chore(deps): update github/gh-aw action to v0.71.5

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
github/gh-aw	action	minor	v0.67.1 → v0.71.5

---

Release Notes

github/gh-aw (github/gh-aw)

v0.71.5

Compare Source

🌟 Release Highlights

This release focuses on reliability and correctness across the engine.env compilation pipeline, the security check layer, and the Claude engine — with five community-reported issues resolved.

🐛 Bug Fixes & Improvements

• Claude engine stability — Workflows using the claude engine no longer crash mid-session with "Fast mode unavailable". CLAUDE_CODE_DISABLE_FAST_MODE=1 is now set automatically to suppress an incompatible server-side flag introduced in Claude Code 2.1.120+.

• engine.env multi-line values — Block-scalar engine.env values (written with >- and extra-indented continuation lines) previously compiled to broken YAML with embedded newlines. These now compile correctly into valid multi-line env: entries. (Reported by @jeffhandley in #​30204)

• engine.env needs expressions — Custom job references in engine.env values (e.g. ${{ needs.my_job.outputs.value }}) were silently dropped from the agent job's needs list, causing those expressions to evaluate to empty strings at runtime. The compiler now correctly wires these dependencies. (Reported by @jeffhandley in #​30232)

• gh aw upgrade false BYOK warning — gh aw upgrade was incorrectly warning "Remove unsafe secrets from engine.env" for COPILOT_PROVIDER_API_KEY and COPILOT_PROVIDER_BEARER_TOKEN, silently stripping legitimate BYOK configuration. gh aw upgrade now matches gh aw compile in allowing these keys. (Reported by @MauroDruwel in #​30178)

• pull_request_review activation signal — Workflows triggered by pull_request_review events no longer silently skip the 👀 reaction and run-started comment. The buildReactionLikeCondition allowlist now includes this event type. (Reported by @mason-tim in #​30336)

• Confused-deputy false positive for bot-menu patterns — The security check introduced in v0.71.4 was blocking the legitimate pattern where a bot posts a checkbox-menu comment and a human maintainer edits it to tick a box (issue_comment:edited). The check now automatically detects [bot]-authored comments and skips the guard for that path, while keeping all other issue_comment:created paths fully protected. (Reported by @theletterf in #​30327)

✨ What's New

• allow-bot-authored-trigger-comment frontmatter option — For bots that don't follow the standard [bot] naming convention, you can now opt into the confused-deputy bypass explicitly:

  on:
    issue_comment:
      types: [edited]
    allow-bot-authored-trigger-comment: true

• MCP progress notifications — The logs, audit, and audit-diff MCP tools now stream real-time progress updates to AI clients (Copilot, Claude) during long-running operations, eliminating silent 30+ second waits.

• MCP Gateway bump to v0.3.6 — The embedded MCP gateway has been updated to ghcr.io/github/gh-aw-mcpg:v0.3.6 with pinned digest for supply-chain safety.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@jeffhandley

• Agent 'needs' does not incorporate jobs in engine.env expressions (direct issue)
• Multi-line expressions unsupported in engine.env values (direct issue)

@mason-tim

• Activation comment / reaction not posted for pull_request_review triggers — buildReactionLikeCondition allowlist is incomplete (direct issue)

@MauroDruwel

• gh aw upgrade: still warns 'Remove unsafe secrets from engine.env' despite fix in #​29378 for compile (direct issue)

@theletterf

• Confused-deputy check denies legitimate bot-posted-menu / user-checks-box pattern on issue_comment(edited) (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.7M

