's Changed

• Update ghs_ secret redaction regex for stateless token format by @Copilot in #35612
• [WIP] Fix failing GitHub Actions job Redirect Resolution Tests by @Copilot in #35610
• Reduce failure-reporter noise with 24h dedup + per-category issue cap by @Copilot in #35596
• [community] Update community contributions in README by @github-actions[bot] in #35621
• [code-simplifier] Extract appendSparseCheckoutLines helper to remove duplication by @github-actions[bot] in #35634
• security: add SHA256 checksum verification to install_antigravity_cli.sh by @Copilot in #35629
• scout: token optimization — remove unused imports, add fetch/context guards by @Copilot in #35632
• docs(outcomes): sync Outcome States and Accepted Outcomes table with Safe Output Outcome Evaluation spec by @Copilot in #35633
• docs: Measuring Impact by @mnkiefer in #35651
• docs: executive-first daily outcome report with lifecycle health guidance by @Copilot in #35650
• Stabilize non-fast-forward fallback tests in push_to_pull_request_branch (CJS shard 4) by @Copilot in #35689
• [docs] Update glossary - daily scan by @github-actions[bot] in #35681
• [docs] Update documentation for features from 2026-05-29 by @github-actions[bot] in #35686
• [spec-extractor] docs: Update package specifications for agentdrain, cli, console, constants by @github-actions[bot] in #35680
• [instructions] Sync instruction files with release v0.76.1 by @github-actions[bot] in #35667
• CI: enforce regexpcompileinfunction and fprintlnsprintf in custom linter gate by @Copilot in #35690
• [jsweep] Clean upload_artifact.cjs by @github-actions[bot] in #35635
• BYOK: suppress COPILOT_GITHUB_TOKEN injection when COPILOT_PROVIDER_BASE_URL is set by @Copilot in #35631
• chore: bump default Claude/Copilot/Codex and GitHub MCP Server versions by @Copilot in #35691
• fix: pass --depth to git fetch step to match checkout fetch-depth by @dsyme in #35730
• feat: expose sandbox.agent.model-fallback toggle in compiler frontmatter by @Copilot in #35630
• Remove features.copilot-requests; gate Copilot token mode on permissions.copilot-requests: write, add migration codemod, and apply migration across repo workflows by @Copilot in #35642
• [blog] Agent of the Day – 2026-05-29 by @github-actions[bot] in #35732
• chore(deps): bump github.com/charmbracelet/x/exp/golden to latest safe patch pseudo-version by @Copilot in #35731
• Harden cache-memory artifact upload against corrupted git object stores by @Copilot in #35595
• refactor(errormessage): rename helper functions to reflect exact matching semantics by @Copilot in #35728

Full Changelog: v0.77.1...v0.77.2

v0.77.1

🌟 Release Highlights

This release brings meaningful performance improvements to workflow compilation, key fixes for safe-output reliability and version update notices, better multi-engine support in gh aw init, and enhanced release security with Microsoft Defender scanning.

✨ What's New

• gh aw init --engine flag (#35542) — The init command now exposes --engine and skips Copilot-specific scaffolding for non-Copilot engines (Claude, Codex, custom), reducing onboarding friction when working with alternative AI engines.

• Microsoft Defender scanning in release workflow (#35482, #35494) — Windows release binaries are now scanned with Microsoft Defender before shipping. The scan stage has been hardened to prevent silent skips where MpCmdRun.exe exits 0 without actually scanning the binary.

• Safe-output parameter documentation improvements (#35584) — Non-obvious parameter names and auto-targeting behavior are now explicitly documented, preventing silent field drops for keys like pull_request_number and issue_number.

⚡ Performance

• 37% CompileComplexWorkflow regression fixed (#35557) — Per-compile allocation hotspots were eliminated, recovering a regression from 3.06ms → 4.20ms back to baseline. GC overhead dropped from ~26% of CPU time.

• ~20% CompileMCPWorkflow regression fixed (#35540) — Repeated JSON decoding of builtin model aliases during compilation is now cached, removing a significant per-compile allocation cost.

🐛 Bug Fixes & Improvements

• Semver-aware update notices (#35588) — The CLI update notice was comparing versions lexicographically, incorrectly flagging newer pinned pre-releases as outdated. Semver comparison now correctly handles pre-release ordering.

• Safe-output PR replay base-boundary fix (#35578) — PR creation could incorrectly replay the base-branch boundary commit in shallow clones, leading to malformed PRs. The git rev-list boundary condition is now handled correctly.

• Sub-Issue Closer safe-output contract (#35590) — Fixed add_comment calls emitted without a numeric target under target: "*", which caused the post-step safe_outputs job to reject them.

• Sparse-checkout propagation in safe_outputs (#35593) — sparse-checkout patterns and fetch-depth from CheckoutConfig entries are now correctly propagated into generated safe_outputs checkout steps.

• Outcome-collector workflow report updated (#35552) — Stale paths and a report format predating typed outcome evaluators (ADR-35218) have been corrected.

