Releases: github/gh-aw

v0.50.0

24 Feb 05:12
8624e99

🌟 Release Highlights

This release focuses on improving reliability and flexibility for agentic engine authentication — giving teams more control over how secrets are managed — alongside important fixes for CRLF repositories and token security.

✨ What's New

  • Custom engine token secrets — You can now provide your own engine.env in workflow frontmatter to override the default agentic engine token expression. gh-aw automatically wires your secret into both the execution step and the secret validator, giving teams full control over credential naming conventions (#18017).

🐛 Bug Fixes & Improvements

  • CRLF repository compatibility — Workflows like Code Simplification that push changes via safe_outputs were silently failing on repositories that normalize line endings with .gitattributes. The git am patch application step now correctly handles CRLF-encoded patches (#18029).

  • GH_AW_CI_TRIGGER_TOKEN scoped correctly — The CI trigger token is now emitted only at the step level (instead of job level), ensuring it is available exclusively to the safe-outputs handler and not inadvertently exposed across all job steps (#18030).

  • Dependency bumps — Claude Code updated to 2.1.51 and Copilot CLI to 0.0.415 across all 158 compiled workflows (#18046).

📚 Documentation

  • Agent-focused quick-start links (llms.txt, Create, Debug, Update) added to the documentation site footer — visible on every page (#18032).
  • README updated with instructions for agents to download llms.txt (#18031).
  • Documentation updated for GH_AW_CI_TRIGGER_TOKEN and features.copilot-requests (#18051).

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Update agentic engine token handling to use user-provided secrets by @Copilot in #18017
  • Update README with llms.txt download instruction by @pelikhan in #18031
  • Fix silent git am failure on CRLF repositories in safe_outputs patch application by @Copilot in #18029
  • 🔧 Fix GH_AW_CI_TRIGGER_TOKEN emit scope and update docs by @dsyme in #18030
  • Add agent-focused links to the docs footer by @Copilot in #18032
  • Fix premature exit in conformance checker due to bash arithmetic increment bug by @Copilot in #18035
  • [jsweep] Clean add_reaction.cjs by @github-actions[bot] in #18041
  • Strengthen noop documentation and add explicit noop instructions to all workflow prompts by @Copilot in #18045
  • [docs] Update documentation for features from 2026-02-24 by @github-actions[bot] in #18051
  • Bump Claude Code to 2.1.51 and Copilot CLI to 0.0.415 by @Copilot in #18046
  • refactor: extract applyFrontmatterLineTransform to eliminate duplicate codemod boilerplate by @Copilot in #18050
  • Add features.copilot-requests feature flag for GitHub Actions token auth by @Copilot in #18028

Full Changelog: v0.49.7...v0.50.0

v0.49.7

24 Feb 02:21
0ea0cf1

🌟 Release Highlights

This release sharpens the developer experience with a cleaner CI token configuration, more accurate audit diagnostics, polished error messages, and a new self-hosted runners guide.

⚠️ Breaking Changes

  • GH_AW_EXTRA_EMPTY_COMMIT_TOKEN renamed to GH_AW_CI_TRIGGER_TOKEN — If you set this environment variable to trigger CI pipelines on empty commits, update your secret name to GH_AW_CI_TRIGGER_TOKEN. (#17997)

✨ What's New

  • Simplified CI trigger token configuration — GH_AW_CI_TRIGGER_TOKEN is now used automatically when github-token-for-extra-empty-commit is not explicitly set, removing the need for the default keyword. Less boilerplate, same power. (#17997)
  • AI message footer in activation comments — Activation comments (PR/issue links and commit-pushed messages) now include a contextual AI message footer, giving collaborators clearer context about agent activity. (#18021)

🐛 Bug Fixes & Improvements

  • audit now points to the right error — The audit command was extracting error details from the "Complete job" teardown step instead of the actual failing step. It now correctly surfaces ##[error] annotations from the step that failed, making debugging dramatically more straightforward. (#18010)
  • Clearer max-turns error for Copilot engine — The error message for unsupported max-turns on the Copilot engine was self-contradictory (telling users to remove it while showing an example using it). The message is now clean and unambiguous. (#18009)
  • Fixed IMP-002 conformance check false failure — A casing mismatch in check-safe-outputs-conformance.sh caused a permanent false HIGH failure on every run. Now fixed. (#18011)

