chore(deps): update github/gh-aw action to v0.68.3

[release-workflows]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
github/gh-aw	action	minor	v0.43.18 → v0.68.3

---

Release Notes

github/gh-aw (github/gh-aw)

v0.68.3

Compare Source

🌟 Release Highlights

This release delivers a major overhaul of push_signed_commits.cjs for edge-case reliability, significant improvements to shared workflow imports, smarter AI model error handling, and a wave of community-driven fixes.

✨ What's New

• Model-not-supported detection — When a model is unavailable or not supported by your Copilot plan, the workflow now stops retrying and surfaces a clear, actionable error in the failure report rather than spinning indefinitely. (#​26229)
• checkout field in shared imports — Shared importable workflows now support a checkout field, giving you control over which ref is checked out when importing a shared workflow. (#​26292)
• env field in shared imports — You can now pass environment variables via env: in shared import blocks, eliminating the need for workarounds when shared workflows require custom env context. (#​26113)
• Time Between Turns (TBT) metric — gh aw audit and gh aw logs now report Time Between Turns, a key indicator of whether LLM prompt caching is effective for your workflows. (#​26321)
• OTEL token breakdown — Conclusion spans now include token category breakdowns as attributes, enabling richer cost analysis in your observability dashboards. (#​26121)
• API consumption charts as inline images — API consumption reports now render charts as inline Markdown images for instant visibility without requiring external image hosting. (#​26150)

🐛 Bug Fixes & Improvements

push_signed_commits.cjs — five targeted fixes:

• File content is now read from commit objects (not the working tree), preventing stale-file bugs in agent-driven commits. (#​26287)
• Copy/rename detection and C-quoted filenames are now handled correctly. (#​26277)
• Non-100644 file modes (executables, symlinks) are detected and handled gracefully. (#​26259)
• Commit ordering uses --topo-order and merge commits are handled with a git push fallback. (#​26306)
• Submodule entries now fall back to a plain git push instead of erroring. (#​26298)

Other notable fixes:

• on.github-token propagated to activation job — Cross-org workflow_call setups no longer fail because the GitHub token was missing from checkout and hash-check steps. (#​26137)
• copilot-driver --resume auth recovery — Authentication failures during --continue/--resume are now handled instead of crashing the driver. (#​26146)
• add_comment gains reply_to_id — The reply_to_id parameter is now documented in the MCP tool schema so agents reliably pass it when threading replies. (#​26288)
• safe-outputs.actions tools exposed — Custom action tools defined in safe-outputs.actions are now included in the agent's MCP toolset. (#​26291)
• engine.max-turns preserved through shared imports — The max-turns setting no longer silently drops when the engine config is sourced from a shared import. (#​26122)
• Docker no longer required for gh aw compile --validate — Validation now skips Docker image checks when Docker is unavailable; opt in with --validate-images when needed. (#​26074)
• GH_HOST env var used for GH CLI calls — gh repo view and gh pr create now respect GH_HOST, fixing failures in GHES and cross-org contexts. (#​26311)
• resolveIssueNumber strips stray quotes — Item numbers wrapped in quotes no longer cause resolution failures. (#​26114)
• --safe-update renamed to --approve — The flag name now more clearly conveys its intent. (#​26160)

📚 Documentation

• Gemini AI engine added to the introduction/how-they-work guide. (#​26147)
• github-app documented as a top-level Allowed Import Field in the imports reference. (#​26119)
• New working-directory navigation example in the side-repo-ops pattern. (#​26123)
• Comprehensive new guide: Maintaining repos with agentic workflows at scale. (#​26073)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@arthurfvives

• Feature: Auto-detect available models or gracefully fallback on 400 errors (Copilot Pro/Education) (direct issue)

@bbonafed

• on.github-token not propagated to checkout and hash check steps in activation job (breaks cross-org workflow_call) (direct issue)

@corygehr

• add-comment: reply_to_id not documented in tool schema, causing agents to skip it (direct issue)

@susmahad

• safe-outputs.actions custom action tools not exposed to agent MCP toolset (direct issue)

@tadelesh

• copilot-driver --resume fails with 'No authentication information found' after transient AI model error (direct issue)

@wtgodbe

• bug: resolveIssueNumber should strip surrounding quotes from item_number values (direct issue)

