v0.58.0
π Release Highlights
v0.58.0 is a substantial release focused on cross-repo workflow reliability, custom AI endpoint support, and a wave of community-driven bug fixes. 92 PRs merged.
β¨ What's New
-
Custom API Endpoints for Agentic Engines β You can now point workflows at custom OpenAI and Anthropic API targets (e.g., Azure OpenAI, proxies, private deployments) via the
enginefrontmatter. Both the sandbox and engine configuration support custombase_urland authentication settings. (#20730, #20631) -
Auto-derived Safe Outputs Guard Policy β The
safeoutputsguard policy is now automatically derived from the GitHub MCP guard policy, eliminating redundant configuration. Paired with a bump to MCP gateway v0.1.14. (#20467) -
Redirect Failure Issues to a Different Repo β New
safe-outputs.failure-issue-repofrontmatter field lets you route workflow failure issues to a central repository instead of the workflow's own repo. (#20429) -
Unified Agent Artifact β Agent job artifacts are now merged into a single
agentartifact, making it easier to download and inspect workflow outputs. (#20507) -
APM Artifact Pack/Unpack Support Reimplemented β APM (Artifact Package Manager) dependency workflows now correctly pack and unpack artifacts across jobs. (#20564)
-
Compile-time Warnings for
push-to-pull-request-branchβ The compiler now emits warnings whenpush-to-pull-request-branchis configured withtarget: "*", helping catch potentially unintended broad-scope writes before deployment. (#20580) -
--skip-secretFlag foradd-wizardβ A new--skip-secretflag bypasses the API key prompt duringgh aw add, useful for CI environments and workflows that manage secrets externally. (#20598)
π Bug Fixes & Improvements
-
Fixed "Exceeded max expression length 21000" β Compiled workflows with large toolsets (e.g.,
toolsets: [all]) combined withcreate-pull-request.base-branchno longer fail GitHub Actions YAML validation. (#20751) -
Cross-repo relay activation checkout β A series of fixes resolves checkout failures in event-driven relay workflows where
event_namepropagation caused the wrong repo/ref to be checked out. (#20583) -
dispatch_workflownow honorstarget-repoβ Cross-repo relay workflows usingdispatch_workflowcorrectly dispatch to the configuredtarget-repoinstead of always targetin 8000 gcontext.repo. (#20708) -
submit_pull_request_reviewcross-repo support β Addedtarget-reposupport tosubmit_pull_request_reviewso review submissions work correctly in cross-repo workflows. (#20678) -
gh aw logsactionable errors β Fixed a bug where an invalidpathfield ingh run listcaused errors to be misclassified as authentication failures. The CLI now surfaces the real cause. (#20684) -
Codex web search disabled by default β Codex no longer uses web search unless the
web-searchtool is explicitly configured, preventing unintended external lookups. (#20607) -
Fixed
push-to-pull-request-branchdefaultmax: 1β The default value was incorrectly set to0instead of the documented1. (#20582) -
Fixed git fetch auth after
clean_git_credentials.shβpush_to_pull_request_branchno longer fails with authentication errors after credential cleanup. (#20581, #20524) -
Fixed PR creation fallback status β
create-pull-requestno longer incorrectly reports a PR as created when it fell back to creating a review issue instead. (#20602) -
Improved merge conflict failure issues β When
create_pull_requestorpush_to_pull_request_branchfail due to merge conflicts, the resulting failure issue now includes actionable context. (#20421) -
reply_to_pull_request_review_commentregistered in config β The tool was missing fromconfig.json, preventing it from being used. (#20525) -
Custom safe-output job types now recognized β Fixed a regression where custom safe-output job types were not recognized in the
safe_outputsjob. (#20682) -
Artifact name prefix for
workflow_callβ Prevents artifact name collisions when multiple callers invoke the same reusable workflow concurrently. (#20685) -
actionlintintegration failures distinguished from lint findings βgh aw compile --actionlintnow correctly differentiates tool failures (non-zero exit with no findings) from actual lint errors. (#20637)
π Documentation
-
Debug logging troubleshooting guide β Added a common-issues page section on using
DEBUG=*to diagnose workflow problems. (#20725) -
allowed-filesclarified as exclusive allowlist β Documented thatallowed-filesis a strict allowlist, not an additive exception list. (#20606) -
Dedicated APM Dependencies reference page β Added a reference page covering APM dependency workflows and configuration. (#20674)
π Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release:
@grahame-whitefor Bug: Exceeded max expression length in compiled workflows with large toolsets (#20719) and compile --actionlint exits nonzero with zero findings (#20629)@johnwilliams-12for cross-repo activation checkout bugs in event-driven relays (#20697, #20696, #20658, #20567)@rabo-unumedforgh aw logsmisclassifies errors as authentication failures (#20679)@alexsiilvaaforsubmit_pull_request_reviewlacks target-repo support (#20664)@tspascoalfor PR creation fallback still claims PR was created (#20597)@mcantrellfor Option to skip API secret prompt foradd-wizard(#20592)@eaftanfor Codex uses web search even when tool is not configured (#20457)@NicoAvanzDevforpush_to_pull_request_branchgit fetch failure (#20540) and incorrect defaultmax: 0(#20528)@arezeroforreply_to_pull_request_review_commentmissing from config.json (#20512) andclean_git_credentials.shbreakingpush_to_pull_request_branch(#20511)@dsymefor push-to-pull-request-branch warnings (#20578) and better merge conflict failure issues (#20420)@bmerklefor missing Prerequisites section in CONTRIBUTING.md (#20646) and cleanup contributions
For complete details, see CHANGELOG.