📚 Documentation

  • New guide: Self-hosted runners — A comprehensive new guide covers all runs-on formats, shared runner configuration patterns, and detection job runner overrides. (#17986)
  • Streamlined triggers reference — The triggers reference page has been refactored for clarity, reducing size by 16% while preserving all essential information. (#18002)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • [instructions] Sync github-agentic-workflows.md with release v0.40.1 by @github-actions[bot] in #17996
  • [docs] Consolidate engine architecture, JS sanitization pipeline, activation output transforms into dev.md v2.9 by @github-actions[bot] in #17999
  • Add documentation page on self-hosted runners configuration by @Copilot in #17986
  • [docs] docs: unbloat triggers reference page by @github-actions[bot] in #18002
  • fix: correct function name casing in IMP-002 conformance check by @Copilot in #18011
  • 🔑 Rename env var to GH_AW_CI_TRIGGER_TOKEN and default its usage by @dsyme in #17997
  • fix(audit): extract ##[error] annotations from all step logs instead of last-step content by @Copilot in #18010
  • fix: simplify max-turns error message by removing contradictory example by @Copilot in #18009
  • [WIP] Update activation comments with AI message footer by @Copilot in #18021

Full Changelog: v0.49.6...v0.49.7

v0.49.6

24 Feb 00:02

🌟 Release Highlights

This release focuses on authentication improvements, better self-hosted runner configurability, and a polished CLI experience — with significant documentation restructuring to make auth setup clearer than ever.

✨ What's New

  • GH_AW_CI_TRIGGER_TOKEN magic secret support — Set github-token-for-extra-empty-commit: "default" to automatically use the GH_AW_CI_TRIGGER_TOKEN magic secret without manual token wiring. This simplifies CI trigger token configuration for most workflows. (#17990)

  • Runner resolution for detection jobs — The detection job now inherits agent.runs-on by default and can be independently overridden via safe-outputs.detection.runs-on. The unlock job uses safe-outputs.runs-on, giving full control over runner placement in self-hosted environments. (#17979)

  • Simplified secrets set CLI — The gh aw secrets set command now uses a single --repo owner/repo flag (replacing the separate --owner and --repo flags) and defaults to the current repository. (#17977)

🐛 Bug Fixes & Improvements

  • Frontmatter hash extraction — extractHashFromLockFile now correctly reads the new JSON metadata format (# gh-aw-metadata: {...}) in addition to the legacy # frontmatter-hash: format, preventing false "workflow has changed" warnings. (#17971)

  • Docs build — Fixed an unclosed code fence in auth.mdx that was silently swallowing the GH_AW_AGENT_TOKEN section, causing broken anchor links across the docs. (#17972)

📚 Documentation

Auth documentation has been substantially restructured with dedicated pages:

  • GitHub Tools auth — New reference page at /reference/github-tools/
  • GitHub Projects auth — New dedicated auth-projects page
  • Copilot agent assignment — New assign-to-copilot auth guide
  • Gemini auth + Copilot PAT setup — Step-by-step guides for Gemini engine authentication and improved Copilot personal access token setup (#17957, #17990)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • fix: replace interface{} with any in WASM layout stub by @Copilot in #17960
  • [code-simplifier] refactor: simplify permissions converter and sort pattern by @github-actions[bot] in #17966
  • refactor: remove thin wrappers, move test helper to test file, consolidate formatDuration by @Copilot in #17964
  • Fix docs build: unclosed code fence in auth.mdx swallows GH_AW_AGENT_TOKEN section by @Copilot in #17972
  • 🔧 Simplify secrets set to use single --repo flag by @dsyme in #17977
  • [log] Add debug logging to five pkg files for better troubleshooting by @github-actions[bot] in #17980
  • Implement runner resolution strategy for unlock and detection jobs by @Copilot in #17979
  • 🔧 Fix frontmatter hash extraction to support JSON metadata format by @dsyme in #17971
  • 📚 Add Gemini auth docs and improve Copilot PAT setup by @dsyme in #17957
  • 🔐 Refactor auth docs and add GH_AW_CI_TRIGGER_TOKEN magic secret support by @dsyme in #17990

Full Changelog: v0.49.5...v0.49.6

v0.49.5

23 Feb 18:46
a93e36e

🌟 Release Highlights

This release focuses on correctness and reliability — fixing propagation bugs in threat detection, stabilizing compiled output ordering, and expanding schema coverage so configurations behave exactly as documented.