🔧 Internal

• Typed engine constants (#35559) — Raw engine string comparisons replaced with constants.*Engine typed constants across compiler, firewall, and validation code.
• Consolidated InputDefinition struct (#35563) — workflow.InputDefinition and parser.ImportInputDefinition were byte-for-byte duplicates; unified into a single shared type to prevent future drift.
• New strconvparseignorederror linter (#35544) — Detects ignored errors from strconv parse functions.
• agentic-workflows dispatcher refactored to skill format (#35580) — Migrated from legacy custom agent file to the skill format, aligning with current init/upgrade flows.

📚 Documentation

• CLI reference fixes (#35600) — Missing flags and a flag rename were corrected in the CLI setup documentation.
• Network reference condensed (#35533) — network.md reduced from 391 → 297 lines (24% reduction) with no information loss.

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 1.2M

---

What's Changed

• [WIP] Fix failing GitHub Actions job build by @Copilot in #35521
• Refine Actions secret encryption path in nacl/box usage by @Copilot in #35496
• [docs] docs: unbloat network.md (391 → 297 lines, 24% reduction) by @github-actions[bot] in #35533
• Harden Microsoft Defender scan stage to prevent silent gh-aw.exe scan skips by @Copilot in #35494
• [WIP] Fix failing GitHub Actions job lint-go by @Copilot in #35539
• Reduce CompileMCPWorkflow regression by caching builtin model alias loading by @Copilot in #35540
• Add Microsoft Defender scan job to release workflow by @Copilot in #35482
• fix(outcome-collector): update report for new Safe Output Outcome Evaluation by @Copilot in #35552
• SPDD 2026-05-28: P0/P1/P2 spec work — implement SM-IS-01 10 KB limit (all transports), fix R-IMPL-040, add norms/vectors/safeguards by @Copilot in #35528
• Expose gh aw init --engine and skip Copilot-only scaffolding for non-Copilot engines by @Copilot in #35542
• refactor: replace raw engine strings with typed constants.*Engine by @Copilot in #35559
• [linter-miner] feat(linters): add strconvparseignorederror linter by @github-actions[bot] in #35544
• Improve fix command test robustness in fix_command_test.go by @Copilot in #35564
• perf: fix 37% regression in CompileComplexWorkflow by eliminating per-compile allocation hotspots by @Copilot in #35557
• [WIP] Fix failing GitHub Actions job JS Tests (shard 2/4) by @Copilot in #35582
• [safeoutputs] Clarify non-obvious parameter names and auto-targeting to prevent silently stripped fields by @Copilot in #35584
• fix: propagate sparse-checkout patterns and fetch-depth to safe_outputs checkout by @dsyme in #35593
• Tighten Sub-Issue Closer add_comment target contract by @Copilot in #35590
• Handle base-boundary commits in signed safe-output PR replay by @Copilot in #35578
• chore: update changeset workflow model to gpt-5.4 by @Copilot in #35573
• Use semver-aware update notices for newer pinned pre-releases by @Copilot in #35588
• Consolidate duplicated input-definition structs behind a single shared type by @Copilot in #35563
• Refactor agentic-workflows dispatcher from legacy agent file to skill by @Copilot in #35580
• [docs] Self-healing documentation fixes from issue analysis - 2026-05-29 by @github-actions[bot] in #35600
• Align workflow step names with glossary and cache naming conventions by @Copilot in #35592

Full Changelog: v0.77.0...v0.77.1

v0.77.0

🌟 Release Highlights

This release delivers significant new developer-facing capabilities — enterprise environment defaults, per-tool call limits, and forecast workflow improvements — alongside a strong set of reliability fixes for safe outputs and multi-checkout workflows.

⚠️ Breaking Changes

• Yield feature removed: The yield keyword has been removed from workflows, scripts, and documentation (#35477). Workflows using yield must be updated before upgrading.

✨ What's New

• Enterprise environment defaults (gh aw defaults): Centralized compiler controls for GH_AW_DEFAULT_* environment variables, plus a new gh aw defaults command for batch management of default settings (#35286).

• Per-tool call limits: You can now set maximum call counts per tool in tools.github.allowed, giving fine-grained control over agent tool usage within a single run (#35376).

• Forecast improvements: gh aw forecast now always files outcome issues and supports a --timeout flag with error templating for reliable scheduled workflow tracking (#35492).

• Slash-containing refs in gh aw add: gh aw add owner/repo/path/to/workflow.md@ref now correctly handles refs that contain slashes (e.g. refs/heads/feature/my-branch) (#35199).

• Slash command run-again hint: A rerun hint is now automatically appended to the generated footer when a workflow was triggered by a slash command, making it easier to re-invoke the agent (#35337).

• Body hash in lock metadata + on.stale-check: full: Lock files now include a body hash for better change detection, and the new on.stale-check: full mode enables comprehensive staleness checking (#34941).

🐛 Bug Fixes & Improvements

• Safe outputs cross-repo fix: Fixed bundle apply to skip unshallow and emit the correct fetch-refs step for cross-repo checkouts, resolving checkout failures (#35460).

• Multi-checkout PR patches: PR patches are now generated from the current: true checkout path in multi-checkout workflows, preventing incorrect base selection (#34875).