Generated by Release
What's Changed
- fix: propagate
environment:frontmatter field to all safe-output jobs by @Copilot in #20384 - Recompile workflows to sync lock files with markdown sources by @Copilot in #20396
- refactor: split pkg/cli/remote_workflow.go into 5 focused modules by @Copilot in #20377
- fix(cli): standardize --help flag descriptions and "agentic workflow" terminology by @Copilot in #20375
- fix(wasm): update golden files for GH_AW_PHASE, GH_AW_VERSION, GITHUB_AW env vars by @Copilot in #20408
- [code-simplifier] Simplify duplicate alt-path blocks in fetch.go; fix add_command test broken by #20375 by @github-actions[bot] in #20410
- [docs] Self-healing documentation fixes from issue analysis - 2026-03-10 by @github-actions[bot] in #20412
- fix: prevent test suite timeout caused by real network calls in force-overwrite test by @Copilot in #20428
- fix: only emit GH_AW_VERSION with real version in release builds, use "dev" otherwise by @Copilot in #20433
- [aw] Updates available by @github-actions[bot] in #20430
- [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #20435
- feat: add
safe-outputs.failure-issue-repoto redirect failure issues to a different repo by @Copilot in #20429 - [docs] docs: reduce bloat in data-ops.md by @github-actions[bot] in #20437
- Phase 1: Introduce EngineDefinition, EngineCatalog, and ResolvedEngineTarget by @Copilot in #20459
- chore(docs): bump mermaid 11.12β11.13 and @astrojs/starlight 0.37.6β0.37.7 by @Copilot in #20464
- Phase 2: Make EngineCatalog the single source of truth for engine metadata by @Copilot in #20462
- [docs] Update documentation for features from 2026-03-11 by @github-actions[bot] in #20468
- Phase 3: Extend schema and parser for inline and catalog-defined engine definitions by @Copilot in #20469
- Phase 4: Add AuthDefinition and RequestShape for provider-owned auth and request shaping by @Copilot in #20473
- Phase 5: Add RenderConfig hook to CodingAgentEngine interface by @Copilot in #20477
- [docs] Update glossary - daily scan by @github-actions[bot] in #20493
- deps: update google.golang.org/grpc from v1.75.0 to v1.79.2 by @Copilot in #20498
- fix(step-names): Align AWF capitalization and Safe Output Items Manifest casing by @Copilot in #20504
- Add gh-aw-actions to Related Projects in README by @Copilot in #20509
- Fix
push_to_pull_request_branchfailing afterclean_git_credentials.shcleans.git/configby @Copilot in #20524 - fix: bots allowlist slug fallback in checkBotStatus by @Copilot in #20526
- cleanup left over files (again)... by @bmerkle in #20529
- fix: reply_to_pull_request_review_comment missing from config.json by @Copilot in #20525
- Merge agent job artifacts into single
agentartifact by @Copilot in #20507 - Rename threat detection artifact from
threat-detection.logtodetectionby @Copilot in #20541 - Sync gh-aw-actions before creating the GitHub release by @Copilot in #20537
- Improve failure issue for patch apply failures (merge conflicts) in create_pull_request / push_to_pull_request_branch by @Copilot in #20421
- Fix safe_outputs: skip PR review comments outside PR context, register custom safe job types by @Copilot in #20548
- feat: automatically derive safeoutputs guard-policy from GitHub MCP guard-policy and bump gateway to v0.1.14 by @claude in #20467
- [dead-code] chore: remove dead functions β 7 functions removed by @github-actions[bot] in #20565
- [code-simplifier] refactor: simplify default case in buildSafeOutputJobsEnvVars by @github-actions[bot] in #20568
- [ca] fix: update test expectations for actions/download-artifact v8.0.1 by @github-actions[bot] in #20566
- [docs] Self-healing documentation fixes from issue analysis - 2026-03-11 by @github-actions[bot] in #20569
- feat: Reimplement APM artifact pack/unpack support (#20385) by @Copilot in #20564
- Replace inlined Go builtin engine definitions with embedded shared agentic workflow files by @Copilot in #20500
- fix(safe-outputs): add standardized error code to handle_noop_message.cjs (USE-001) by @Copilot in #20579
- fix: push-to-pull-request-branch default max should be 1, not 0 by @Copilot in #20582
- Fix git fetch auth in generateGitPatch after clean_git_credentials.sh by @Copilot in #20581
- Fix wasm golden tests and lint error after mcpg version bump to v0.1.14 by @Copilot in #20588
- refactor: eliminate semantic duplicates, delete stub files, split commands.go by @Copilot in #20577
- docs: add READ-ONLY caution to MCP Scripts reference by @Copilot in #20600
