Weekly Update – April 13, 2026

Apr 13, 2026

It was a busy week in github/gh-aw — five releases shipped between April 6 and April 10, addressing everything from a critical Copilot CLI reliability crisis to shiny new workflow composition features. Here’s the full rundown.

Release Highlights

v0.68.1 — April 10

The headline of this patch is a critical Copilot CLI reliability hotfix. Workflows using the Copilot engine were hanging indefinitely or producing zero-byte output due to an incompatibility introduced in v1.0.22 of the Copilot CLI. v0.68.1 pins the CLI back to v1.0.21 — the last confirmed-working version — and gets everyone’s workflows running again (#25689).

Beyond the hotfix, this release also ships:

engine.bare frontmatter field (#25661): Set bare: true to suppress automatic context loading — AGENTS.md and user instructions for Copilot, CLAUDE.md memory files for Claude. Great when you want the AI to start from a clean slate.
Improved stale lock file diagnostics (#25571): When the activation job detects a stale hash, it now emits step-by-step [hash-debug] log lines and opens an actionable issue guiding you to fix it.
actions/github-script upgraded to v9 (#25553): Scripts now get getOctokit as a built-in context parameter, removing the need for manual @actions/github imports in safe-output handlers.
Squash-merge fallback in gh aw add (#25609): If a repo disallows merge commits, the setup PR now automatically falls back to squash merge instead of failing.
Security: agent-stdio.log permissions hardened — Log files are now pre-created with 0600 permissions before tee writes, preventing world-readable exposure of MCP gateway bearer tokens.

v0.68.0 — April 10

This release brings distributed tracing improvements and a cleaner comment API:

OpenTelemetry cross-job trace hierarchy (#25540): Parent span IDs now propagate through aw_context across jobs, giving you end-to-end distributed trace visibility for multi-job workflows in backends like Tempo, Honeycomb, and Datadog.
Simplified discussion comment API (#25532): The deprecated add-comment.discussion boolean has been removed in favor of the clearer discussions: true/false syntax. Run gh aw fix --write to migrate existing workflows.
Security: heredoc content validation (#25510): ValidateHeredocContent checks now cover five user-controlled heredoc insertion sites, closing a class of potential injection vectors.

v0.67.4 — April 9

This one led with five new agentic workflow templates: approach-validator, test-quality-sentinel, refactoring-cadence, architecture-guardian, and design-decision-gate. These expand the built-in library for code quality, ADR enforcement, and architectural governance. The release also included Copilot driver retry logic and a --runner-guard compilation flag.

v0.67.3 — April 8

The star of this release is the new pre-steps frontmatter field — inject steps that run before checkout and the agent inside the same job. This is the recommended pattern for token-minting actions (e.g., actions/create-github-app-token, octo-sts) that need to check out external repos. Because the minted token stays in the same job, it never gets masked when crossing a job boundary. Also shipped: ${{ github.aw.import-inputs.* }} expression support in the imports: section, and assignees support on create-pull-request fallback issues.

v0.67.2 — April 6

Reliability-focused: cross-repo workflow hash checks, checkout tokens no longer silently dropped on newer runners, curl/wget flag-bearing invocations now allowed in network.allowed workflows, and a timeout-minutes schema cap at 360.

Notable Merged Pull Requests

Beyond the releases, the past week also delivered:

#25923: Image artifacts can now be uploaded without zip archiving using skip-archive: true, and the resulting artifact URLs are surfaced as outputs — enabling workflows to embed images directly in Markdown comments.
#25908: A new scheduled cleanup-cache-memory job was added to the agentics maintenance workflow to prune outdated cache-memory entries automatically (and can be triggered on demand).
#25914 + #25972: OTel exception span events now emit exception.type alongside exception.message and individual error attributes are queryable — no more digging through pipe-delimited strings in Grafana.
#25960: Fixed a sneaky bug where push_repo_memory would run on every bot-triggered no-op because always() bypassed skip propagation.
#25971: Raw subprocess output from gh aw compile --validate is now sanitized before being embedded into issue bodies, closing a Markdown injection vector.

Agent of the Week: auto-triage-issues

The quiet backbone of issue hygiene — reads every new issue and applies the right labels so the right people see it.

This week auto-triage-issues proved it’s doing its job almost too well. In the scheduled run on April 13, it scanned all open issues and found exactly zero unlabeled issues — reporting a 100% label coverage rate with zero action required. It had already handled the labeling in near-real-time as issues arrived, including one run on April 12 where it correctly tagged a freshly opened issue with enhancement, mcp, compiler, and security in a single pass. Four labels, zero hesitation.

That “security” label is doing a lot of work — the workflow spotted MCP and compiler concerns that genuinely deserved the tag, not just keyword-matched on it. We’ll take it.

Usage tip: Pair auto-triage-issues with label-based notification rules so your team gets automatically paged for security or critical issues without anyone having to babysit the issue tracker.

→ View the workflow on GitHub

Try It Out

Update to v0.68.1 today to get the Copilot CLI hotfix and the new engine.bare control. As always, contributions and feedback are welcome in github/gh-aw.