v0.64.3

🌟 Release Highlights

This release delivers significant security hardening, a major improvement to cache-memory integrity guarantees, and a wave of community-driven bug fixes across safe-outputs, the DIFC proxy, and workflow tooling.

✨ What's New

Integrity-Aware Cache-Memory with Git-Backed Branching

Cache-memory now enforces integrity isolation at the storage level using git branches — merged, approved, unapproved, and none. Each run reads only from its integrity tier and above, preventing lower-integrity agents from poisoning data consumed by higher-integrity runs. Cache keys now include the integrity level and a compile-time policy hash, so any change to your allow-only guard policy automatically invalidates stale cache entries.

⚠️ Migration note: existing caches will get a cache miss on first run after upgrading — intentional, since legacy data has no integrity provenance.

patch-format: bundle for Safe-Outputs Code-Push Flows

Code-push flows now support patch-format: bundle, which uses git bundle instead of git am/git format-patch. Bundle transport preserves the full commit graph including merge commits, authorship, and per-commit messages — resolving long-standing issues with merge-resolution-only content being silently dropped.

safe-outputs:
  create-pull-request:
    patch-format: bundle   # "am" (default) | "bundle"

🔒 Security Fixes

• Secret env var exclusion from agent container — AWF's --exclude-env flag now strips all secret-bearing environment variables (tokens, API keys, MCP secrets) from the agent container's visible environment, mitigating prompt-injection exfiltration vectors in pull_request_target workflows. Uses AWF v0.25.3+. (#23360)

• Argument injection fix in package validators — Package/image names in gh aw compile --validate-packages are now validated before being passed to npm view, pip index versions, uv pip show, and docker, preventing flag-injection attacks via maliciously crafted package names. (#23374)

🐛 Bug Fixes & Improvements

• Noop safe-output handling — Workflows no longer fail when the AI model returns a transient error after successfully capturing a noop safe-output. The conclusion job now correctly posts the noop message even when the agent job exits with code 1 in this scenario. (#23284)

• update-discussion label-only config — Configuring only allowed-labels on update-discussion no longer accidentally overwrites the discussion title or body with a JSON string. Field isolation is now enforced at both the tool schema level and at runtime. (#23279)

• DIFC proxy GHEC support — The DIFC proxy container now receives GITHUB_SERVER_URL, fixing integrity filtering for pre-agent gh CLI and actions/github-script steps on GitHub Enterprise Cloud tenants. (#23308)

• logs / audit fingerprint consistency — gh aw logs and gh aw audit now produce identical behavior_fingerprint values for the same workflow run. Previously, logs computed the fingerprint before populating run metrics from parsed log data. (#23420)

• AWF version corrected to v0.25.3 — The default firewall version was set to v0.26.0 (which was never released), causing "Install AWF binary" HTTP 404 errors. Corrected to v0.25.3, the actual release that shipped --exclude-env support. (#23396)

• update-discussion error diagnostics — GraphQL permission errors (e.g. missing discussions: write) now surface actionable messages with the exact error type, HTTP status, and remediation hint, instead of an opaque ERR_API: update discussion #N failed. (#23340)

---

🌍 Community Contributions — A huge thank you to the community members who reported issues resolved in this release!

@bryanchen-d

• Agent fails with "Failed to get response from the AI model; retried 5 times" after noop safe-output (direct issue)

@eaftan

• bug: missing-tool and missing-data have surprising create-issue behavior depending on implicit vs explicit enablement (direct issue)
• User feedback: Actions run page should link to .md file instead of .lock.yml (direct issue)

@look

• missing-tool: workflow completes successfully when MCP script tools fail (direct issue)

@strawgate

• safe-outputs: preserve merge/rebase commit history in code-push flow (direct issue)

⚠️ Attribution Candidates Need Review

The following community issue was closed during this release window but could not be automatically linked to a specific merged PR. Please verify whether it should be credited:

• @Henry-Shan for Add agentic workflow: Proactive Dependency Auto-Remediation for Dependabot PRs (#23268) — closed 2026-03-28 as NOT_PLANNED, no confirmed PR linkage found

---

For complete details, see CHANGELOG.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• #18412 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #23257 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Release

---

What's Changed

• Remove URL fetch capability from editor.js playground by @Copilot in #23381
• ci: add integration-release-availability job to verify external dependencies by @Copilot in #23380
• fix: propagate assign-to-agent failure to step status and conclusion rendering by @Copilot in #23377
• fix: downgrade DefaultFirewallVersion and AWFExcludeEnvMinVersion from v0.26.0 to v0.25.3 by @Copilot in #23396
• [docs] docs: condense imports reference — consolidate merge-semantics table by @github-actions[bot] in #23414
• [ca] test: update wasm golden files for v0.25.3 downgrade by @github-actions[bot] in #23419
• [jsweep] Clean add_labels.cjs by @github-actions[bot] in #23417
• feat: reimplement tools.qmd as parameterized shared import, remove builtin presets by @Copilot in #23366
• Remove builtin tools.serena support; mark removed in schema by @Copilot in #23365
• fix: remove GHCR image checks from release availability CI (only verify GitHub release exists) by @Copilot in #23424
• fix: behavior_fingerprint inconsistency between logs and audit tools for the same run by @Copilot in #23420
• Add gh CLI install step for custom image runner in all workflows using gh by @Copilot in #23426
• [docs] Consolidate developer specifications into instructions file by @github-actions[bot] in #23429
• [community] Update community contributions in README by @github-actions[bot] in #23430
• Fix schema/code inconsistencies: remove engine.firewall dead code, error_patterns, and cleanup-script by @Copilot in #23423
• fix: handle uses:/path: map imports in fetchFrontmatterImportsRecursive by @Copilot in #23439
• docs: safe outputs spec v1.15.0 — cache memory integrity (git-backed branching) by @Copilot in #23443
• Remove emojis from agent failure messages by @Copilot in #23445
• feat: integrity-aware cache-memory with git-backed integrity branching and policy-scoped keys by @Copilot in #23425
• fix: format pkg/cli/remote_workflow_test.go with go fmt by @Copilot in #23450
• fix: correct serena-go.md import path to fix integration test failure by @Copilot in #23452
• refactor: consolidate semver utilities, merge single-function file, disambiguate MCP validator by @Copilot in #23448

Full Changelog: v0.65.0...v0.64.3