@yskopets

• feat: support checkout field in importable shared workflows (direct issue)
• Support env field in shared imports (direct issue)
• engine.max-turns is silently dropped when engine config is sourced from a shared import (direct issue)
• Remove Docker dependency from gh aw compile --validate (direct issue)
• docs: add working-directory navigation example to side-repo-ops pattern (direct issue)
• Docs: add top-level github-app to Allowed Import Fields in imports reference (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 4.1M

---

What's Changed

• Add retry with jitter to create_issue safe-output handler by @​Copilot in #​26056
• docs: comprehensive guide for maintaining repos with agentic workflows at scale by @​Copilot in #​26073
• Migrate chart image uploads to upload-artifact with skip-archive in shared workflows by @​Copilot in #​26075
• Update instructions to use upload-artifact with skip-archive instead of upload-asset by @​Copilot in #​26076
• Add spec-extractor, spec-enforcer, and spec-librarian agentic workflows by @​Copilot in #​26083
• feat(deep-report): increase create-issue max from 3 to 7 by @​Copilot in #​26077
• Skip Docker image validation when Docker is unavailable, add --validate-images flag by @​Copilot in #​26074
• [actions] Update GitHub Actions versions - 2026-04-13 by @​github-actions[bot] in #​26087
• fix: update TestMCPGSupportsIntegrityReactions for MCPG v0.2.19 default by @​dsyme in #​26091
• fix: add imperative verbs to "Super-linter" and "Cross-repo setup guidance" step names by @​Copilot in #​26095
• Add --gemini-api-target to AWF proxy for Gemini API routing by @​Copilot in #​26060
• [safe-output-integrator] Add missing test workflow for upload-asset safe output type by @​github-actions[bot] in #​26103
• Add hippo-memory shared workflow and daily learn workflow by @​Copilot in #​26109
• Add MemPalace as a shared MCP workflow by @​Copilot in #​26102
• docs: add README specifications for 15 missing packages, update console and logger specs by @​Copilot in #​26105
• Fix gh pr checkout failing with GH_HOST mismatch in issue_comment workflows by @​Copilot in #​26037
• feat: resolve upload_artifact temporary IDs to artifact URLs in safe output bodies by @​Copilot in #​26108
• fix: strip surrounding quotes from item_number in resolveIssueNumber by @​Copilot in #​26114
• refactor: use ExpressionBuilder for all if expressions in maintenance_workflow.go by @​Copilot in #​26116
• Fix Daily Hippo Learn: remove unsupported hippo --version check by @​Copilot in #​26112
• test: add tests for artifact URL mapping in processMessages by @​Copilot in #​26118
• docs: add github-app to Allowed Import Fields in imports reference by @​Copilot in #​26119
• docs: add working-directory navigation example to side-repo-ops pattern by @​Copilot in #​26123
• feat(otel): add token breakdown attributes to conclusion spans by @​Copilot in #​26121
• Token optimization for contribution-check: trim deep research, pre-fetch guidelines, narrow toolset, reduce batch cap by @​Copilot in #​26124
• feat: support env field in shared imports by @​Copilot in #​26113
• deps: update golang.org/x/mod v0.34.0 → v0.35.0 by @​Copilot in #​26138
• chore(deps-dev): bump follow-redirects from 1.15.11 to 1.16.0 in /docs in the npm_and_yarn group across 1 directory by @​dependabot[bot] in #​26141
• Replace gh pr checkout with git fetch refs/pull to avoid GH_HOST issues by @​dsyme in #​26136
• Remove 7 dead CJS scripts and their tests by @​dsyme in #​26140
• fix: prevent JS tests from hanging after completion by @​Copilot in #​26143
• Fix misleading fork detection for issue_comment and other minimal-PR events by @​dsyme in #​26144
• fix: preserve engine.max-turns through JSON roundtrip when sourced from shared import by @​Copilot in #​26122
• fix: propagate on.github-token to checkout and hash check steps in activation job by @​Copilot in #​26137
• fix: resolve vitest hang caused by mkdirSync on /proc by @​dsyme in #​26145
• docs: add Gemini to AI engines in introduction/how-they-work by @​Copilot in #​26147
• [docs] docs: remove bloat from Network Permissions reference by @​github-actions[bot] in #​26151
• fix: correct integrity level descriptions and auto-enable cli-proxy for reactions by @​lpcox in #​26154
• [docs] Update documentation for integrity-reactions feature by @​github-actions[bot] in #​26196
• [docs] Update Astro dependencies - 2026-04-14 by @​github-actions[bot] in #​26197
• [community] Update community contributions in README by @​github-actions[bot] in #​26195