• Safe-output patch pinned to base commit: Patch application is now pinned to the recorded base commit SHA, eliminating drift when the base branch advances during a run (#34876).

• Workflow call fan-out cancellation fix: workflow_call worker concurrency is now namespaced correctly, preventing spurious cancellations of parallel agent jobs (#35173).

• setup-node with node-version-file preserved: Runtime deduplication no longer removes setup-node steps that use node-version-file, fixing regressions in projects that pin Node via .nvmrc or package.json (#35321).

• DIFC proxy crash fix: Resolved a malformed version: crash in gh --repo within DIFC proxy steps (#35293).

• MCP log write fix: Corrected a proxy container UID/GID mismatch that caused MCP log write failures (#35069).

📚 Documentation

• Significant documentation streamlining: engines.md reduced by 21% and triggers.md reduced by 22% for faster navigation (#35263, #35015).
• New cost management guidance on the docs home page with effective token cap strategies and OTLP cost tracking (#35277, #35278).
• Improved security overview on the landing page and clarified .lock.yml purpose in Quick Start (#35282, #35078).

---

For complete details, see CHANGELOG.

Generated by 🚀 Release · sonnet46 955.3K

---

What's Changed

• Promote github.actions.run_url from resource-only to span attribute in OTLP exports by @Copilot in #34898
• Generate PR patches from current: true checkout path in multi-checkout workflows by @Copilot in #34875
• Fix lint-go failure by removing unused parser helper by @Copilot in #34931
• Prevent GHES log over-masking by skipping short OTLP ::add-mask:: values by @Copilot in #34932
• Normalize copilot-session-insights discussion output hierarchy and disclosure by @Copilot in #34947
• Document pkg/logger dependency in sliceutil specification by @Copilot in #34945
• [dead-code] chore: remove dead functions — 5 functions removed by @github-actions[bot] in #34955
• Pin safe-output patch application to recorded base commit SHA by @Copilot in #34876
• Safe Outputs MCP: strip unknown keys for strict tool schemas before forwarding by @Copilot in #34934
• Optimize cli-consistency-checker with inline small-model sub-agents by @Copilot in #34957
• [blog] Agent of the Day – 2026-05-26 by @github-actions[bot] in #34954
• Reuse open [aw] <workflow> failed issues before creating new failure reports by @Copilot in #34946
• Correct Anthropic API key setup link in auth reference docs by @Copilot in #35006
• Remove 14 orphaned comment stubs from compiler.go by @Copilot in #35005
• feat(codex): gate verbose RUST_LOG behind debug mode by @Copilot in #35000
• [docs] docs: unbloat triggers.md (1040 → 810 lines, 22% reduction) by @github-actions[bot] in #35015
• Optimize include extraction hot path in findIncludesInContent by @Copilot in #35004
• feat: SPDD daily work items 2026-05-26 — spec sync, compliance tests, security norms by @Copilot in #35003
• feat: enable structured outputs for Codex detection job, update parser by @Copilot in #34999
• [caveman] Optimize instruction verbosity — token-optimization.md (2026-05-26) by @github-actions[bot] in #35057
• Add body hash to lock metadata; support on.stale-check: full by @Copilot in #34941
• [linter-miner] feat(linters): add ossetenvlibrary linter — flags os.Setenv/Unsetenv in library code by @github-actions[bot] in #35025
• Update ghs_ redaction regex for new stateless token format by @Copilot in #35063
• safe_outputs: treat locked add_comment targets as non-fatal skips by @Copilot in #35064
• Optimize dead-code-remover prompt to cut turn count and context growth by @Copilot in #35065
• safeoutputs: improve submit_pull_request_review description to prevent empty-invocation ERR_VALIDATION by @Copilot in #35060
• chore(deps): bundle Dependabot PRs for npm /actions/setup/js by @Copilot in #35072
• Remove estimated_cost from all reports by @Copilot in #35070
• Clarify .lock.yml purpose and edit model in Quick Start Step 2 by @Copilot in #35078
• Reduce BenchmarkValidation latency by caching permission-scope validation by @Copilot in #35076
• Use Codex structured outputs for threat detection parsing by @Copilot in #35061
• Strengthen fuzzy_match edge-case contracts in stringutil tests by @Copilot in #35077
• Guard Antigravity log parser in the setup action payload by @Copilot in #35102
• [compiler-threat-spec] spec: compiler threat detection spec v1.0.13 (2026-05-27 daily audit) by @github-actions[bot] in #35103
• Change compiler threat spec optimizer cadence to weekly by @Copilot in #35115
• [log] Add debug logging to 5 pkg files by @github-actions[bot] in #35119
• [code-simplifier] Simplify null check idiom and update stale comment in add_comment.cjs by @github-actions[bot] in #35118
• [community] Update community contributions in README by @github-actions[bot] in #35104
• Fix proxy container UID/GID mismatch causing MCP log write failures by @Copilot in #35069
• build(deps): bump astro from 6.3.5 to 6.3.8 in /docs by @dependabot[bot] in #35024
• [instructions] Sync safe-outputs.md with current code (v0.76.1) by @github-actions[bot] in https://github.com/github/gh-aw/pul...