Update github/gh-aw action to v0.68.3 #27334

Merged
renovate[bot] merged 1 commit into main from renovate/github-gh-aw-0.x
Apr 18, 2026

@renovate renovate bot commented Apr 10, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Type | Update | Change
github/gh-aw | action | minor | v0.67.1 -> v0.68.3

Release Notes

github/gh-aw (github/gh-aw)

v0.68.3

🌟 Release Highlights

This release delivers a major overhaul of push_signed_commits.cjs for edge-case reliability, significant improvements to shared workflow imports, smarter AI model error handling, and a wave of community-driven fixes.

✨ What's New
  • Model-not-supported detection — When a model is unavailable or not supported by your Copilot plan, the workflow now stops retrying and surfaces a clear, actionable error in the failure report rather than spinning indefinitely. (#​26229)
  • checkout field in shared imports — Shared importable workflows now support a checkout field, giving you control over which ref is checked out when importing a shared workflow. (#​26292)
  • env field in shared imports — You can now pass environment variables via env: in shared import blocks, eliminating the need for workarounds when shared workflows require custom env context. (#​26113)
  • Time Between Turns (TBT) metric — gh aw audit and gh aw logs now report Time Between Turns, a key indicator of whether LLM prompt caching is effective for your workflows. (#26321)
  • OTEL token breakdown — Conclusion spans now include token category breakdowns as attributes, enabling richer cost analysis in your observability dashboards. (#​26121)
  • API consumption charts as inline images — API consumption reports now render charts as inline Markdown images for instant visibility without requiring external image hosting. (#​26150)
🐛 Bug Fixes & Improvements

push_signed_commits.cjs — five targeted fixes:

  • File content is now read from commit objects (not the working tree), preventing stale-file bugs in agent-driven commits. (#​26287)
  • Copy/rename detection and C-quoted filenames are now handled correctly. (#​26277)
  • Non-100644 file modes (executables, symlinks) are detected and handled gracefully. (#​26259)
  • Commit ordering uses --topo-order and merge commits are handled with a git push fallback. (#​26306)
  • Submodule entries now fall back to a plain git push instead of erroring. (#​26298)

Other notable fixes:

  • on.github-token propagated to activation job — Cross-org workflow_call setups no longer fail because the GitHub token was missing from checkout and hash-check steps. (#​26137)
  • copilot-driver --resume auth recovery — Authentication failures during --continue/--resume are now handled instead of crashing the driver. (#​26146)
  • add_comment gains reply_to_id — The reply_to_id parameter is now documented in the MCP tool schema so agents reliably pass it when threading replies. (#​26288)
  • safe-outputs.actions tools exposed — Custom action tools defined in safe-outputs.actions are now included in the agent's MCP toolset. (#​26291)
  • engine.max-turns preserved through shared imports — The max-turns setting no longer silently drops when the engine config is sourced from a shared import. (#​26122)
  • Docker no longer required for gh aw compile --validate — Validation now skips Docker image checks when Docker is unavailable; opt in with --validate-images when needed. (#​26074)
  • GH_HOST env var used for GH CLI calls — gh repo view and gh pr create now respect GH_HOST, fixing failures in GHES and cross-org contexts. (#26311)
  • resolveIssueNumber strips stray quotes — Item numbers wrapped in quotes no longer cause resolution failures. (#​26114)
  • --safe-update renamed to --approve — The flag name now more clearly conveys its intent. (#​26160)
📚 Documentation
🌍 Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release!
@arthurfvives
@bbonafed
@corygehr
@susmahad
@tadelesh
@wtgodbe
@yskopets

For complete details, see CHANGELOG.


What's Changed

Full Changelog: github/gh-aw@v0.68.2...v0.68.3

v0.68.2

🌟 Release Highlights

This release delivers a focused wave of reliability improvements: compiler fixes that were blocking real workflows, expanded strict-mode flexibility, deeper temporary ID support, and a new integrity-reactions feature for fine-grained trust control. A huge batch of community-reported bugs across Copilot engine, safe-outputs, cross-org workflows, and MCP Gateway are now resolved.

✨ What's New
  • Reaction-based integrity control — The new integrity-reactions feature flag (requires MCPG ≥ v0.2.18, now bundled as v0.2.19) lets maintainers promote or demote tool-use integrity via 👍/❤️ and 👎/😕 GitHub reactions in proxy mode. Configurable endorsement and disapproval reaction sets with sensible defaults.

  • Temporary ID resolution now reaches further — #temporary_id references are now resolved inside dispatch_workflow input values, update_issue/add_comment targets, and git am patch content — closing three long-standing gaps that required manual workarounds.

  • Strict mode secrets unlocked — Strict mode now permits secrets.* in step-level with: bindings for action steps in pre-agent custom steps, and in step env: bindings — giving workflows a secure path to external secret managers without disabling strict mode entirely.

  • slash_command event scoping — A new scope option lets workflows restrict which event types (issue comment, PR comment, etc.) trigger slash commands, reducing noise from unintended contexts.

  • assign_to_agent multi-platform support — Copilot can now be assigned to the same issue multiple times when each assignment targets a different pull_request_repo (e.g., separate iOS and Android repositories), enabling true cross-platform agentic workflows.

  • workflows: write auto-inferred — The compiler now automatically infers the workflows: write permission when a GitHub App token's allowed-files targets .github/workflows/, eliminating a confusing manual step.

🐛 Bug Fixes & Improvements
  • create_issue rate-limit resilience — Added retry with jitter to the create_issue safe-output handler, preventing HTTP 403 failures when multiple daily workflows complete simultaneously and burst the API rate limit.