• [spec-enforcer] Enforce specifications for console, envutil, stringutil by @​github-actions[bot] in #​26194
• [instructions] Sync github-agentic-workflows.md with v0.68.1 by @​github-actions[bot] in #​26193
• [spec-extractor] docs: add package specifications for cli, parser, and workflow by @​github-actions[bot] in #​26190
• [docs] docs: consolidate developer specs v6.0 — tone fixes and integrity-reactions by @​github-actions[bot] in #​26199
• [docs] Update glossary - daily scan 2026-04-14 by @​github-actions[bot] in #​26189
• [fp-enhancer] fp-enhancer: Improve pkg/agentdrain (round 1/20) by @​github-actions[bot] in #​26177
• [code-simplifier] refactor: use isCliProxyNeeded() in docker.go to remove logic duplication by @​github-actions[bot] in #​26168
• feat(api-consumption-report): render charts as inline markdown images by @​Copilot in #​26150
• fix: reduce agentic-workflows test scope and strengthen safe-output instructions in Agent Persona Explorer by @​Copilot in #​26152
• chore(deps-dev): bump vite from 8.0.5 to 8.0.8 in /actions/setup/js by @​dependabot[bot] in #​26188
• chore(deps-dev): bump @​vitest/coverage-v8 from 4.1.3 to 4.1.4 in /actions/setup/js by @​dependabot[bot] in #​26185
• chore(deps): bump golang.org/x/vuln from 1.1.4 to 1.2.0 by @​dependabot[bot] in #​26182
• chore(deps): bump charm.land/bubbletea/v2 from 2.0.2 to 2.0.5 by @​dependabot[bot] in #​26179
• chore(deps-dev): bump prettier from 3.8.1 to 3.8.2 in /actions/setup/js by @​dependabot[bot] in #​26181
• fix: copy upload_artifact files to staging in MCP server handler (#​26090) by @​Copilot in #​26157
• chore(deps): bump charm.land/lipgloss/v2 from 2.0.2 to 2.0.3 by @​dependabot[bot] in #​26178
• [jsweep] Clean add_workflow_run_comment.cjs by @​github-actions[bot] in #​26161
• fix(copilot-driver): handle auth failures in --continue attempts by @​Copilot in #​26146
• fix: deterministic audit metrics via run_summary.json cache and workflow-logs/ exclusion by @​Copilot in #​26148
• feat: add workflow_call support to agentic maintenance with output variables by @​Copilot in #​26209
• fix: resolve 6 CLI help text consistency issues by @​Copilot in #​26228
• feat: detect model-not-supported error, stop retrying, surface actionable guidance in failure reports by @​Copilot in #​26229
• fix: bump Gemini CLI default version to 0.37.2 by @​Copilot in #​26249
• Token optimization: auto-triage-issues workflow by @​Copilot in #​26247
• Add cost gate and pre-flight check to Documentation Unbloat workflow by @​Copilot in #​26248
• chore: remove schedule triggers from smoke-* workflows by @​Copilot in #​26260
• [slides] Fix toolsets default comment in MCP Servers slide by @​github-actions[bot] in #​26258
• Detect and handle non-100644 file modes (symlinks, executables) in push_signed_commits by @​Copilot in #​26259
• fix: rename --safe-update to --approve and improve safe update UX by @​dsyme in #​26160
• Fix C-quoted filename handling in push_signed_commits.cjs by @​Copilot in #​26277
• Split logs_report.go by report section by @​Copilot in #​26278
• fix: testifylint expected/actual order and invalid steps syntax in auto-triage-issues workflow by @​Copilot in #​26290
• fix: add reply_to_id to add_comment MCP tool schema by @​Copilot in #​26288
• fix: allow resolve_pull_request_review_thread on schedule/manual triggers when explicit thread_id is provided by @​Copilot in #​26285
• Fix push_signed_commits.cjs to read file content from commit objects, not working tree by @​Copilot in #​26287
• Split compiler_safe_outputs_config.go by concern by @​Copilot in #​26297
• Handle submodule entries in push_signed_commits by falling back to git push by @​Copilot in #​26298
• refactor: split audit_report_render.go into domain-specific files by @​Copilot in #​26304
• Split gateway_logs.go into concern-aligned files by @​Copilot in #​26296
• Split frontmatter_types.go into types, parsing, and serialization files by @​Copilot in #​26305
• feat: support checkout field in importable shared workflows by @​Copilot in #​26292
• fix: expose safe-outputs.actions custom action tools to agent MCP toolset by @​Copilot in #​26291
• fix(USE-003): emit staged mode preview summary in upload_artifact handler by @​Copilot in #​26313
• fix(USE-001): add standardized ERR_* error codes to two non-conformant handlers by @​Copilot in #​26315
• fix: --topo-order and merge commit fallback in push_signed_commits.cjs by @​Copilot in #​26306
• fix: use GH_HOST env var instead of --hostname flag for gh repo view and gh pr create by @​Copilot in #​26311