✨ What's New

  • Expanded runtime & permission schema coverage — RuntimeConfig and RuntimesConfig typed structs now cover all 11 supported runtimes (including bun, deno, uv, and more) plus action-repo/action-version fields. repository-projects and organization-projects permission scopes are now correctly included in the schema, preventing silent validation failures. (#17911, #17951)
  • storage.googleapis.com added to node ecosystem — Deno and Bun workflows that depend on Google Cloud Storage (e.g., deno/fresh, deno/postgres) can now reach storage.googleapis.com without extra network configuration. (#17944)
  • MCP observability pipeline alignment — The daily observability report now uses rpc-messages.jsonl as the canonical telemetry fallback, eliminating false 🔴 Critical alerts for Copilot-engine MCP runs. (#17950)
  • MCPServerID semantic type — MCP server ID constants are now compile-time typed, preventing accidental mixing with arbitrary string values. (#17897)

🐛 Bug Fixes & Improvements

  • Threat detection no longer inherits --agent flag — engine.agent was being propagated into the threat detection job via pointer copy, causing "No such agent" failures. The detection job now correctly ignores agent configuration. (#17949)
  • Stable compiled lock file ordering — Non-deterministic import and job dependency ordering caused noisy, spurious diffs in .lock.yml files on each recompile. Output ordering is now stable. (#17927)
  • Safe-outputs: 11 missing operation types restored — hasSafeOutputType() was missing cases for 11 operation types, plural YAML tags were mismatched, and meta fields were not being merged. All resolved. (#17908)
  • Network/firewall schema fixes — Schema description no longer incorrectly states firewall is Copilot-only; cleanup-script is now included; log-level hyphen casing corrected. (#17909)

📚 Documentation

  • Network docs updated for Codex & Gemini — The network.md reference now documents firewall and network feature support across all four engines. (#17910)
  • Playwright allowed_domains removed from docs — This field was deprecated in v0.9.0; the docs now correctly direct users to the top-level network: field. (#17942)

🌍 Community Contributions

A huge thank you to the community member who reported an issue resolved in this release:


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Add MCPServerID semantic type for MCP server ID constants by @Copilot in #17897
  • Fix "GitHub" capitalization in permissions_validation.go error message by @Copilot in #17901
  • Expand RuntimeConfig and RuntimesConfig typed structs to cover all supported runtimes and fields by @Copilot in #17911
  • [workflow-style] Normalize report formatting for cli-consistency-checker and repository-quality-improver by @Copilot in #17928
  • docs: update network.md to document Codex and Gemini engine support for firewall/network features by @Copilot in #17910
  • fix: sync test assertions with capitalized "GitHub toolsets" message by @Copilot in #17935
  • Fix network/firewall schema description and engine support inconsistencies by @Copilot in #17909
  • fix: stabilize compiled lock file output ordering by @Copilot in #17927
  • [slides] Update AI Engines slide to include Gemini CLI by @github-actions[bot] in #17940
  • docs: remove tools.playwright.allowed_domains, replaced by network: by @Copilot in #17942
  • Add storage.googleapis.com to node ecosystem by @Mossaka in #17944
  • Fix safe-outputs: missing op types in hasSafeOutputType, plural YAML tags, unmerged meta fields, Serena schema enum by @Copilot in #17908
  • Align MCP observability pipeline: treat rpc-messages.jsonl as canonical telemetry fallback by @Copilot in #17950
  • Add missing permission scopes to schema and handle all meta-key in scope converter by @Copilot in #17951
  • Fix: engine.agent propagates to threat detection job causing "No such agent" failure by @Copilot in #17949

Full Changelog: v0.49.4...v0.49.5

v0.49.4

23 Feb 11:49
bf34f99

🔧 Release Highlights

This maintenance release delivers targeted bug fixes for Playwright integration and internal test reliability improvements.

