
[gh-aw-upgrade] gh-aw upgrade available: v0.68.3 → v0.75.0 #1155

Description

@github-actions

A new version of gh-aw is available. We are currently on v0.68.3, latest is v0.75.0.

Upgrade Assessment

Urgency: Recommended

Relevant Changes

v0.75.0

Breaking Changes (if any)

  • Deprecated field removal (infer): v0.75.0 removes deprecated infer. We did not find this field in .github/workflows/gh-aw-*.md, so no immediate rewrite is required.

New Features Worth Adopting

  • gh aw upgrade source sync fix: Upgrade now updates source .md workflow files in addition to lock artifacts, which is directly relevant because this repo stores source workflows in .github/workflows/gh-aw-*.md and compiles from them.
  • create_pull_request.temporary_id support: Enables more reliable cross-references between safe outputs when creating PRs.

Bug Fixes

  • Codex engine auth and model-flag fixes: Runtime stability improvements for Codex-based runs if/when used.

Security

  • No new mandatory security config change identified for our current frontmatter, but this release line includes ongoing MCP/firewall hardening updates.

v0.74.9

Breaking Changes (if any)

  • None requiring immediate changes in our current files.

New Features Worth Adopting

  • Safe-output filters on all operations: required-labels and required-title-prefix are now available broadly and can reduce accidental issue/comment mutations.
  • We currently use many mutation safe-outputs without these additional filters (for example .github/workflows/gh-aw-create-pr-from-issue.md:82-87 uses add-comment with target but no required-labels; .github/workflows/gh-aw-bug-hunter.md:78-83 uses create-issue.title-prefix but no required-title-prefix).

Bug Fixes

  • Validation and safe-output behavior improvements in this release line improve authoring safety and reduce malformed output risk.

Security

  • Additional safe-output guardrail improvements are included in this release line.

v0.74.5–v0.74.3

Breaking Changes (if any)

  • Validation tightening was introduced in this range (deprecation coverage, stricter schema checks). Our current frontmatter appears compatible based on sampled checks, but upgrade should be compiled/linted to confirm no regressions.

New Features Worth Adopting

  • tools.github.allowed-repos: current support (v0.74.5): useful for tightening repo-scoped access where applicable.

Bug Fixes

  • Multiple safe-output reliability fixes in this range are relevant because safe-outputs are used across all 52 gh-aw workflow markdown files.

Security

  • Safe-output threat-guardrail and MCP hardening improvements landed in this range and are relevant to our heavy safe-output usage.

Evidence from current repo

  • Makefile:4-6 pins GH_AW_VERSION, GH_AW_BUILD_VERSION, and GH_AW_COMPAT_VERSION to v0.68.3.
  • Top-level frontmatter usage across .github/workflows/gh-aw-*.md includes safe-outputs in all 52 files and strict: false in all 52 files.
  • .github/workflows/gh-aw-mention-in-pr-no-sandbox.md:93-97 shows safe-outputs with threat-detection: false in a no-sandbox workflow, where runtime/safe-output reliability improvements are especially important.

Upgrade Steps

  • Update GH_AW_VERSION in Makefile from v0.68.3 to v0.75.0
  • Update GH_AW_BUILD_VERSION in Makefile from v0.68.3 to v0.75.0
  • Update GH_AW_COMPAT_VERSION in Makefile from v0.68.3 to v0.75.0 (or keep older compat intentionally with rationale)
  • Add required-title-prefix where create-issue.title-prefix is used
  • Add required-labels on selected mutation operations (add-comment, label/close operations) where label conventions already exist
  • Run make compile and verify 0 errors, 0 warnings

Note

🔒 Integrity filter blocked 15 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #1128 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #537 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #312 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #504 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #540 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #240 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #640 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #600 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #93 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #643 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #703 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #599 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #687 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #235 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1067 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Internal: Upgrade Check ·

  • expires on May 29, 2026, 2:56 PM UTC
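As an added example (not part of the issue and not gh-aw's own code), the audit implied by the upgrade steps can be scripted so the same gaps are re-checked after the version bump. The key nesting under safe-outputs follows the issue's description; the sample frontmatter, the minimal parser subset and the function names are assumptions.

```python
import re
# Constructed frontmatter samples; values are illustrative, not the repo's files.
WEAK = """---
strict: false
safe-outputs:
  threat-detection: false
  add-comment:
    target: "*"
  create-issue:
    title-prefix: "[bug] "
---"""
FILTERED = """---
safe-outputs:
  add-comment:
    required-labels: [triage]
  create-issue:
    title-prefix: "[bug] "
    required-title-prefix: "[bug] "
---"""

def parse_frontmatter(text):
    """Minimal parser (assumption: block mappings only, scalars kept as strings)."""
    m = re.match(r"---\n(.*?)\n---", text, re.S)
    stack = [(-1, {})]  # (indent, mapping) of the currently open parents
    for line in (m.group(1).splitlines() if m else []):
        key, _, value = line.strip().partition(":")
        if not key or key.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:  # close mappings we have dedented out of
            stack.pop()
        if value.strip():
            stack[-1][1][key] = value.strip().strip('"')
        else:
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return stack[0][1]

def audit(text):
    """Return the guardrail gaps named in the issue for one workflow file."""
    fm = parse_frontmatter(text)
    so = fm.get("safe-outputs") if isinstance(fm.get("safe-outputs"), dict) else {}
    gaps = [k + ": false" for k, d in (("strict", fm), ("threat-detection", so))
            if d.get(k) == "false"]
    ci, ac = so.get("create-issue"), so.get("add-comment")
    if isinstance(ci, dict) and "title-prefix" in ci and "required-title-prefix" not in ci:
        gaps.append("create-issue: no required-title-prefix")
    if isinstance(ac, dict) and "required-labels" not in ac:
        gaps.append("add-comment: no required-labels")
    return gaps
```

Calling audit() on the text of each .github/workflows/gh-aw-*.md file gives a per-file list that should shrink to empty as the filters are added.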