Full Changelog: github/gh-aw@v0.68.2...v0.68.3

v0.68.2

Compare Source

🌟 Release Highlights

This release delivers a focused wave of reliability improvements: compiler fixes that were blocking real workflows, expanded strict-mode flexibility, deeper temporary ID support, and a new integrity-reactions feature for fine-grained trust control. A huge batch of community-reported bugs across Copilot engine, safe-outputs, cross-org workflows, and MCP Gateway are now resolved.

✨ What's New

• Reaction-based integrity control — The new integrity-reactions feature flag (requires MCPG ≥ v0.2.18, now bundled as v0.2.19) lets maintainers promote or demote tool-use integrity via 👍/❤️ and 👎/😕 GitHub reactions in proxy mode. Configurable endorsement and disapproval reaction sets with sensible defaults. Learn more

• Temporary ID resolution now reaches further — #temporary_id references are now resolved inside dispatch_workflow input values, update_issue/add_comment targets, and git am patch content — closing three long-standing gaps that required manual workarounds.

• Strict mode secrets unlocked — Strict mode now permits secrets.* in step-level with: bindings for action steps in pre-agent custom steps, and in step env: bindings — giving workflows a secure path to external secret managers without disabling strict mode entirely.

• slash_command event scoping — A new scope option lets workflows restrict which event types (issue comment, PR comment, etc.) trigger slash commands, reducing noise from unintended contexts.

• assign_to_agent multi-platform support — Copilot can now be assigned to the same issue multiple times when each assignment targets a different pull_request_repo (e.g., separate iOS and Android repositories), enabling true cross-platform agentic workflows.

• workflows: write auto-inferred — The compiler now automatically infers the workflows: write permission when a GitHub App token's allowed-files targets .github/workflows/, eliminating a confusing manual step.

🐛 Bug Fixes & Improvements

• create_issue rate-limit resilience — Added retry with jitter to the create_issue safe-output handler, preventing HTTP 403 failures when multiple daily workflows complete simultaneously and burst the API rate limit.

• create_pull_request ENOBUFS crash — Fixed a spawnSync buffer overflow that caused create_pull_request to fail on large diffs; the safe-output handler no longer crashes on oversized payloads.

• create_pull_request_review_comment tool not found — Resolved a runtime registration issue where the create_pull_request_review_comment safe-output tool was declared but not discoverable at runtime.

• Copilot engine workflows restored — Fixed two distinct failures introduced in v0.67.2–v0.67.4 that broke Copilot-engine workflows; plus resolved silent exit code 1 errors in the compiled Copilot CLI.

• Compiler: --allow-domains quoting fixed — The compiler no longer single-quotes --allow-domains values, which was breaking $\{\{ }} GitHub Actions expressions and causing HTTP 422 errors on workflow dispatch.

• inputs.* expressions in workflow_call — Expressions using inputs.* in prompt bodies are now properly resolved when a workflow is invoked via workflow_call.

• OIDC env vars forwarded to MCP Gateway — The compiler now forwards ACTIONS_ID_TOKEN_REQUEST_URL and related OIDC env vars to the docker run command for the MCP Gateway, enabling OIDC-based authentication flows.

• MCP servers on GitHub Enterprise Server — Improved documentation and policy guidance for organizations where the "MCP servers in Copilot" policy is not visible in GHE settings.

• SARIF upload permissions — Fixed Resource not accessible by integration errors during SARIF upload by correctly provisioning the required security-events: write permission.

• Cross-org workflow_call — Resolved failures in resolve_host_repo, checkout, and hash checks when invoking workflows across organization boundaries.

