v0.64.1

@github-actions github-actions released this 26 Mar 14:03
· 1048 commits to main since this release
06c8e7e

🌟 Release Highlights

This release delivers a major expansion of the gh aw audit observability surface, a batch of important security hardening fixes, and two community-reported issues resolved — including a long-standing GHES host configuration bug.

✨ What's New

  • gh aw audit diff — Compare firewall behavior, MCP tool invocations, token usage, and run duration across two workflow runs to detect regressions and behavioral drift (gh aw audit diff <run1> <run2> [--format markdown|json]). #22996, #23118

  • Expanded gh aw audit report — Five new audit sections give you a single pane of glass: Engine Configuration, Prompt Analysis, Session & Agent Performance, Safe Output Summary, and MCP Server Health. Now also surfaces MCP Gateway guard policy enforcement blocks (integrity, repo-scope, access-denied) per tool and server. #22932, #22962

  • Safe Outputs replay via maintenance workflow — When a safe_outputs job fails or is skipped, you can now replay it manually: trigger the Agentic Maintenance workflow with operation: safe_outputs and a run URL or ID. #22973

  • Stable heredoc delimiters — Lock files no longer diff on every recompile for unchanged workflows. Heredoc delimiters are now derived from a frontmatter hash (HMAC-SHA256), making them both stable and injection-resistant. #23030

  • Agentic fraction & action minutes — New agentic_fraction (0.0–1.0) and action_minutes fields in the Agentic Observability Kit surface cost-of-goods-sold (COGS) visibility and identify workflows where data-gathering turns could be moved to deterministic shell steps. #23074

  • Post-job cleanup — actions/setup now automatically removes /tmp/gh-aw/ after every job via a runs.post lifecycle hook, reducing artifact surface on shared runners. #22938

🔒 Security Fixes

  • Heredoc delimiter injection → RCE — Randomized heredoc delimiters prevent attackers from embedding the delimiter in workflow markdown to inject shell commands into generated lock files. #23004
  • Shell injection via agent file path — Closed a shellEscapeArg pre-quoted bypass that allowed crafted agent filenames (a";id;"b.md) to execute arbitrary shell commands. #23023
  • Path traversal hardening — Added MustBeWithin boundary checks to three code paths that joined user-influenced paths without validating the result stays within the base directory. #23044
  • Argument injection prevention — Compiler now rejects package/image names starting with - before invoking npm, pip, uv, or Docker, preventing flag injection via frontmatter MCP configs. #23045
  • XSS attribute stripping — on* event handlers and style attributes are now stripped from allowlisted HTML tags in sanitized content, closing a bypass via <details ontoggle="...">. #22988
  • Allocation overflow fix — Fixed a potential runtime panic in buildDomainItems where len(allowed)+len(blocked) could overflow int on pathological inputs (CodeQL #558). #23059
  • Web Worker origin guard — Added origin validation to the wasm compiler worker's onmessage handler to prevent cross-origin message injection (CodeQL #546). #23063
  • Extracted log directory permissions — Replaced os.ModePerm (0777) with 0750 in extractZipFile to prevent world-readable log directories on systems with a permissive umask. #23036
  • Security dependency updates — picomatch patched for CVE-2026-33671 and CVE-2026-33672; smol-toml patched for GHSA-v3rj-xjv7-4jmq. #22990
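
The "Stable heredoc delimiters" item under What's New and the heredoc delimiter injection fix above concern the same mechanism. The Go code below is an added example, not gh-aw's own code: it shows why a fixed delimiter lets embedded content close the heredoc early, and how an HMAC-SHA256-derived delimiter stays stable across recompiles. The HMAC key, the `GH_AW_` prefix, the output file name and the sample body are constructed for illustration, and the delimiter-in-body check is an extra guard this example adds.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// heredocDelimiter derives the delimiter from the workflow's frontmatter hash.
// The same (key, hash) pair always yields the same delimiter, so recompiling an
// unchanged workflow leaves the lock file byte-identical. The key and the
// "GH_AW_" prefix are assumptions of this example, not the project's values.
func heredocDelimiter(key []byte, frontmatterHash string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(frontmatterHash))
	return "GH_AW_" + strings.ToUpper(hex.EncodeToString(mac.Sum(nil)[:8])) + "_EOF"
}

// closesEarly reports whether any line of body is exactly delim. Such a line
// ends a << 'DELIM' heredoc, and the lines after it run as shell commands.
func closesEarly(body, delim string) bool {
	for _, line := range strings.Split(body, "\n") {
		if line == delim {
			return true
		}
	}
	return false
}

// writeHeredoc wraps body in a quoted heredoc and refuses a body that contains
// the delimiter line. path is a trusted constant in this example.
func writeHeredoc(path, body, delim string) (string, error) {
	if closesEarly(body, delim) {
		return "", fmt.Errorf("body contains heredoc delimiter %q", delim)
	}
	return fmt.Sprintf("cat > %s << '%s'\n%s\n%s\n", path, delim, body, delim), nil
}

func main() {
	// Constructed sample: workflow markdown that embeds a line reading "EOF".
	body := "Summarize the issue.\nEOF\necho injected-step"
	fmt.Println("fixed delimiter EOF closes early:", closesEarly(body, "EOF"))
	delim := heredocDelimiter([]byte("example-key"), "constructed-frontmatter-hash")
	script, err := writeHeredoc("/tmp/gh-aw/prompt.txt", body, delim)
	fmt.Println("derived delimiter:", delim, "error:", err)
	fmt.Print(script)
}
```
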

πŸ› Bug Fixes & Improvements

  • GHES host propagation fixed β€” GH_HOST is now written to GITHUB_ENV instead of GITHUB_OUTPUT, making it available to all generated steps (checkout, safe-outputs, etc.) β€” not just user-typed steps. #22974
  • Cross-label concurrency β€” Concurrency groups for label-triggered workflows now include $\{\{ github.event.label.name }}, preventing simultaneous label additions from cancelling each other's runs. #23021
  • Rate limit resilience β€” gh aw update and gh aw health no longer fail fatally on transient GitHub API rate limit errors; both emit a warning and continue cleanly. #23032
  • Noop-after-failure β€” When the AI model server returns a transient error after the agent has already called noop, spurious failure issues are no longer filed. #23050
  • Claude audit tool duration β€” MaxDuration for Claude engine bash tools now correctly shows N/A instead of stamping the total job time onto every tool call. #23049
  • Threat detection robustness β€” THREAT_DETECTION_RESULT payloads with literal newlines in reason strings are now correctly parsed without truncation. #22982
  • AWF firewall updated to v0.25.1. #23022

📚 Documentation

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@deyaaeldeen


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • Add download.jetbrains.com to kotlin ecosystem domain allowlist by @Copilot in #22942
  • Add maven-central.storage-download.googleapis.com to java ecosystem domains by @Copilot in #22943
  • feat: expand gh aw audit with engine config, prompt, session, safe-output, and MCP server health sections by @Copilot in #22932
  • Davidslater/fix detection compiler by @davidslater in #22969
  • fix: write GH_HOST to GITHUB_ENV instead of GITHUB_OUTPUT by @lpcox in #22974
  • [docs] Update documentation for features merged 2026-03-25 by @github-actions[bot] in #22972
  • [log] Add debug logging to 5 previously unlogged files by @github-actions[bot] in #22983
  • feat: add apply_safe_outputs workflow-dispatch job to agentic-maintenance by @Copilot in #22973
  • feat: reduce Detection Job firewall domain allowlist to Copilot-API-only set and enable Bash * in detection job by @Copilot in #22948
  • feat: add post cleanup script to actions/setup to erase /tmp/gh-aw/ by @Copilot in #22938
  • build(deps): bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #22990
  • fix: strip on* event handlers and style attributes from allowlisted HTML tags in convertXmlTags() by @Copilot in #22988
  • feat: surface MCP Gateway guard policy events in gh aw audit by @Copilot in #22962
  • docs: add Replaying Safe Outputs section to safe-outputs reference by @Copilot in #22995
  • fix: robustly parse THREAT_DETECTION_RESULT with literal newlines in reasons (#issue) by @Copilot in #22982
  • Fix heredoc delimiter injection enabling code-review bypass → RCE by @Copilot in #23004
  • feat: gh aw audit diff — compare firewall behavior across runs by @Copilot in #22996
  • Include label name in concurrency group to prevent cross-label cancellation by @Copilot in #23021
  • docs: add consolidated token reference page by @lpcox in #22916
  • docs: add ResearchPlanAssignOps pattern by @Copilot in #23031
  • fix: ignore GitHub API rate limit errors in update and health commands by @Copilot in #23032
  • Use frontmatter hash for stable heredoc EOF marker identifiers by @Copilot in #23030
  • Bump DefaultFirewallVersion to v0.25.1 by @Copilot in #23022
  • fix: use 0750 instead of os.ModePerm for extracted log directories by @Copilot in #23036
  • fix: resolve broken documentation links causing Doc Build CI failure by @Copilot in #23039
  • fix: update wasm golden files for firewall version v0.25.1 by @Copilot in #23038
  • [jsweep] Clean apply_safe_outputs_replay.cjs by @github-actions[bot] in #23040
  • fix: set FrontmatterHash in TestMCPScriptsStepCodeGenerationStability for deterministic heredoc delimiters by @Copilot in #23041
  • security: harden filesystem path operations against path traversal by @Copilot in #23044
  • fix: reject package/image names starting with '-' to prevent argument injection (#23070) by @Copilot in #23045
  • fix: normalize heredoc delimiters in wasm golden test script by @Copilot in #23052
  • fix: skip failure issue when agent exits non-zero after successfully calling noop by @Copilot in #23050
  • fix(security): close shellEscapeArg pre-quoted bypass → shell injection via agent file path by @Copilot in #23023
  • fix(audit): Claude engine bash tools show total job time as MaxDuration instead of per-tool timing by @Copilot in #23049
  • fix: update wasm golden files for refactored awf command format by @Copilot in #23053
  • Remove unused devices import in docs/test-mobile.mjs by @Copilot in #23060
  • Remove unused basename import in test-wasm-golden.mjs by @Copilot in #23062
  • Remove unused outputContainer variable in editor.js by @Copilot in #23061
  • Fix missing origin check in postMessage handler (CodeQL alert 546) by @Copilot in #23063
  • Fix allocation-size-overflow in buildDomainItems (CodeQL #558) by @Copilot in #23059
  • chore: add agentic fraction & action minutes tracking by @mnkiefer in #23074
  • [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #23086
  • [community] docs: update community contributions by @github-actions[bot] in #23085
  • feat(audit): upgrade audit diff with MCP tool invocations, token usage, and duration diffs by @Copilot in #23118
  • ci-doctor: switch to codex engine, drop model override, add analysis steps disclosure by @Copilot in #23119
  • [docs] Self-healing documentation fixes from issue analysis - 2026-03-26 by @github-actions[bot] in #23124

Full Changelog: v0.64.0...v0.64.1