- Add
--skip-secretflag toadd-wizardto bypass API key prompt by @Copilot in #20598 - Fix misleading status when create-pull-request falls back to a review issue by @Copilot in #20602
- Add compile-time warnings for push-to-pull-request-branch with target: "*" by @Copilot in #20580
- docs: clarify
allowed-filesis an exclusive allowlist, not an additive exception list by @Copilot in #20606 - [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #20609
- [docs] docs: remove bloat from custom-safe-outputs reference page by @github-actions[bot] in #20612
- fix: grant contents/pull-requests write to sync_actions reusable workflow call by @Copilot in #20613
- Disable Codex web search by default; enable only when
web-searchtool is configured by @Copilot in #20607 - fix: enforce
draftas policy increate-pull-request, not agent-overridable fallback by @Copilot in #20608 - Fix cross-repo activation checkout for event-driven relay workflows by @Copilot in #20583
- fix: logs MCP tool surfaces actionable error instead of cryptic "exit status 1" by @Copilot in #20616
- [docs] Update documentation for features from 2026-03-12 by @github-actions[bot] in #20632
- fix: distinguish actionlint integration failures from lint findings by @Copilot in #20637
- [fp-enhancer] Improve pkg/cli: add sliceutil.Any and replace for-break patterns by @github-actions[bot] in #20651
- [docs] Update glossary with security scanner terms - daily scan by @github-actions[bot] in #20655
- Add dedicated APM Dependencies reference page by @Copilot in #20674
- refactor: split safe_outputs_config.go into focused modules by @Copilot in #20639
- [jsweep] Clean messages_core.cjs by @github-actions[bot] in #20630
- feat: support custom OpenAI and Anthropic API targets in AWF sandbox by @claude in #20631
- fix: add Prerequisites section to CONTRIBUTING.md, point to Dev Container by @Copilot in #20681
- Track CLI version bumps: Claude Code 2.1.74, Copilot CLI 1.0.4 by @Copilot in #20680
- Normalize report formatting: add shared/reporting.md import to 16 workflows by @Copilot in #20683
- Fix custom safe-output job types not recognized in
safe_outputsjob by @Copilot in #20682 - fix: add target-repo support to submit_pull_request_review for cross-repo workflows by @Copilot in #20678
- chore(deps): bump devalue from 5.6.3 to 5.6.4 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #20689
- chore(deps): bump hono from 4.12.5 to 4.12.7 in /.github/workflows in the npm_and_yarn group across 1 directory by @dependabot[bot] in #20690
- Fix lint-go: simplify
Anyusingslices.ContainsFuncby @Copilot in #20701 - fix: remove invalid
pathfield fromgh run list, fix error misclassification by @Copilot in #20684 - fix(IMP-003): relocate
generateCustomJobToolDefinitiontosafe_outputs_config_generation.goby @Copilot in #20706 - fix(sec-005): add SEC-005 compliance notes to target-repo handlers by @Copilot in #20707
- Add artifact name prefix for workflow_call to prevent multi-caller clashing by @Copilot in #20685
- fix: dispatch_workflow honors target-repo in cross-repo relays by @Copilot in #20708
- [docs] Self-healing documentation fixes from issue analysis - 2026-03-12 by @github-actions[bot] in #20716
- [dead-code] chore: remove dead functions β 10 functions removed by @github-actions[bot] in #20712
- [code-simplifier] refactor: simplify dispatch_workflow handler clarity (#20708 follow-up) by @github-actions[bot] in #20715
- docs: add debug logging to common-issues troubleshooting page by @Copilot in #20725
- fix(lint): remove unused
secretNamePatternvariable by @Copilot in #20735 - feat: add daily-function-namer agentic workflow by @Copilot in #20732
- Fix "Copy Safe Outputs" step name capitalization to match glossary term by @Copilot in #20734
- [docs] docs: reduce bloat in footers.md (-22%) by @github-actions[bot] in #20737
- Fix misleading Docker error and
compiled_filepopulated on failed compilation by @Copilot in #20750 - Fix "Exceeded max expression length 21000" in compiled workflows with large toolsets and create-pull-request base-branch by @Copilot in #20751
- Add Custom API Endpoint Configuration for Agentic Engines by @claude in #20730
- [jsweep] Clean hide_comment.cjs by @github-actions[bot] in #20754
- fix: use
-c web_search="disabled"instead of non-existent--no-searchflag for Codex by @Copilot in #20757 - release: replace sync_actions workflow_call with environment-gated manual approval job by @Copilot in #20761
Full Changelog: v0.57.2...v0.58.0