🐛 Bug Fixes & Improvements

  • Playwright --no-sandbox argument fix — Corrected the --no-sandbox flag handling so Playwright workflows launch reliably in sandboxed GitHub Actions runners. (#17861)
  • Shell quoting for awf --allow-domains/--block-domains — Fixed SC1003 shell quoting issue: domain arguments are now correctly double-quoted, preventing unexpected word-splitting in firewall rules. (#17861)
  • Test isolation for workflow ID env vars — GITHUB_RUN_ID and GH_AW_WORKFLOW_ID are now cleared between test cases in messages.test.cjs, eliminating intermittent test failures caused by leaked state. (#17857)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • fix(tests): clear GITHUB_RUN_ID/GH_AW_WORKFLOW_ID in messages.test.cjs beforeEach by @Copilot in #17857
  • [specs] Update layout specification - 2026-02-23 by @github-actions[bot] in #17860
  • [docs] Update glossary - weekly full scan by @github-actions[bot] in #17877
  • Fix SC1003: use double quotes for awf --allow-domains/--block-domains arguments; fix playwright --no-sandbox arg by @Copilot in #17861

Full Changelog: v0.49.3...v0.49.4

v0.49.3

23 Feb 07:17
cb678b4

🌟 Release Highlights

This release brings a new workflow control option to quiet bot comments, improved engine icons, and reliability fixes for download scripts — plus two community-requested improvements.

✨ What's New

  • Silence activation comments — The new activation-comments: false frontmatter flag lets you disable the bot comments gh-aw posts when activating or falling back on a workflow. Useful for keeping issue/PR comment threads clean. (#17834)
  • Engine icons for Claude, Codex & Gemini — Local icon assets are now bundled for Claude, Codex, and Gemini alongside a Gemini author entry, giving workflow UIs a consistent visual identity across all supported engines. (#17837)
  • Community contributor celebration in release highlights — The release highlight generator now cross-references community-labeled issues with merged PRs and explicitly calls out the issue authors. (#17842)

🐛 Bug Fixes & Improvements

  • web-fetch MCP fix — The web-fetch MCP server was incorrectly generating a container format instead of the expected command/args structure, preventing it from initializing. (#17822)
  • Duplicate code detector — The detector now correctly emits a noop safe output when no duplication is found, avoiding spurious failures. (#17836)
  • Retry on transient download failures — Install scripts now pass --retry 3 --retry-delay 5 to curl when downloading the Copilot CLI and AWF binary, automatically recovering from the occasional 502 on public runners. (#17841)

📚 Documentation

  • Clarified that CLAUDE_CODE_OAUTH_TOKEN is not a supported authentication method. (#17835)
  • Updated reference documentation with the latest features. (#17830)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Fix smoke-copilot golden file to include --browser-arg --no-sandbox in Playwright entrypointArgs by @Copilot in #17819
  • [jsweep] Clean close_discussion.cjs by @github-actions[bot] in #17824
  • fix: web-fetch MCP server generates container format instead of command/args by @Copilot in #17822
  • [docs] Update documentation for features from 2026-02-23 by @github-actions[bot] in #17830
  • docs: clarify CLAUDE_CODE_OAUTH_TOKEN is not supported by @Copilot in #17835
  • Add Gemini author and local icons for Claude, Codex, and Gemini by @Copilot in #17837
  • fix(duplicate-code-detector): require noop when no duplication found by @Copilot in #17836
  • feat(release): celebrate community issue authors in release highlights by @Copilot in #17842
  • feat: add activation-comments to disable activation/fallback bot comments by @Copilot in #17834
  • Add --retry 3 with delay to curl downloads to handle transient 502s by @Copilot in #17841

Full Changelog: v0.49.2...v0.49.3

v0.49.2

23 Feb 03:03
1c8368c

🌟 Release Highlights

This release brings new workflow privacy controls, improved CI integration, key bug fixes in Playwright and safe-outputs conformance checks, and token-efficiency improvements in the safe-outputs prompt system.

✨ What's New

  • Workflow privacy via private frontmatter (#17801) — Workflows marked with private: true are now hidden from the gh aw add command, giving teams a clean way to keep internal-only workflows out of the public catalogue.

  • CI trigger token support for PR and branch pushes (#17803) — Workflows can now supply a dedicated token when triggering CI on PRs and branches, enabling richer automation pipelines that require elevated or scoped credentials.

🐛 Bug Fixes & Improvements

  • Playwright MCP: Chromium sandbox disabled for localhost access (#17808) — Fixed a configuration issue that prevented Playwright MCP from accessing localhost-hosted services inside the runner container.

