Weekly Update – June 1, 2026
It’s been a busy week in github/gh-aw! Five releases landed between May 28 and May 31, capped off by v0.77.4 — one of the biggest releases in recent memory. Here’s everything that shipped.
Release: v0.77.4
Section titled “Release: v0.77.4”v0.77.4 published on May 31st and packs in a ton of new capability.
What’s New
Section titled “ What’s New”-
Anthropic WIF Authentication (#35939): Claude-engine workflows can now authenticate via Workload Identity Federation. No more long-lived API key secrets stored in your repo — WIF handles it securely.
-
copilot-sdkEngine (#35936): A newengine: copilot-sdkfrontmatter option gives workflows direct access to the Copilot SDK runtime, opening up new integration patterns. -
aw.ymlManifest: Includes, Skills & Agents (#35778): Your repository manifest now supportsincludes,skills, andagentskeys so you can compose and share workflow components across repos. -
Per-Workflow 24-Hour Effective-Token Guardrail (#36042): A configurable token guardrail prevents runaway agent costs with enterprise-grade defaults and handy
ETshorthand support. -
search_commitsin GitHub MCP Search Toolset (#36115): Agents can now search commits directly via the GitHub MCP search toolset. -
New Skills:
copilot-reviewandgo-codemod(#36111, #36034): Two new skills help agents plan and address PR review feedback, and implement Go codemods for thegh aw fixcommand.
Notable Fixes
Section titled “ Notable Fixes”- Prefer toolcache Copilot CLI (#35992): Workflows now use the Actions toolcache copy of the Copilot CLI before downloading a release — faster setup for everyone.
- Reusable workflow timeout (#36107):
timeout-minutesis now correctly passed through reusable workflow callers. - Threat-detection hardening (#36113): Missing prompt artifacts no longer block safe-output execution.
on.needsYAML strip (#35965): Processedon.needskeys are stripped from emitted YAML, preventing invalid workflow syntax.
Release: v0.77.3
Section titled “Release: v0.77.3”v0.77.3 on May 29th brought sandbox improvements and better initialization:
authHeaderin sandbox agent targets (#35694): You can now specify custom authentication headers directly insandbox.agent.targetsfrontmatter.gh aw initcreates the Agentic Workflows custom agent (#35773): Runninggh aw initnow scaffolds a GitHub Copilot custom agent for Agentic Workflows right out of the box.- Stricter schema validation for
workflow_call/workflow_dispatch(#35788): Unknown input keys are now rejected at compile time.
Notable Merged PRs This Week
Section titled “Notable Merged PRs This Week”- Add project UTC offset support for rendered timestamps — Timestamps and expiration messages now render correctly for teams in non-UTC time zones.
- Optimize
api-consumption-reportwith inline small-model sub-agents — The API consumption report workflow is now faster and more efficient thanks to inline sub-agents. - Add structured diagnostics to the daily workflow ET guardrail — The effective-token guardrail now emits structured logs with a stable
[daily-workflow-et]prefix, making debugging much easier. - Enable
close_discussionsafe output in Daily Regulatory workflow — The regulatory compliance workflow can now close discussions as part of its cycle.
Agent of the Week: api-consumption-report
Section titled “ Agent of the Week: api-consumption-report”The bean counter who never sleeps — tracks every GitHub API call your workflows make and publishes a detailed report so you know exactly where your rate-limit quota is going.
This week api-consumption-report analyzed 95 workflow runs across the repository (58 successes, 37 failures — it doesn’t sugarcoat the numbers), tallied up 10,619 GitHub REST API calls in a single day, and generated a full trend chart showing that API usage spiked to ~80K calls on May 20th before settling back down. It also uploaded five charts as release assets — a trend line, a heatmap, a per-workflow breakdown, a “burners” donut chart, and a workflow-level trend — then published the whole package as a GitHub Discussion for everyone to browse.
Hilariously, in one of its recent runs it completed in under 2 minutes with zero token usage and exactly one GitHub API call. Turns out that was the run where the cache hadn’t warmed yet — it took a look around, shrugged, and went home early.
Usage tip: Schedule this workflow weekly to catch runaway API consumption before you hit rate limits — the per-workflow breakdown makes it easy to spot which agent is hogging the quota.
Try It Out
Section titled “Try It Out”Upgrade to v0.77.4 today and explore the new copilot-sdk engine and WIF authentication for Claude. As always, feedback and contributions are welcome at github/gh-aw.