  • create_pull_request ENOBUFS crash — Fixed a spawnSync buffer overflow that caused create_pull_request to fail on large diffs; the safe-output handler no longer crashes on oversized payloads.

  • create_pull_request_review_comment tool not found — Resolved a runtime registration issue where the create_pull_request_review_comment safe-output tool was declared but not discoverable at runtime.

  • Copilot engine workflows restored — Fixed two distinct failures introduced in v0.67.2–v0.67.4 that broke Copilot-engine workflows; plus resolved silent exit code 1 errors in the compiled Copilot CLI.

  • Compiler: --allow-domains quoting fixed — The compiler no longer single-quotes --allow-domains values, which was breaking ${{ }} GitHub Actions expressions and causing HTTP 422 errors on workflow dispatch.

  • inputs.* expressions in workflow_call — Expressions using inputs.* in prompt bodies are now properly resolved when a workflow is invoked via workflow_call.

  • OIDC env vars forwarded to MCP Gateway — The compiler now forwards ACTIONS_ID_TOKEN_REQUEST_URL and related OIDC env vars to the docker run command for the MCP Gateway, enabling OIDC-based authentication flows.

  • MCP servers on GitHub Enterprise Server — Improved documentation and policy guidance for organizations where the "MCP servers in Copilot" policy is not visible in GHE settings.

  • SARIF upload permissions — Fixed Resource not accessible by integration errors during SARIF upload by correctly provisioning the required security-events: write permission.

  • Cross-org workflow_call — Resolved failures in resolve_host_repo, checkout, and hash checks when invoking workflows across organization boundaries.

  • push_repo_memory bot-comment guard — Fixed a bug where the push_repo_memory job ran even when the workflow was triggered by a bot comment that skipped pre_activation.

  • ParseWorkflow ~18% faster — Eliminated a JSON round-trip in schema validation and optimized node traversal, reducing workflow parse time by ~18% with ~22% fewer allocations.

🌍 Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release!
@apenab
@bbonafed
@benvillalobos
@bryanchen-d
@camposbrunocampos
@corygehr
@devantler
@JanKrivanek
@johnpreed
@kbreit-insight
@neta-vega
@susmahad
@theletterf
@wtgodbe
@yskopets

For complete details, see CHANGELOG.


What's Changed

Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • Only on Sunday and Saturday (* * * * 0,6)
    • Between 12:00 AM and 12:59 PM, only on Monday (* 0-12 * * 1)
    • Between 09:00 PM and 11:59 PM, Monday through Friday (* 21-23 * * 1-5)
    • Between 12:00 AM and 04:59 AM, Tuesday through Saturday (* 0-4 * * 2-6)
  • Automerge
    • Only on Sunday and Saturday (* * * * 0,6)
    • Between 12:00 AM and 12:59 PM, only on Monday (* 0-12 * * 1)
    • Between 10:00 PM and 11:59 PM, Monday through Friday (* 22-23 * * 1-5)
    • Between 12:00 AM and 04:59 AM, Tuesday through Saturday (* 0-4 * * 2-6)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions github-actions bot added the dependencies Pull requests that update a dependency file label Apr 10, 2026
codecov bot commented Apr 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.39%. Comparing base (1cd5086) to head (7e011fe).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #27334      +/-   ##
==========================================
- Coverage   73.39%   73.39%   -0.01%     
==========================================
  Files        1553     1553              
  Lines      125017   125017              
  Branches    15097    15097              
==========================================
- Hits        91761    91757       -4     
- Misses      32232    32255      +23     
+ Partials     1024     1005      -19     
Flag | Coverage Δ
admin-tests | 54.28% <ø> (-0.03%) ⬇️
e2e-tests | 73.39% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@renovate renovate bot force-pushed the renovate/github-gh-aw-0.x branch 5 times, most recently from cc44eef to 68b128f Compare April 12, 2026 07:04
@renovate renovate bot changed the title from "Update github/gh-aw action to v0.67.4" to "Update github/gh-aw action to v0.68.1" Apr 12, 2026
@renovate renovate bot force-pushed the renovate/github-gh-aw-0.x branch 10 times, most recently from 2454881 to 5b10c33 Compare April 16, 2026 04:59
@renovate renovate bot changed the title from "Update github/gh-aw action to v0.68.1" to "Update github/gh-aw action to v0.68.3" Apr 16, 2026
@renovate renovate bot force-pushed the renovate/github-gh-aw-0.x branch 3 times, most recently from a9227ff to ece0cf9 Compare April 16, 2026 10:54
@github-actions
E2E Tests Failed

To view the Playwright test report locally, run:

REPORT_DIR=$(mktemp -d) && gh run download 24506367937 -n playwright-report -D "$REPORT_DIR" && npx playwright show-report "$REPORT_DIR"

@renovate renovate bot force-pushed the renovate/github-gh-aw-0.x branch 7 times, most recently from 3427efb to 67c9412 Compare April 16, 2026 16:04
@renovate renovate bot force-pushed the renovate/github-gh-aw-0.x branch 6 times, most recently from 2b08f5b to 5354fed Compare April 17, 2026 15:39
@github-actions
E2E Tests Failed

To view the Playwright test report locally, run:

REPORT_DIR=$(mktemp -d) && gh run download 24573600298 -n playwright-report -D "$REPORT_DIR" && npx playwright show-report "$REPORT_DIR"

@renovate renovate bot force-pushed the renovate/github-gh-aw-0.x branch from 5354fed to 7e011fe Compare April 17, 2026 23:34
@renovate renovate bot merged commit 5689cbe into main Apr 18, 2026
45 checks passed
@renovate renovate bot deleted the renovate/github-gh-aw-0.x branch April 18, 2026 03:09