v0.65.0

@github-actions github-actions released this 31 Mar 03:45
· 910 commits to main since this release
7c193ac

🌟 Release Highlights

v0.65.0 is a feature-rich release focused on MCP Gateway security controls, GitHub App org-level API access, and workflow lifecycle management — alongside a new Microsoft APM shared workflow and significant compiled output improvements.

✨ What's New

🔐 GitHub App Token: Org-Level Permissions

You can now grant org-scoped API access (e.g. members: read, organization-administration: read) directly in your workflow frontmatter — no more silent null responses when calling org-level GitHub APIs:

tools:
  github:
    toolsets: [orgs, users]
    github-app:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
      permissions:
        members: read

🛡️ MCP Gateway: Trusted Users & OIDC Authentication

Two powerful new MCP Gateway security features ship in this release:

  • trusted-users — Elevate specific GitHub usernames to approved integrity without lowering the global min-integrity policy. Useful for contractors or partner developers who need elevated access without becoming repo collaborators.
  • GitHub OIDC authentication — HTTP MCP servers can now authenticate using GitHub Actions OIDC tokens, enabling secure server-to-server trust without static credentials:
tools:
  mcp-servers:
    my-server:
      type: http
      url: "(myserver.example.com/redacted)"
      auth:
        type: github-oidc
        audience: "(myserver.example.com/redacted)"
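
What the receiving HTTP MCP server has to check on such a token, as an added example that is not gh-aw code. The function name, sample claims and repository allowlist are assumptions, and the token's signature is assumed to have been verified against GitHub's published JWKS by a JWT library before this runs.

```python
import time

# Issuer of GitHub Actions OIDC tokens.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def check_github_oidc_claims(claims, expected_audience, allowed_repos,
                             now=None, leeway=30):
    """Return (ok, reason) for claims taken from a signature-verified token."""
    now = time.time() if now is None else now

    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"

    # `aud` may be a string or a list; the configured audience must be in it.
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    else:
        audiences = list(aud) if isinstance(aud, (list, tuple)) else []
    if expected_audience not in audiences:
        return False, "audience mismatch"

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "token expired or missing exp"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        return False, "token not yet valid"

    # The audience alone does not identify the caller: any workflow can
    # request a token for a given audience, so pin the repository as well.
    if claims.get("repository") not in allowed_repos:
        return False, "repository not allowed"
    return True, "ok"


# Constructed sample claims (hypothetical values, not real token contents).
SAMPLE = {
    "iss": GITHUB_ISSUER,
    "aud": "https://mcp.example.test",
    "exp": 1_700_000_600,
    "nbf": 1_700_000_000,
    "repository": "example-org/example-repo",
}

if __name__ == "__main__":
    print(check_github_oidc_claims(SAMPLE, "https://mcp.example.test",
                                   {"example-org/example-repo"},
                                   now=1_700_000_300))
```

The expected_audience passed here must be the same string as the audience value in the workflow frontmatter.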

🔄 Version Update Check on Activation

Workflows now check at runtime whether the compiled gh-aw version is still supported. Blocked versions fail fast; below-recommended versions emit a warning. This protects against running workflows compiled with revoked or outdated versions. Disable with check-for-updates: false (emits a compile-time warning).

📦 Microsoft APM via shared/apm.md

APM package support is now available as a clean shared workflow import, replacing the deprecated dependencies: field:

imports:
  - uses: shared/apm.md
    with:
      packages:
        - microsoft/apm-sample-package

🧹 Cleaner Compiled Lock Files

The prompt heredoc consolidation refactor reduces compiled .lock.yml output by ~900 lines across the repo, making diffs dramatically easier to review when prompt content changes.

πŸ› Bug Fixes & Improvements

  • Fix actions/setup restore after cross-repo checkout in safe_outputs and upload_assets jobs β€” prevents runner post-step failures in dev mode (#23587, #23604)
  • Fix add_labels schema β€” labels field is now correctly marked required in the safe-outputs inputSchema, preventing silent omission by JSONL-mode agents (#23610)
  • Fix Daily Doc Updater β€” cookie-labeled issues (filed by automation workflows) are now surfaced correctly with approval-labels: [cookie] (#23613)
  • Remove unused APM constants from pkg/constants and CI checks (#23624)

📚 Documentation

  • Fixed sitemap (sitemap-index.xml) and RSS feed (blog/rss.xml) 404s on the docs site (#23585)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bbonafed

@dholmes


For complete details, see CHANGELOG.

Generated by Release


What's Changed

  • feat: group all concatenations in "Create prompt with built-in context" into a single section by @Copilot in #23588
  • fix(step-names): align cache-memory git setup step with Setup <component> convention by @Copilot in #23586
  • docs: fix sitemap and RSS feed 404s by @Copilot in #23585
  • fix: restore actions/setup after cross-repo checkout in safe_outputs job by @Copilot in #23587
  • [log] add debug logging to 5 pkg files (batch 2) by @github-actions[bot] in #23593
  • feat: add version update check for compile-agentic activation by @Copilot in #23575
  • [actions] Update GitHub Actions versions - 2026-03-30 by @Copilot in #23599
  • fix: restore actions/setup in upload_assets job after git branch switch (dev mode) by @Copilot in #23604
  • feat: Allow extra permissions on tools.github.github-app token for org-level API access by @Copilot in #23600
  • fix(daily-doc-updater): add cookie-label approval and Step 1d to surface automation-filed doc gaps by @Copilot in #23613
  • feat: add shared/apm.md shared workflow with Microsoft APM support by @Copilot in #23509
  • feat: add trusted-users to MCP Gateway guard policy by @Copilot in #23608
  • MCP Gateway: Add upstream OIDC authentication to schema, spec, and compiler by @Copilot in #23611
  • fix(safeoutputs): add required: ["labels"] to add_labels inputSchema by @Copilot in #23610
  • fix(instructions-janitor): use GitHub MCP get_latest_release instead of git describe by @Copilot in #23625
  • fix: remove unused APM constants and references by @Copilot in #23624
  • Add release alias map to releases.json by @Copilot in #23626

Full Changelog: v0.64.5...v0.65.0