• push_repo_memory bot-comment guard — Fixed a bug where the push_repo_memory job ran even when the workflow was triggered by a bot comment that skipped pre_activation.

• ParseWorkflow ~18% faster — Eliminated a JSON round-trip in schema validation and optimized node traversal, reducing workflow parse time by ~18% with ~22% fewer allocations.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@apenab

• MCP servers blocked by policy on GHE — unable to find "MCP servers in Copilot" policy setting (direct issue)

@bbonafed

• Cross-org workflow_call: resolve_host_repo, checkout, and hash check all fail (direct issue)
• Compiler does not forward OIDC env vars to MCP Gateway docker run command (direct issue)

@benvillalobos

• inputs.* expressions in prompt body not resolved when called via workflow_call (direct issue)

@bryanchen-d

• bug: compiler single-quotes --allow-domains breaking $\{\{ }} GA expressions, causing HTTP 422 on workflow dispatch (direct issue)

@camposbrunocampos

• assign_to_agent: allow multiple assignments to same issue when pull_request_repo differs (direct issue)

@corygehr

• Copilot-engine workflows broken: two distinct failures across v0.67.2 and v0.67.4 (direct issue)

@devantler

• Compiler does not auto-infer workflows: write on GitHub App tokens when allowed-files targets .github/workflows/ (direct issue)
• Support temporary ID resolution for update_issue and add_comment targeting (direct issue)

@JanKrivanek

• Safe-output tool 'create_pull_request_review_comment' not found at runtime despite correct declaration (direct issue)

@johnpreed

• dispatch_workflow handler does not resolve #temporary_id references in input values (direct issue)

@kbreit-insight

• SARIF upload gives "Resource not accessible by integration" error (direct issue)

@neta-vega

• slash_command: scope option to restrict trigger event types (direct issue)

@susmahad

• Strict mode blocks secrets.* in step env: bindings — no secure path for workflows that need external secret managers (direct issue)
• Strict mode: allow secrets.* in step-level with: for action steps in pre-agent custom steps (direct issue)

@theletterf

• Copilot CLI exits with code 1 silently when compiled with v0.67.3 (pre-release) (direct issue)

@wtgodbe

• Temporary ID references in patch content are not resolved before git am (direct issue)

@yskopets

• safeoutputs create_pull_request fails with ENOBUFS on large diffs (spawnSync buffer overflow) (direct issue)
• bug: push_repo_memory job runs when workflow is triggered by a bot comment (pre_activation skipped) (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.6M