  • Safe-outputs conformance: reduce SEC-003 false positives (#17790) — The conformance checker was incorrectly flagging valid safe-output patterns as SEC-003 violations; this is now resolved, reducing noise in security reports.

  • Safe-outputs prompt: XML wrapping & template extraction (#17769) — The safe-outputs prompt has been refactored to use dedicated template files and XML-wrapped content, improving token efficiency and maintainability without changing observable behaviour.

🔧 Internal

  • Shared components extracted for Serena Go analysis tooling and Copilot PR analysis base setup (#17797, #17798), improving reuse across workflows.
  • Developer specifications consolidated into a single instructions file (#17794).

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Refactor safe outputs prompt: extract all content to template files, wrap in XML, optimize for token usage by @Copilot in #17769
  • Fix SEC-003 false positives in safe-outputs conformance check by @Copilot in #17790
  • [instructions] Sync github-agentic-workflows.md with release v0.49.1 by @github-actions[bot] in #17792
  • [docs] Consolidate developer specifications into instructions file (2026-02-23) by @github-actions[bot] in #17794
  • Extract Serena Go Analysis Tool Configuration into shared component by @Copilot in #17798
  • Extract Copilot PR Analysis Base Setup into shared component by @Copilot in #17797
  • 🔔 Add CI trigger token support for PR and branch pushes by @dsyme in #17803
  • [q] fix: disable Chromium sandbox in Playwright MCP to allow localhost access by @github-actions[bot] in #17808
  • Add private frontmatter field to block add command by @Copilot in #17801

Full Changelog: v0.49.1...v0.49.2

v0.49.1

22 Feb 23:14

🌟 Release Highlights

This patch release delivers targeted security hardening, reliability improvements, and documentation polish—keeping your agentic workflows running smoothly and securely.

🔒 Security

  • Cross-repository allowlist validation (#17771): Flagged workflow handlers now enforce strict cross-repository allowlist checks, preventing unintended cross-repo access.

🐛 Bug Fixes

  • add-wizard imports resolution (#17765): Frontmatter imports: dependencies are now fetched locally during add-wizard, fixing resolution failures in offline or restricted environments.
  • Safe outputs expiry (#17737): All create-discussion safe output jobs across workflows now correctly set expires: 1d, avoiding stale output retention.
  • Parser property ordering (#17754): Strict unknown-property ordering in the parser is now stable, eliminating non-deterministic compilation output.

📚 Documentation

  • Quick Start guide hierarchy (#17745): Fixed heading levels in the Quick Start guide for improved navigation and accessibility.
  • Feature docs update (#17741): Documentation updated to reflect the latest features from 2026-02-22.

✨ Improvements

  • Archie workflow messaging (#17746): Workflow status messages from the Archie agent now use a more professional, consistent tone.

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Set expires: 1d for create-discussion safe outputs across all workflows by @Copilot in #17737
  • [docs] Update documentation for features from 2026-02-22 by @github-actions[bot] in #17741
  • Improve test quality for pkg/parser/import_cache_test.go by @Copilot in #17742
  • fix: correct heading hierarchy in Quick Start guide by @Copilot in #17745
  • Elevate professional tone in Archie workflow messages by @Copilot in #17746
  • parser: stabilize strict unknown-property ordering by @davidahmann in #17754
  • fix: fetch frontmatter imports: dependencies locally during add-wizard by @Copilot in #17765
  • refactor(workflow): Priority 1 semantic clustering — shared mount validation, copilot function relocation by @Copilot in #17768
  • [code-simplifier] parser: add doc comment and assertion message to normalizeAdditionalPropertyList by @github-actions[bot] in #17772
  • fix(IMP-003): move generateCustomJobToolDefinition to safe_outputs_config_generation.go by @Copilot in #17770
  • SEC-005: Add cross-repository allowlist validation to flagged handlers by @Copilot in #17771

Full Changelog: v0.49.0...v0.49.1

v0.49.0

22 Feb 15:18
0eb518a

🌟 Release Highlights

This release focuses on security hardening, safe outputs flexibility, and code quality improvements — making workflows more robust and configurable.