---

What's Changed

• [spec-enforcer] Enforce specifications for cli by @​github-actions[bot] in #​30141
• [docs] Update documentation for features from 2026-05-04 by @​github-actions[bot] in #​30136
• [docs] Update glossary - weekly full scan by @​github-actions[bot] in #​30133
• feat: auto-allow playwright-cli bash command when playwright cli mode is enabled by @​Copilot in #​30126
• Add mattpocock-skills-reviewer agentic workflow by @​Copilot in #​30122
• [architecture] Update architecture diagram - 2026-05-04 by @​github-actions[bot] in #​30117
• [instructions] Sync github-agentic-workflows.md with v0.40.1 by @​github-actions[bot] in #​30112
• [specs] Update layout specification - 2026-05-04 by @​github-actions[bot] in #​30105
• Fix stale $INSTRUCTION assertion in TestEngineArgsIntegrationCodex by @​Copilot in #​30100
• [schema-coverage] feat: Add schema coverage demo for metadata field by @​github-actions[bot] in #​30099
• [schema-coverage] feat: Add schema coverage demo for labels field by @​github-actions[bot] in #​30098
• [spec-review] Update Safe Outputs conformance checker for recent spec changes by @​github-actions[bot] in #​30074
• [log] add debug logging to 5 Go packages by @​github-actions[bot] in #​30061
• Add GitHub Copilot billing multipliers collection to daily-model-inventory workflow by @​Copilot in #​30060
• Fix missing safe-output calls in Schema Consistency Checker and Multi-Device Docs Tester by @​Copilot in #​30109
• fix: resolve 3 claude-engine workflow failures (safe-output misses + blocked commands) by @​Copilot in #​30110
• chore: reduce per-engine boilerplate in domains.go public API by @​Copilot in #​30072
• [dead-code] chore: remove dead functions — 4 functions removed by @​github-actions[bot] in #​30167
• [docs] Consolidate developer specifications v9.0 — tone fix and engine domain registry docs by @​github-actions[bot] in #​30157
• docs: fix spec audit — add Public API, Usage Examples, and Dependencies to 17 packages by @​Copilot in #​30155
• fix(workflow): normalize report formatting in copilot-pr-nlp-analysis by @​Copilot in #​30160
• deps: update github.com/modelcontextprotocol/go-sdk v1.5.0 → v1.6.0 by @​Copilot in #​30164
• fix: 4 CLI consistency issues in mcp, logs, and init commands by @​Copilot in #​30158
• feat: Add daily Grafana OTel Instrumentation workflow by @​mnkiefer in #​30190
• fix: replace hardcoded mcpToolParams() with reflection-based extraction by @​Copilot in #​30166
• [jsweep] Clean add_reaction_and_edit_comment.cjs by @​github-actions[bot] in #​30062
• fix: add actions: read permission to smoke-water.yml (#investigate-smoke-water-failure) by @​Copilot in #​30197
• fix: format Go code with go fmt by @​Copilot in #​30199
• feat: delegate Phase 6 & 7 of daily-security-red-team to haiku inline sub-agents by @​Copilot in #​30195
• Add service.version to setup job spans via compiler env injection by @​Copilot in #​30198
• fix: gh aw upgrade strips BYOK credentials from engine.env by @​Copilot in #​30194
• fix: add missing noop calls to 4 workflows causing silent failures by @​Copilot in #​30210
• feat: merge all OTLP endpoints from shared agentic workflow imports by @​Copilot in #​30209
• fix: remove empty parent block after last child is removed by codemod by @​Copilot in #​30216
• perf: fix ~28% BenchmarkYAMLGeneration regression by eliminating reflection hot path by @​Copilot in #​30208
• fix(otlp): add standard resource attributes to logSpan tool spans by @​Copilot in #​30215
• feat: model alias inventory update 2026-05-05 by @​Copilot in #​30238
• Bump firewall to v0.25.38 and mcpg to v0.3.6 by @​Copilot in #​30230
• test(parser): improve import_cache_test.go quality per testify-expert criteria by @​Copilot in #​30218
• Fix mcp list-tools tab completion offering completions for second positional arg by @​Copilot in #​30221
• chore(deps): update fsnotify v1.9.0 → v1.10.0 by @​Copilot in #​30222
• Add MCP server unit tests using InMemoryTransport (no subprocess) by @​Copilot in #​30223
• refactor: eliminate near-duplicate string utilities, promote general-purpose helpers to pkg/stringutil by @​Copilot in #​30249
• fix: set CLAUDE_CODE_DISABLE_FAST_MODE=1 to prevent mid-session crash in Claude engine by @​Copilot in #​30255
• fix: add chatgpt.com to CodexDefaultDomains and recompile all workflows by @​Copilot in #​30207
• Add MCP progress notifications to logs, audit, and audit-diff tools by @​Copilot in #​30247
• fix: handle multi-line engine.env values as YAML literal block scalars by @​Copilot in #​30240
