[gh-aw-upgrade] gh-aw upgrade available: v0.80.9 → v0.81.6 #1449

Description

@github-actions

A new version of gh-aw is available. We are currently on v0.80.9, latest is v0.81.6.

Open issue #1429 already tracks the upgrade through v0.81.4; this report is distinct because v0.81.5 and v0.81.6 add runtime/sandbox changes that are not covered there.

Upgrade Assessment

Urgency: Recommended

Relevant Changes

v0.81.6

Bug Fixes

  • Token usage collection restored (github/gh-aw#41823): release notes say TokenUsage had reported 0 fleet-wide since June 20 and is now fixed. This repo’s workflows run in non-interactive CI and generated outputs include AIC usage footers, so upgrading restores accurate usage observability.
  • Tool allowlist shell glob compile failure fixed (github/gh-aw#41840): release notes mention an exit code 126 from unsafe shell glob expansion in workflow tool allowlists. All 52 local .github/workflows/gh-aw-*.md files declare tools: frontmatter, so this is relevant compiler hardening even if no current failure is known.

v0.81.5

Breaking / Compatibility

  • GH_AW_POLICY_STRICT enforced at runtime (github/gh-aw#41682): non-strict compiled workflows now respect the strict policy flag at runtime. A repo-wide scan found every gh-aw-*.md workflow currently sets strict: false (for example .github/workflows/gh-aw-scheduled-audit.md:83, .github/workflows/gh-aw-internal-gemini-cli.md:89, and .github/workflows/gh-aw-internal-gemini-cli-web-search.md:91). Before upgrading, decide whether the runtime environment may set GH_AW_POLICY_STRICT=true; if so, these workflows need strict-mode cleanup rather than relying on strict: false.

New Features Worth Adopting

  • Sandbox sudo hardening baseline (github/gh-aw#41786): release notes say eligible agentic workflows now use sandbox.agent.sudo: false to reduce blast radius. Local workflows currently do not declare sandbox.agent.sudo; only the two intentional no-sandbox workflows disable the agent sandbox (.github/workflows/gh-aw-mention-in-issue-no-sandbox.md:78-81, .github/workflows/gh-aw-mention-in-pr-no-sandbox.md:92-93). Eligible sandboxed workflows should add:
sandbox:
  agent:
    sudo: false

Bug Fixes

  • Harness exits cleanly after expected safe outputs (github/gh-aw#41675): release notes say the harness exits 0 when expected safe outputs were already produced even if later cleanup hits permission-denied errors. This is relevant because all 52 local gh-aw-*.md workflows declare safe-outputs:.

Upgrade Steps

  • Update GH_AW_VERSION, GH_AW_BUILD_VERSION, and GH_AW_COMPAT_VERSION in Makefile:4-6 from v0.80.9 to v0.81.6.
  • Decide the strict-mode policy for this repo: keep GH_AW_POLICY_STRICT unset, or remove/fix strict: false usage before enabling it.
  • Add sandbox.agent.sudo: false to eligible sandboxed workflows; keep the two documented no-sandbox workflows unchanged unless their Docker requirement is removed.
  • Run make compile and verify 0 errors, 0 warnings.
  • Review generated lockfile diffs for compiler/runtime changes and close or supersede [gh-aw-upgrade] gh-aw upgrade available: v0.80.9 → v0.81.4 #1429 once this newer upgrade issue is adopted.

Generated by Internal: Upgrade Check · 989.4 AIC · ⌖ 11.6 AIC · ⊞ 24.9K ·

  • expires on Jul 6, 2026, 3:01 PM UTC
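
An added example, not part of the original issue or of gh-aw itself: a stdlib-only Python audit for the strict-mode and sandbox steps above, reporting which `gh-aw-*.md` workflows still set `strict: false` or lack `sandbox.agent.sudo: false`. It assumes block-style frontmatter between `---` lines and treats every workflow except the two no-sandbox files named in the issue as eligible; the function names and the sample frontmatter are constructed for illustration.

```python
import re
from pathlib import Path
# The two intentional no-sandbox workflows named in the issue are exempt.
NO_SANDBOX = {"gh-aw-mention-in-issue-no-sandbox.md", "gh-aw-mention-in-pr-no-sandbox.md"}
KEY = re.compile(r"^( *)([\w-]+):\s*(.*?)\s*(?:\s#.*)?$")
# Constructed sample frontmatter, not copied from any real workflow.
SAMPLE = """---
strict: false  # constructed value
sandbox:
  agent:
    sudo: true
---
Prompt body. A line like 'strict: true' here is outside the frontmatter.
"""

def frontmatter_paths(text):
    """Flatten block-style frontmatter mappings into {dotted.path: scalar}.
    Assumption: space-indented 'key: value' lines; list items are skipped."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    paths, stack = {}, []  # stack: (indent, key) of the enclosing mappings
    for line in lines[1:]:
        if line.strip() == "---":
            break
        m = KEY.match(line)
        if m:
            indent, key, value = len(m.group(1)), m.group(2), m.group(3)
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, key))
            if value:
                paths[".".join(k for _, k in stack)] = value
    return paths

def audit(name, text):
    """Return the upgrade findings for one workflow file."""
    p = frontmatter_paths(text)
    findings = []
    if p.get("strict", "").lower() == "false":
        findings.append("strict: false set")
    if name not in NO_SANDBOX and p.get("sandbox.agent.sudo", "").lower() != "false":
        findings.append("sandbox.agent.sudo: false missing")
    return findings

def audit_repo(root="."):
    """Map each gh-aw-*.md workflow under root to its list of findings."""
    files = sorted(Path(root).glob(".github/workflows/gh-aw-*.md"))
    return {str(f): audit(f.name, f.read_text(encoding="utf-8")) for f in files}
```

Calling `audit_repo()` from the repository root before and after the edit gives a per-file list to compare against the `make compile` result.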