🔒 Security Hardening

Critical security fixes and hardening across the codebase:

  • Shell injection fix in upload_assets.cjs — closes an incomplete fix from a prior commit (#17736)
  • Hardened exec.Command invocations for cross-platform compatibility and security across the codebase (#17729)

✨ What's New

  • Templatable boolean & integer fields in safe outputs — workflow authors can now use template expressions for boolean flags and integer max fields, enabling dynamic configuration without recompilation (#17653, #17667, #17694)
  • expires codemod — a migration helper that automatically converts integer expires values to the new day-string format, making upgrades seamless (#17695)
  • Configurable bot trigger neutralization — safe-outputs.max-bot-mentions controls how many bot trigger references are preserved vs. escaped, with smarter handling for already-quoted entries (#17689)
  • Source links in GitHub MCP tools report — the MCP tools report now includes direct links to source definitions, improving discoverability (#17709)
  • MCP Gateway updated to v0.1.5 (#17697)

🐛 Bug Fixes & Improvements

  • Fixed base64 executable not found on Windows during gh aw update (#17720)
  • Resolved 22 actionlint expression errors caused by missing needs: declarations in 4 workflows (#17681)
  • Fixed ci-doctor to pre-download logs and artifacts, applying generic error heuristics to reduce token usage (#17719)
  • Replaced curl | sh uv install with pinned astral-sh/setup-uv action for more reliable CI (#17688)

🔧 Internal

  • Enabled 16 additional Go linters + modernize and intrange linters with all issues resolved (#17714, #17705)
  • Normalized report formatting across multiple internal workflows (#17727, #17698)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • [docs] Update dictation skill instructions by @github-actions[bot] in #17665
  • Convert boolean safe output fields to templatable bools by @Copilot in #17653
  • Add templatable integer support for safe output max fields by @Copilot in #17667
  • Fix SC2129: use grouped redirect for prompt construction in compiler template by @Copilot in #17687
  • Replace curl | sh uv install with pinned astral-sh/setup-uv action by @Copilot in #17688
  • Update safe outputs spec with templatable boolean and integer fields by @Copilot in #17694
  • Normalize report formatting for step-name-alignment and bot-detection workflows by @Copilot in #17698
  • Add codemod to migrate expires integer values to day-string format by @Copilot in #17695
  • fix: rename "Upload Assets to Orphaned Branch" step to "Push assets" across 23 workflows by @Copilot in #17696
  • Fix missing needs: declarations causing 22 actionlint expression errors in 4 workflows by @Copilot in #17681
  • Add modernize and intrange linters and fix all issues by @Copilot in #17705
  • Update MCP Gateway to v0.1.5 by @Copilot in #17697
  • Add source links to GitHub MCP tools report by @Copilot in #17709
  • fix(ci-doctor): pre-download logs and artifacts, apply generic error heuristics to reduce token usage by @Copilot in #17719
  • Fix base64 executable not found on Windows in gh aw update by @Copilot in #17720
  • neutralizeBotTriggers: allow first n references unchanged then escape excess, skip already-quoted entries, configurable via safe-outputs.max-bot-mentions by @Copilot in #17689
  • Normalize report formatting in org-health-report and daily-safe-outputs-conformance workflows by @Copilot in #17727
  • fix: use strings.Cut to resolve stringscut lint violation in known_needs_expressions by @Copilot in #17728
  • Enable 16 additional Go linters and fix all reported issues by @Copilot in #17714
  • Review and harden all exec.Command invocations for cross-platform compatibility and security by @Copilot in #17729
  • fix: close shell injection in upload_assets.cjs (incomplete fix from d07e64c) by @Copilot in #17736

Full Changelog: v0.48.4...v0.49.0

v0.48.4

22 Feb 05:54
24676b2

🌟 Release Highlights

This release promotes Google Gemini CLI to general availability, improves validation error quality, and consolidates network configuration with a migration codemod for Playwright users.

