v0.72.1

🌟 Release Highlights

v0.72.1 delivers a new developer-facing lint command, critical compiler correctness fixes, and improved shared workflow ergonomics — all driven largely by community-reported issues.

✨ What's New

• gh aw lint — fast lock-file validation (#30704): New gh aw lint command runs actionlint directly against existing .lock.yml files — no recompile, no extra scanners. Perfect for a lightweight CI gate to catch syntax errors before pushing. Supports --dir, explicit file paths, and optional --shellcheck/--pyflakes checks.

• Import engine.mcp.tool-timeout from shared workflows (#30634): Shared workflows wrapping slow MCP servers (e.g. Repo Mind Light) can now declare engine.mcp.tool-timeout and engine.mcp.session-timeout once, and consumers inherit those values automatically — no more duplicating timeout configs in every consumer. Consumer-declared values still take precedence.

• First-party coding-agent skill for gh aw (#27259): Added a router skill that gives coding agents (Copilot, Claude, etc.) structured guidance on creating, debugging, and updating agentic workflows using the gh aw CLI.

• Shared skip-if-match dedup component: The common "open issue/PR by title prefix" deduplication query is now a shared compiler-imported component, eliminating copy-paste duplication across dozens of workflows.

🐛 Bug Fixes & Improvements

• && preserved in compiled workflow expressions (#30695): Go's HTML escaping was converting && to \u0026\u0026 inside AWF config JSON embedded in .lock.yml files, corrupting ${{ ... && ... }} expressions and causing workflow parse failures. Fixed by switching to json.Encoder with SetEscapeHTML(false).

• safe-outputs permission regression fixed (#30733): When update-project appeared alongside add-comment/add-labels, the minted App token was incorrectly downgraded to issues:read instead of issues:write, silently failing issue mutations.

• Conclusion comment now reflects safe_outputs failures (#30662): The conclusion job was reporting ✅ success even when safe_outputs failed (e.g., 422 on PR review submission). The job now correctly propagates safe_outputs status.

• Firewall binary version corrected (#30705, #30191): v0.71.1 was referencing a non-existent gh-aw-firewall version, causing 404s on AWF binary install. This release ships with the correct firewall v0.25.29 (which also includes the healthcheck fix).

• Playwright mode: cli recognized by compiler (#30088): gh aw compile now correctly accepts mode: cli in Playwright tool configuration.

• COPILOT_API_KEY dummy key no longer triggers over-billing (#30324): The dummy byok-key placeholder introduced in v0.71 was causing 10–100x premium request over-billing compared to v0.68. Fixed.

A huge thank you to the community members who reported issues that were resolved in this release!

@arthurfvives

• Bug: mode: cli for Playwright not recognized during gh aw compile (direct issue)

@bryanchen-d

• feat: lightweight gh aw lint — actionlint-only over existing .lock.yml files (no recompile, no zizmor/poutine) (direct issue)
• Compiler JSON-encodes && to \u0026\u0026 inside ${{ }} expressions in AWF config printf, breaking workflow parse (direct issue)

@haavamoa

• Release new gh-aw CLI version with firewall v0.25.29 (healthcheck fix) (direct issue)

@jonathanpeppers

• Conclusion comment shows success when safe_outputs fails to submit PR review (direct issue)

@lpcox

• Support importing engine.mcp.tool-timeout from shared workflows (direct issue)

@norrietaylor

• safe-outputs: update-project co-presence regresses handler-derived issues:write to issues:read in minted App token (direct issue)

@tore-unumed

• v0.71 COPILOT_API_KEY dummy-byok-key causes 10-100x premium request over-billing vs v0.68 (direct issue)

@verkyyi

• First-party coding-agent skills wrapping the gh aw CLI (direct issue)

@yskopets

• gh aw v0.71.1 compiles workflows referencing non-existent gh-aw-firewall v0.25.28, causing 404 on AWF binary install (direct issue)

---

For complete details, see CHANGELOG.

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

• #30705 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #30088 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #30324 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release · ● 14.1M