---

What's Changed

• feat(test-quality-sentinel): pre-fetch PR diff, trim toolsets/bash tools, cap continuations by @​Copilot in #​25685
• build(deps-dev): bump basic-ftp from 5.2.1 to 5.2.2 in /docs in the npm_and_yarn group across 1 directory by @​dependabot[bot] in #​25699
• fix: update golden test files for Copilot CLI bump to 1.0.21 by @​Copilot in #​25692
• feat: use job.workflow_* context for host repo resolution by @​salmanmkc in #​25697
• fix: add actionlint config and fix SC2129 grouped redirects by @​Copilot in #​25700
• fix: restore permission-discussions in GitHub App token fields by @​lpcox in #​25709
• fix: resolve #temporary_id references in dispatch_workflow inputs before dispatching by @​Copilot in #​25693
• feat: container image digest pinning in actions-lock.json with update/upgrade integration by @​Copilot in #​25688
• Write JSONL mirror unconditionally, decoupled from OTLP endpoint by @​Copilot in #​25716
• Add cross-repo allowlist validation to close_entity_helpers (SEC-005) by @​Copilot in #​25715
• Fix inputs.* expressions not resolved when workflow invoked via workflow_call by @​Copilot in #​25718
• [aw] Updates available by @​github-actions[bot] in #​25726
• Fix test failures after action pin updates by @​Copilot in #​25745
• fix: double-quote --allow-domains args containing ${{ }} expressions by @​Copilot in #​25721
• Normalize report formatting instructions across daily workflow files by @​Copilot in #​25746
• fix: normalize container pins in wasm golden tests by @​Copilot in #​25750
• [docs] Unbloat MultiRepoOps pattern page by @​github-actions[bot] in #​25748
• [code-simplifier] refactor: add normalizeOutput/normalize helpers to consolidate normalization pipeline (#​25750 follow-up) by @​github-actions[bot] in #​25765
• [jsweep] Clean add_reaction.cjs by @​github-actions[bot] in #​25754
• perf: pre-compile regex patterns in hot validation paths by @​Copilot in #​25763
• perf: fix CompileSimpleWorkflow regression by reusing cached git root by @​Copilot in #​25764
• Forward OIDC env vars to MCP Gateway docker command by @​Copilot in #​25773
• fix: TestEngineConcurrencyIntegration agent job extraction matching manifest comment by @​Copilot in #​25774
• fix: TestContainerSupport agent job detection matches manifest comments by @​Copilot in #​25778
• Fix logs MCP tool writing cache to inaccessible /tmp/gh-aw-logs-cache/ by @​Copilot in #​25777
• fix: use exact YAML line matching for agent job detection in integration tests by @​Copilot in #​25780
• Support temporary ID resolution for update_issue, add_comment, and close_issue targeting by @​Copilot in #​25775
• [instructions] Sync github-agentic-workflows.md with v0.68.1 by @​github-actions[bot] in #​25783
• [community] Update community contributions in README by @​github-actions[bot] in #​25784
• Allow secrets in step-level env: bindings under strict mode by @​Copilot in #​25779
• Add unit tests for OIDC env var forwarding to MCP gateway docker command by @​Copilot in #​25785
• fix: improve upload_artifact error diagnostics and workflow staging instructions by @​Copilot in #​25786
• [docs] docs: developer documentation tone fixes (v5.8) by @​github-actions[bot] in #​25788
• Rename codemod_plugins.go functions to include ToDependencies suffix by @​Copilot in #​25789
• Refactor: remove semver.go wrappers, extract gateway_logs_render.go, consolidate MCP validation by @​Copilot in #​25792
• Extract shared buildInputSchema helper to deduplicate input-schema generation by @​Copilot in #​25795
• [dead-code] chore: remove dead functions — 4 functions removed by @​github-actions[bot] in #​25798
• Improve DDUw: scan artifact constants and recognize non-DDUw PR closures by @​Copilot in #​25814
• Fix resolveTarget JSDoc type to match 3-arg call site and deferred return by @​Copilot in #​25816
• Add allow-workflows field for GitHub App workflows:write permission on safe-outputs by @​Copilot in #​25817
• feat: use PR number for ADR file naming to avoid collisions by @​Copilot in #​25820
• feat: add --no-ask-user flag to copilot agentic engine for fully autonomous runs by @​Copilot in #​25822
• Improve compiler error messages for invalid engine: types by @​Copilot in #​25821
• feat: store temporary ID maps to file and include in safe outputs artifact by @​Copilot in #​25828
• feat: auto-copy input files to staging directory in upload_artifact handler by @​Copilot in #​25832
• fix: skip boolean/null literal wrapping in runtime imports by @​Copilot in #​25831
• Detect MCP policy errors and surface actionable guidance in failure issues by @​Copilot in #​25819
• Align compiler-generated step names to sentence case by @​Copilot in #​25836
• Fix ENOBUFS in execGitSync for large diffs (set maxBuffer to 100MB) by @​Copilot in #​25838
• [log] Add debug logging to 5 pkg/ files for improved troubleshooting by @​github-actions[bot] in #​25847
• [actions] Update GitHub Actions versions - 2026-04-11 by @​github-actions[bot] in #​25842
• fix: surface token usage artifact locations in debug agent prompt by @​Copilot in #​25849
• Add gh-aw.event_name span attribute to OTel setup and conclusion spans by @​Copilot in #​25856