• Fix agent job needs not populated from engine.env needs expressions by @​Copilot in #​30239
• Remove APM testing from smoke-claude by @​Copilot in #​30257
• fix: two-checkpoint pre-flight validation + PR closure reason labeling by @​Copilot in #​30253
• [log] Add debug logging to five pkg/ files by @​github-actions[bot] in #​30266
• [docs] fix: correct spelling errors in docs (American English conventions) by @​github-actions[bot] in #​30265
• fix: remove duplicate repoConfigLog declaration breaking wasm build by @​Copilot in #​30268
• docs: generate model alias & multiplier reference tables from JSON data by @​Copilot in #​30256
• docs: add FAQ entry on forwarding agent/detection artifacts post-conclusion by @​Copilot in #​30278
• feat: emit gh-aw.detection.conclusion and gh-aw.detection.reason as OTLP span attributes by @​Copilot in #​30273
• [jsweep] Clean expired_entity_cleanup_helpers.cjs by @​github-actions[bot] in #​30271
• feat: handle local directory arguments in compile command by @​Copilot in #​30295
• Bump AWF firewall version to v0.25.39 by @​Copilot in #​30263
• Auto-switch push_to_pull_request_branch to bundle transport when merge commits are detected by @​Copilot in #​30287
• [docs] Update glossary - daily scan by @​github-actions[bot] in #​30334
• [instructions] Sync github-agentic-workflows.md with release v0.40.1 by @​github-actions[bot] in #​30318
• build(deps): Bump github.com/fsnotify/fsnotify from 1.10.0 to 1.10.1 by @​dependabot[bot] in #​30329
• Add stale-pr-cleanup workflow to triage 30+ day PR backlog by @​Copilot in #​30317
• [architecture] Update architecture diagram - 2026-05-05 by @​github-actions[bot] in #​30323
• feat: enable checksum validation by default in install-gh-aw.sh by @​Copilot in #​29223
• chore: remove dead parameters from findIncludesInContent and findPreviousSuccessfulWorkflowRuns by @​Copilot in #​30311
• Change architecture diagram workflow from daily to weekly by @​Copilot in #​30349
• feat: split github-agentic-workflows.md into focused sub-files and update instructions-janitor by @​Copilot in #​30351
• chore: centralize BUG panic for invalid model in domain computation by @​Copilot in #​30310
• fix(otel): eliminate gen_ai.usage.* double-counting and gen_ai.request.model duplicate on agent span by @​Copilot in #​30350
• [instructions] Sync instruction files — fix cli-proxy and reduce safe-outputs.md by @​github-actions[bot] in #​30359
• fix: explicitly default sandbox.agent to awf in strict mode when id is not specified by @​Copilot in #​30355
• Normalize report formatting in approach-validator, agent-performance-analyzer, and q workflows by @​Copilot in #​30362
• feat: add elseif handler syntax support in template expression rendering (#elseif, #else-if, #else_if variants) by @​Copilot in #​30358
• fix: include pull_request_review in reaction/status-comment conditions by @​Copilot in #​30354
• Move dictation prompt to root DICTATION.md by @​Copilot in #​30366
• fix: allow bot-posted-menu / user-checks-box pattern to bypass confused-deputy check by @​Copilot in #​30352
• fix: emit model aliases under apiProxy.models instead of top-level config.models by @​Copilot in #​30367
• build(deps-dev): Bump @​actions/github from 9.1.0 to 9.1.1 in /actions/setup/js by @​dependabot[bot] in #​30331
• docs: add Autoloop callout to landing page by @​Copilot in #​30399
• fix: reduce contribution-check token usage via truncation, concurrency, and turn cap by @​Copilot in #​30387
• [docs] Update Astro dependencies - 2026-05-05 by @​github-actions[bot] in #​30388
• Add agentic-ops workflows by @​mnkiefer in #​30379
• Add redirect from shared/apm.md to microsoft/apm upstream and update docs by @​Copilot in #​30397
• fix: use require.Error for error assertion in compile_args_test.go by @​Copilot in #​30394
• feat: Update OTel instrumentation workflow to support multiple endpoints by @​mnkiefer in #​30309
• chore: update source reference in token optimizer workflows by @​mnkiefer in #​30420
• Rename MustBeWithin → ValidatePathWithinBase in pkg/fileutil by @​Copilot in #​30421
• Add MCP Gateway v0.3.6 container pin to lock data and embedded pin maps by @​Copilot in #​30408
• Fix js-typecheck failure in template_branch.cjs null-else branch typing by @​Copilot in #​30424
• Fix CJS shard failures caused by template_branch.cjs integration gaps by @​Copilot in #​30425
• Bump default AWF firewall image set to v0.25.40 by @​Copilot in #​30406