⚠️ Breaking Changes

  • Playwright allowed_domains/allowed_hosts removed — These fields have been moved from tools.playwright to the unified network.allowed configuration. Run the migration codemod to update your workflows automatically:
    gh aw fix --write
    The codemod playwright-allowed-domains-migration handles the conversion. (#17629)

✨ What's New

  • Google Gemini CLI is now GA — The Gemini engine graduates from experimental status and is ready for production workflows. Gemini gains /tmp/gh-aw/ read access outside the workspace, neutral tool mappings for settings compatibility, and improved diagnostics (DEBUG env var support, error log artifacts). (#17656, #17642, #17612, #17558)

  • Repo-memory branch scoped by workflow ID — Default repo-memory branches are now qualified with the workflow ID, preventing collisions when multiple workflows share the same repository memory. (#17657)

  • Smarter schema validation errors — Validation failures now include caret (^) pointers to the exact problem location, plain-English constraint descriptions, and contextual examples — making it much easier to fix frontmatter issues at a glance. (#17551)

  • Parent author allowed in add_comment — Workflows can now mention the author of the parent issue, PR, or discussion when posting comments, enabling more targeted notifications. (#17628)

🐛 Bug Fixes & Improvements

  • Audit surfaces pre-agent step errors — gh aw audit now reports errors that occur before the agent executes (e.g., setup failures), so investigations no longer require manual log digging. (#17623)
  • Standardized error codes in safe-output handlers — All safe output handlers now emit structured error codes (e.g., USE-001) for consistent error tracking and automation. (#17557)
  • PR triage scoped to fork PRs — Triage workflows now correctly restrict processing to fork-originated pull requests, reducing noise on internal PRs. (#17576)
  • Preserve expression-based draft boolean — The create-pull-request handler no longer drops expression values for the draft field during config compilation. (#17597)
  • Status comments enabled on all smoke workflows — All smoke-* workflows now post status comments, improving end-to-end validation coverage. (#17566)

📚 Documentation

  • Workflow Editors reference page — A new Workflow Editors page consolidates all available editors including the Agentic Prompt Generator. (#17570, #17574)
  • Supported runners table — The frontmatter reference now includes a table of supported runner types. (#17361)
  • Create Workflows page enhanced — Scenario-based AstroTabs examples replace the single prompt, giving new users concrete starting points. (#17560)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Fix schema validation error quality: caret pointer, duplicate path prefix, plain-English constraints, contextual examples by @Copilot in #17551
  • fix(workflows): add Python network preset to shared/trending-charts-simple.md by @Copilot in #17554
  • docs: replace single prompt with AstroTabs scenario examples on Create Workflows page by @Copilot in #17560
  • Enable status-comment on all smoke-* workflows by @Copilot in #17566
  • docs: convert Compiler Playground sidebar link into Workflow Editors reference page by @Copilot in #17570
  • feat(triage): restrict PR triage to fork PRs only by @Copilot in #17576
  • docs: add Agentic Prompt Generator to reference/editors page by @Copilot in #17574
  • Improve Gemini engine diagnostics: DEBUG env var, error log artifacts, and remove model fallback by @Copilot in #17558
  • Copilot/weekly workflow editor checks by @pelikhan in #17585
  • Copilot/update firewall access editors by @pelikhan in #17599
  • fix(USE-001): add standardized error codes to all safe output handlers by @Copilot in #17557
  • Copilot/update parser log javascript by @pelikhan in #17605
  • [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #17622
  • Allow parent issue/PR/discussion author as an allowed mention in add_comment by @Copilot in #17628
  • [docs] docs: unbloat dispatch-ops by condensing bullet lists and thin sections by @github-actions[bot] in #17626
  • [jsweep] Clean add_copilot_reviewer.cjs by @github-actions[bot] in #17641
  • fix(audit): surface pre-agent step errors when agent never executed by @Copilot in #17623
  • [docs] Update documentation for features from 2026-02-22 by @github-actions[bot] in #17647
  • Refactor: Extract shared missing issue handler logic into missing_issue_helpers.cjs by @Copilot in #17644
  • fix: preserve expression-based draft boolean in create-pull-request handler config by @Copilot in #17597
  • Remove tools.playwright allowed_domains/allowed_hosts; add codemod to migrate to network.allowed by @Copilot in #17629
  • feat(gemini): fix /tmp/ access and add neutral tool mapping for Gemini CLI settings by @Copilot in #17642
  • docs: add supported runners table to frontmatter reference by @Mossaka in #17361
  • Promote Google Gemini CLI from experimental to GA by @Copilot in #17656
  • Qualify default repo-memory branch by workflow ID by @Copilot in #17657

Full Changelog: v0.48.3...v0.48.4