Weekly Update – March 18, 2026
It’s been a busy week in github/gh-aw — seven releases shipped between March 13 and March 17, covering everything from a security model overhaul to a new label-based trigger and a long-overdue terminal resize fix. Let’s dig in.
Releases This Week
Section titled “Releases This Week”v0.61.0 — March 17
Section titled “v0.61.0 — March 17”The freshest release focuses on reliability and developer experience:
- Automatic debug logging (#21406): Set
ACTIONS_RUNNER_DEBUG=trueon your runner and full debug logging activates automatically — no more manually addingDEBUG=*to every troubleshooting run. - Cross-repo project item updates (#21404):
update_projectnow accepts atarget_repoparameter, so org-level project boards can update fields on items from any repository. - GHE Cloud data residency support (#21408): Compiled workflows now auto-inject a
GH_HOSTstep, fixingghCLI failures on*.ghe.cominstances. - CI build artifacts (#21440): The
buildCI job now uploads the compiledgh-awbinary as a downloadable artifact — handy for testing PRs without a local build.
v0.60.0 — March 17
Section titled “v0.60.0 — March 17”This release rewires the security model. Breaking change: automatic lockdown=true is gone. Instead, the runtime now auto-configures guard policies on the GitHub MCP server — min_integrity=approved for public repos, min_integrity=none for private/internal. Remove any explicit lockdown: false from your frontmatter; it’s no longer needed.
Other highlights:
- GHES domain auto-allowlisting (#21301): When
engine.api-targetpoints to a GHES instance, the compiler automatically adds GHES API hostnames to the firewall. No more silent blocks after every recompile. github-app:auth in APM dependencies (#21286): APMdependencies:can now usegithub-app:auth for cross-org private package access.
v0.59.0 — March 16
Section titled “v0.59.0 — March 16”A feature-packed release with two breaking changes (field renames in safe-outputs.allowed-domains) and several new capabilities:
- Label Command Trigger (#21118): Activate a workflow by adding a label to an issue, PR, or discussion. The label is automatically removed so it can be reapplied to re-trigger.
gh aw domainscommand (#21086): Inspect the effective network domain configuration for all your workflows, with per-domain ecosystem annotations.- Pre-activation step injection — New
on.stepsandon.permissionsfrontmatter fields let you inject custom steps and permissions into the activation job for advanced scenarios.
Earlier in the Week
Section titled “Earlier in the Week”- v0.58.3 (March 15): MCP write-sink guard policy for non-GitHub MCP servers, Copilot pre-flight diagnostic for GHES, and a richer run details step summary.
- v0.58.2 (March 14): GHES auto-detection in
auditandadd-wizard,excluded-filessupport forcreate-pull-request, and clearerruncommand errors. - v0.58.1 / v0.58.0 (March 13):
call-workflowsafe output for chaining workflows,checkout: falsefor agent jobs, custom OpenAI/Anthropic API endpoints, and 92 merged PRs in v0.58.0 alone.
Notable Pull Requests
Section titled “Notable Pull Requests”- Top-level
github-appfallback (#21510): Define your GitHub App config once at the top level and let it propagate to safe-outputs, checkout, MCP, APM, and activation — instead of repeating it in every section. - GitHub App-only permission scopes (#21511): 31 new
PermissionScopeconstants cover repository, org, and user-level GitHub App permissions (e.g.,administration,members,environments). - Custom Huh theme (#21557): All 11 interactive CLI forms now use a Dracula-inspired theme consistent with the rest of the CLI’s visual identity.
- Weekly blog post writer workflow (#21575): Yes, the workflow that wrote this post was itself merged this week. Meta!
- CI job timeout limits (#21601): All 25 CI jobs that relied on GitHub’s 6-hour default now have explicit timeouts, preventing a stuck test from silently burning runner compute.
Agent of the Week: auto-triage-issues
Section titled “ Agent of the Week: auto-triage-issues”The first-ever Agent of the Week goes to the workflow that handles the unglamorous but essential job of keeping the issue tracker from becoming a swamp.
auto-triage-issues runs on a schedule and fires on every new issue, reading each one and deciding how to categorize it. This week it ran five times — three successful runs and two that were triggered by push events to a feature branch (which apparently fire the workflow but don’t give it much to work with). On its scheduled run this morning, it found zero open issues in the repository, so it created a tidy summary discussion to announce the clean state, as instructed. On an earlier issues-triggered run, it attempted to triage issue #21572 but hit empty results from GitHub MCP tools on all three read attempts — so it gracefully called missing_data and moved on rather than hallucinating a label.
Across its recent runs it made 131 search_repositories calls. We’re not sure why it finds repository searches so compelling, but clearly it’s very thorough about knowing its neighborhood before making any decisions.
Usage tip: Pair auto-triage-issues with a notify workflow on specific labels (e.g., security or needs-repro) so the right people get pinged automatically without anyone having to watch the inbox.
Try It Out
Section titled “Try It Out”Update to v0.61.0 to get all the improvements from this packed week. If you run workflows on GHES or in GHE Cloud, the new auto-detection and GH_HOST injection features are especially worth trying. As always, contributions and feedback are welcome in github/gh-aw.