Full Changelog: github/gh-aw@v0.71.4...v0.71.5

v0.71.4

Compare Source

🌟 Release Highlights

This release delivers a major A/B experimentation infrastructure, significant performance optimizations, improved security hardening, and a growing set of engine/model improvements.

✨ What's New

🧪 A/B Experiments CLI & Infrastructure
A full experiment lifecycle is now supported: define variants, run them round-robin, collect per-run state, and analyze results statistically. New commands include gh aw experiments to read experiment state from storage branches and gh aw experiments analyze for statistical computation (significance testing, sample-size tracking). Workflows can now store experiment state in either cache or a dedicated repo branch.

• #​30020 Add experiments command for reading experiment state
• #​30029 Extend experiments analyze with statistical computation
• #​29985 Experiment schema additions, per-run state, OTEL attributes, audit accuracy
• #​29996 Add storage option (cache | repo, default repo) to experiments
• #​29988 Select randomly on cache miss instead of always picking first variant

🤖 Codex Engine: Default Harness with Retry Logic
Codex workflows now get a default codex_harness.cjs with built-in retry logic, making Codex-engine workflows more resilient out of the box. (#​30035)

🔬 AWF /reflect Endpoint Integration
Agent harnesses now fetch the /reflect endpoint before and after running the agent, surfacing model introspection data in step summaries for better observability. (#​29420, #​30028)

🔐 Pull Request Security: pwn-request Detection
The compiler now validates pull_request_target workflows and detects patterns that could expose secrets to untrusted code — protecting repositories from confused-deputy attacks. (#​29433)

📊 Multiple OTLP Endpoints
The endpoint field in OTLP observability config is now polymorphic — supply a single endpoint string or an array to fan out telemetry to multiple backends simultaneously. (#​30021)

🏷️ Model Aliases & Validation
New builtin aliases gpt-4.1, reasoning (o1/o3/o4 families), and gpt-5-nano; fixed gpt-5-mini multiplier placeholder (was 0). Model aliases are now validated against the Model Alias Format spec. GitHub Actions expressions are now supported in alias parsers. (#​30003, #​30000, #​29995)

🔒 Minimal Secrets Inheritance by Default
Workflows no longer use secrets: inherit by default — the compiler now infers the minimal set of secrets actually needed, reducing the blast radius of any token compromise. (#​29455)

⏱️ --cool-down Flag for update Command
gh aw update now accepts --cool-down (default 7d) to avoid re-updating workflows that were recently refreshed. (#​29454)

🖼️ <img> Tags in Safe Outputs
Safe-outputs HTML rendering now allows <img> tags, enabling richer formatted output in issue/PR comments. (#​29401)

