v0.67.2

Pre-release

@github-actions github-actions released this 06 Apr 19:42
· 535 commits to main since this release
5fb582b

🌟 Release Highlights

This release focuses on reliability and correctness for cross-repo workflows, fixes network access issues with curl/wget, and improves import path resolution.

πŸ› Bug Fixes & Improvements

  • Cross-repo workflow hash check fixed: The lock file integrity check now correctly resolves GITHUB_WORKFLOW_REF and GITHUB_EVENT_NAME when workflows run cross-repo via org rulesets or workflow_call. Previously, ERR_CONFIG failures prevented reusable workflows from passing the timestamp check entirely.

  • Cross-repo checkout tokens no longer silently dropped: GitHub Actions runner v2.308+ suppresses masked job outputs, causing checkout app tokens forwarded from the activation job to be dropped before reaching the agent. Tokens are now minted directly in the agent job, ensuring cross-repo checkouts work reliably.

  • curl and wget now work with flags in network.allowed workflows: Copilot CLI's shell(curl) permission only matched a bare curl with no arguments. Any real invocation (curl -s …, curl --max-time 30 …) was denied even when the domain was explicitly listed in network.allowed. Both curl and wget are now registered as stem commands so flag-bearing invocations are permitted.

  • Runtime import resolver handles repo-root-absolute paths: Paths like /.agents/skills/my-skill/instructions.md or //.github/agents/planner.md (with one or more leading slashes) were incorrectly resolved to .github/workflows/…. The resolver now strips leading slashes before prefix checks, matching the existing compile-time behavior.

  • timeout-minutes capped at 360 in schema: The frontmatter schema now enforces a maximum value of 360 (GitHub's 6-hour runner limit), so workflows with values like 500 are caught at compile time rather than failing at runtime.

  • Dependency security patches: Updated vite across docs and setup scripts to address path traversal and server.fs bypass vulnerabilities (CVE-adjacent upstream fixes in vite 7.3.2 / 8.0.5).
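
The runtime import resolver fix listed above, sketched as an added example (this is not gh-aw source code). The prefix list, the .github/workflows/ fallback directory, the function names and the extra ".." containment check are assumptions made for illustration; only the two sample paths and the strip-leading-slashes behavior come from the release note.

```javascript
// Added illustration; not gh-aw source. ROOT_PREFIXES and WORKFLOWS_DIR are
// assumptions inferred from the paths quoted in the release note.
const ROOT_PREFIXES = [".github/", ".agents/"];
const WORKFLOWS_DIR = ".github/workflows/";

// Pre-fix behaviour: the prefix check runs on the raw string, so a leading "/"
// hides the ".agents/" or ".github/" prefix and the path falls through.
function resolveBefore(importPath) {
  const isRootRelative = ROOT_PREFIXES.some((p) => importPath.startsWith(p));
  return isRootRelative ? importPath : WORKFLOWS_DIR + importPath;
}

// Post-fix behaviour: strip one or more leading slashes, then check prefixes.
function resolveAfter(importPath) {
  const stripped = importPath.replace(/^\/+/, "");
  const isRootRelative = ROOT_PREFIXES.some((p) => stripped.startsWith(p));
  const candidate = isRootRelative ? stripped : WORKFLOWS_DIR + stripped;
  return normalizeInsideRepo(candidate);
}

// Extra containment step (added here, not described in the release note):
// collapse "." and ".." segments and refuse anything that climbs above the root.
function normalizeInsideRepo(relPath) {
  const out = [];
  for (const seg of relPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) {
        throw new Error("import escapes repository root: " + relPath);
      }
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out.join("/");
}

// Sample inputs: the first two are the paths quoted in the note, the third is constructed.
const samples = [
  "/.agents/skills/my-skill/instructions.md",
  "//.github/agents/planner.md",
  "shared/tools.md",
];
for (const s of samples) {
  console.log(s, "| before:", resolveBefore(s), "| after:", resolveAfter(s));
}
```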

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bbonafed

@wtgodbe

@yskopets


For complete details, see CHANGELOG.

Generated by Release · ● 2.4M


What's Changed

  • [docs] Update glossary - weekly full scan by @github-actions[bot] in #24850
  • [specs] Update layout specification - 2026-04-06 by @github-actions[bot] in #24840
  • [code-simplifier] refactor: extract getActionInput() helper for hyphen/underscore input normalization (#24823) by @github-actions[bot] in #24836
  • [instructions] Sync github-agentic-workflows.md with v0.67.0 by @github-actions[bot] in #24854
  • [community] Update community contributions in README by @github-actions[bot] in #24852
  • [jsweep] Clean add_reviewer.cjs by @github-actions[bot] in #24828
  • [spec-review] Update Safe Outputs conformance checker for recent spec changes by @github-actions[bot] in #24857
  • fix: use Math.floor instead of Math.round for OTEL job start ms timestamp by @Copilot in #24859
  • spec(mcp-gateway): allow opentelemetry headers as name=value string (v1.12.0) by @Copilot in #24869
  • rename: awInfoHasMCPServers → extractMCPServerNamesFromAwInfo by @Copilot in #24861
  • [blog] Weekly blog post – 2026-04-06 by @github-actions[bot] in #24893
  • test(agentdrain): migrate miner_test.go to testify, add coverage for TrainEvent/Clusters/Coordinator/persistence by @Copilot in #24871
  • Add validation: safe-outputs max field must be a positive integer or -1 (unlimited) by @Copilot in #24864
  • Convert Write Safe Outputs Tools step to actions/github-script with JSON env vars by @Copilot in #24872
  • refactor: consolidate duplicate logic in role_checks.go by @Copilot in #24870
  • Add run-install-scripts flag to disable npm pre/post install scripts by default by @Copilot in #24863
  • [rendering-scripts] fix: preserve fenced code blocks in template rendering by @github-actions[bot] in #24862
  • Add node runtime to daily-issues-report workflow by @Copilot in #24913
  • docs: fix stale status-comment description to reflect auto-enable behavior by @Copilot in #24915
  • fix: add network.allowed to schema-feature-coverage and ai-moderator Codex workflows by @Copilot in #24916
  • fix: mint checkout app tokens in agent job, not activation job by @Copilot in #24902
  • reduce token usage for daily-syntax-error-quality and dead-code-remover workflows by @Copilot in #24914
  • fix(runtime-import): handle repo-root-absolute paths with leading / or // by @Copilot in #24903
  • fix(tools): add curl and wget as stem commands to fix shell permission denial by @Copilot in #24923
  • [slides] Update monitoring slide with audit and format commands by @github-actions[bot] in #24929
  • fix(daily-syntax-error-quality): unblock /tmp/gh-aw compile path, remove unused GitHub toolset by @Copilot in #24925
  • build(deps-dev): bump vite from 8.0.3 to 8.0.5 in /actions/setup/js in the npm_and_yarn group across 1 directory by @dependabot[bot] in #24936
  • Add maximum: 360 to timeout-minutes schema to enforce GitHub Actions runner limit by @Copilot in #24931
  • Fix cross-repo reusable workflow hash check: remove workflow_call event gate and correct workflow_ref assumptions by @Copilot in #24924
  • build(deps): bump vite from 7.3.1 to 7.3.2 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #24937

Full Changelog: v0.67.1...v0.67.2