• feat(design-decision-gate): remove pull request review submissions by @​Copilot in #​25870
• Merge firewall-audit-logs into unified agent artifact by @​Copilot in #​25868
• Fix shellcheck SC2086/SC2012/SC2129 warnings across 15 workflows by @​Copilot in #​25872
• Fix artipacked credential persistence in copilot-token-audit and copilot-token-optimizer by @​Copilot in #​25873
• fix: use RUNNER_TEMP for upload_artifact staging directory path by @​Copilot in #​25882
• Strict mode: allow secrets.* in step-level with: for uses: action steps by @​Copilot in #​25871
• fix: propagate ActionCache to detection job container downloads by @​Copilot in #​25883
• Fix github-script SHA mismatch in test files by @​Copilot in #​25885
• fix: resolve TypeScript errors for Error.code property in git_helpers.cjs by @​Copilot in #​25886
• fix: format git_helpers.cjs to pass prettier lint check by @​Copilot in #​25890
• feat: add validate operation to agentic maintenance workflow by @​Copilot in #​25889
• fix: trust gh-aw infrastructure actions in safe update enforcement by @​dsyme in #​25891
• Fix template-injection vulnerabilities in safe outputs config heredocs by @​Copilot in #​25888
• docs: expand slash command event filtering documentation by @​Copilot in #​25898
• Fix temporary ID references in patch content not resolved before git am by @​Copilot in #​25899
• Detect step-level engine timeout in detect_copilot_errors.cjs by @​Copilot in #​25896
• Fix workflow validation warnings: ecosystem identifiers, unsupported tool, push-to-PR-branch safety by @​Copilot in #​25901
• Fix detection job squid crash and propagate Features for cli-proxy pre-pull by @​Copilot in #​25902
• Start Docker daemon in validate_workflows job by @​Copilot in #​25907
• feat: allow configuring threat detection failures as warning instead of error by @​Copilot in #​25900
• fix: use ubuntu-latest for validate_workflows job by @​Copilot in #​25909
• feat: add cleanup-cache-memory job to agentics maintenance workflow by @​Copilot in #​25908
• Refactor: extract shared count-gated handler scaffold for safe-output handlers by @​Copilot in #​25903
• fix: allow multiple agent assignments to same issue when pull_request_repo differs by @​Copilot in #​25916
• Add OTel exception span events for individual agent errors by @​Copilot in #​25914
• docs: update agentic maintenance docs with latest features by @​Copilot in #​25919
• feat: use upload-artifact with skip-archive:true for image artifact URLs in markdown by @​Copilot in #​25923
• Fix JSDoc return type for upload artifact handler by @​Copilot in #​25929
• fix: include effective token count in noop and detection comment footers by @​Copilot in #​25941
• [actions] Update GitHub Actions versions - 2026-04-12 by @​github-actions[bot] in #​25935
• fix: gate push_repo_memory on agent not skipped instead of success by @​Copilot in #​25960
• Sanitize subprocess output in run_validate_workflows.cjs (SEC-004) by @​Copilot in #​25971
• Add missing pre-agent step to contribution-check workflow by @​Copilot in #​25968
• Add exception.type to OTel exception span events; sanitize event attributes by @​Copilot in #​25972
• [blog] Weekly blog post – 2026-04-13 by @​github-actions[bot] in #​26033
• chore(deps): update golang.org/x/term from v0.41.0 to v0.42.0 by @​Copilot in #​26017
• [docs] Consolidate developer specs into dev.md v5.9 by @​github-actions[bot] in #​26016
• feat: add integrity-reactions feature flag for MCPG reaction-based integrity promotion/demotion by @​Copilot in #​25948
• [spec-review] Update Safe Outputs conformance checker for recent spec changes by @​github-actions[bot] in #​26014
• [community] Update community contributions in README by @​github-actions[bot] in #​26013
• [docs] Update glossary - weekly full scan by @​github-actions[bot] in #​26009
• [specs] Update layout specification - 2026-04-13 by @​github-actions[bot] in #​25994
• [code-simplifier] refactor: extract hasValidPrefix boolean in exception type extraction (#​25972 follow-up) by @​github-actions[bot] in #​25989
• [instructions] Sync github-agentic-workflows.md with v0.68.1 by @​github-actions[bot] in #​26012
• deps: update github.com/charmbracelet/x/exp/golden (Dec 2025 → Apr 2026) by @​Copilot in #​26008
• [architecture] Update architecture diagram - 2026-04-13 by @​github-actions[bot] in #​26000
• [jsweep] Clean apply_safe_outputs_replay.cjs by @​github-actions[bot] in #​25982
• Extract shared close-older marker search/filter logic into helpers module by @​Copilot in #​26023
• perf: fix ParseWorkflow regression — ~18% faster, ~22% fewer allocations by @​Copilot in #​25990
• ci: remove disabled logs-token-check job, standardize artifact retention by @​Copilot in #​26046
• fix: resolve 11 CLI help text consistency issues by @​Copilot in #​26047
• chore(deps): update golang.org/x/crypto from v0.49.0 to v0.50.0 by @​Copilot in #​26059
• Reschedule Daily Documentation Updater to ~2am PST and disable CI Cleaner schedule by @​Copilot in [#​26058](https://redirect.github.com/github/gh

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.