---

What's Changed

• Fix js-typecheck failure in OTLP payload guard by @Copilot in #30669
• Add daily SPDD spec-planning workflow that opens actionable issue queues by @Copilot in #30663
• fix: show failure in conclusion comment when safe_outputs job fails by @Copilot in #30666
• Remove cache option from Go setup step by @pelikhan in #30679
• Make bundle mode the default for safe-output patch packaging by @Copilot in #30626
• docs: move release process documentation to CONTRIBUTING.md by @Copilot in #30682
• Stabilize template conditional fuzz assertions to eliminate malformed-input false failures by @Copilot in #30678
• Stabilize codemod registry test by removing stale hardcoded count by @Copilot in #30677
• docs: SPDD spec improvements — multiplier registry, safeguards, conflict norms, error norms, sync notes, compliance stubs by @Copilot in #30681
• Fix lint-go failures in docker context tests and OTLP env assembly by @Copilot in #30676
• [caveman] Optimize instruction verbosity — cli-commands, experiments, github-mcp-server (2026-05-06) by @github-actions[bot] in #30690
• Add missing Agentic Ops pattern page by @Copilot in #30688
• Add retirement notice for releases 0.68.4–0.71.3 and FAQ upgrade instructions by @Copilot in #30698
• fix: skip COPILOT_API_KEY and /reflect when sandbox.agent is disabled by @Copilot in #30687
• Stabilize BenchmarkCompileMCPWorkflow by using Playwright CLI mode in benchmark fixture by @Copilot in #30697
• Align CLI help text semantics and terminology across mcp, project, pr, completion, logs, and init by @Copilot in #30696
• [workflow-style] Normalize report formatting guidance in workflow report prompts by @Copilot in #30702
• feat: support importing engine.mcp.tool-timeout and session-timeout from shared workflows by @Copilot in #30686
• [docs] Self-healing documentation fixes from issue analysis - 2026-05-07 by @github-actions[bot] in #30709
• Consolidate Grumpy + PR Nitpick into single pr-code-quality-reviewer by @Copilot in #30708
• perf: fix 104% regression in ExtractWorkflowNameFromFile by reducing scanner buffer allocation by @Copilot in #30706
• Preserve && in AWF config JSON embedded in lock workflows by @Copilot in #30700
• perf: eliminate reflection in validateSafeOutputsMax (4.3x faster) by @Copilot in #30701
• docs(instructions): never suggest pull_request_target over pull_request by @Copilot in #30718
• build(deps): Bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #30716
• Add compile release update checks by @Copilot in #30692
• Add W3C-driven compiler threat detection spec and daily coverage reconciler workflow by @Copilot in #30735
• Stabilize flaky MCP progress-notification tests in pkg/cli by @Copilot in #30727
• Enforce explicit safe-output completion in Resource Summarizer workflow by @Copilot in #30729
• feat: model alias inventory update 2026-05-07 by @Copilot in #30739
• Optimize jsweep workflow token footprint by trimming tool surface and prompt payload by @Copilot in #30730
• Remove cache-memory state from the Q workflow by @Copilot in #30731
• Add a lightweight agentic-workflows skill that routes to existing gh-aw prompts by @Copilot in #30734
• Preserve issues: write in safe-outputs App token when update-project is co-configured by @Copilot in #30738
• Unblock community attribution workflow by aligning restricted bash usage with prompt examples by @Copilot in #30766
• degrade: MCP guard policy auto-apply message from warning to info by @Copilot in #30774
• feat: enhance OTLP telemetry by @mnkiefer in #30800
• Add lightweight gh aw lint for lock-file-only actionlint checks and cancellation-aware execution by @Copilot in #30728
• [log] Add debug logging to 5 workflow pkg files by @github-actions[bot] in #30747
• [docs] docs: consolidate developer specs v9.2 (2026-05-07) by @github-actions[bot] in #30837
• [docs] Update documentation for features from 2026-05-07 by @github-actions[bot] in #30816
• fix: resolve 9 spec audit issues — add jsonutil spec, fix missing deps, standardize API table format by @Copilot in #30835
• [docs] Update glossary - daily scan by @github-actions[bot] in #30811
• [instructions] Sync mcp-servers stdio example with MCP Gateway v0.1.5 by @github-actions[bot] in #30801
• [spec-enforcer] Enforce specifications for agentdrain, cli by @github-actions[bot] in #30822
• Align workflow step names to Title Case in source and compiled workflows by @Copilot in #30788
• Refactor skip-if-match dedup into shared import and enable import-safe on field merging by @Copilot in #30787
• [ubuntu-image] Ubuntu Runner Image Analysis - 2026-05-07 by @github-actions[bot] in #30755
• [fp-enhancer] Improve pkg/actionpins: eliminate mutable shortSHA variable by @github-actions[bot] in #30808
• agentdrain: make NewAnomalyDetector consistent with package constructors by returning validated errors by @Copilot in #30786
• refactor: reorganize misplaced functions per semantic clustering analysis by @Copilot in #30770
• [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #30843
• [spdd] Tighten spec conformance and safeguards across five Draft reference specs by @Copilot in #30865
• docs: replace low-level cron with fuzzy scheduling in documentation by @Copilot in #30871
• [jsweep] Clean add_reaction_and_edit_comment.cjs by @github-actions[bot] in #30756
• Fix stale logging-level assertion causing JS Tests shard 2/4 failure by @Copilot in #30875

Full Changelog: v0.72.0...v0.72.1