⚡ Performance

• YAML generation: -7% latency, -10% allocations on hot paths (#​29409)
• Validation: 73% reduction in allocations — 11 → 3 allocs/op (#​29408)
• Compiler: Eliminated redundant frontmatter re-parse in buildJobs (#​29410)

🐛 Bug Fixes & Improvements

• Compiler detects single-quoted bash commands that crash Copilot CLI and now sanitizes them automatically (#​30040)
• Action version downgrade prevention: UpdateActions no longer pins actions to older SHAs (#​29477)
• MCP stdin piping: mcp-cli-bridge now supports multiline tool arguments via stdin (#​29446)
• Schema validation errors: Raw schema errors are now transformed into actionable, human-readable messages (#​29406)
• Dependabot security: Bot filtering is now guarded against confused-deputy attacks via dependabot (#​29432)
• COPILOT_PROVIDER_ strict-mode*: Tokens are now allowed through strict-mode allowlist; BYOK mode documented (#​29411)
• Round-robin on cache miss: Starting item is now randomly selected to avoid thundering-herd on first run (#​30005)

📚 Documentation

• W3C-style A/B Experiments Specification — formal spec for experiment definitions
• Model Alias Format Specification
• COPILOT_PROVIDER_* variables and BYOK mode are now documented (#​29411)
• Updated tools instructions and builtin prompts for gh-proxy mode (#​29412)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bartul

• Upload activation artifact step missing include-hidden-files: true — silently drops .claude/.github from activation snapshot (direct issue)

@MauroDruwel

• docs: COPILOT_PROVIDER_* variables not documented and strict-mode allowlist not updated (direct issue)
• question: why is COPILOT_GITHUB_TOKEN still required when using an external provider? (direct issue)

@sg650

• Add <img> to safe-outputs HTML tag allowlist (direct issue)

@szabta89

• Proposal: make Repo Mind Light integration more reusable in gh-aw (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release · ● 1.1M

---

What's Changed

• fix: resolve stale wasm golden files and missing serena.md test fixture by @​Copilot in #​29370
• Introduce shared/daily-pr-base.md for automated code-improvement PR workflows by @​Copilot in #​29368
• Fix thundering-herd rate-limit failures: spread FUZZY:DAILY pool from 3h to 18h window by @​Copilot in #​29369
• [spec-enforcer] Enforce specifications for timeutil, tty, types by @​github-actions[bot] in #​29385
• fix(daily-community-attribution): cap Tier 3 lookups and add token budget guardrails to stop runaway by @​Copilot in #​29383
• fix(smoke-claude): resolve only unresolved review threads in test #​16 by @​Copilot in #​29373
• Introduce shared/daily-issue-base.md for scheduled issue-creating workflows by @​Copilot in #​29374
• feat(copilot-session-insights): add orphaned branch escalation detection for high-gate CI waste by @​Copilot in #​29384
• fix(design-decision-gate): add MCP keepalive-interval: 60 to prevent GitHub MCP HTTP connection drops by @​Copilot in #​29375
• [FAQ] Add: controlling the agent's working branch at runtime by @​chrizbo in #​29377
• feat: add label-triggered jobs (disable workflow, apply safe outputs) to maintenance workflow by @​Copilot in #​29269
• fix: replace deprecated {{#import}} with {{#runtime-import}} in workflow files by @​Copilot in #​29399
• feat: add <img> to safe-outputs HTML tag allowlist by @​Copilot in #​29401
• optimize: reduce repository-quality-improver token usage ~800K/run by @​Copilot in #​29407
• fix(mcp): transform raw schema validation errors into helpful "Did you mean?" messages by @​Copilot in #​29406
• perf: eliminate redundant file read and frontmatter re-parse in buildJobs by @​Copilot in #​29410
• perf: optimize YAML generation hot paths (-7% latency, -10% allocations) by @​Copilot in #​29409
• docs: update tools instructions and builtin prompts for gh-proxy mode by @​Copilot in #​29412
• perf: reduce BenchmarkValidation allocations 73% (11 → 3 allocs/op) by @​Copilot in #​29408
• fix: add COPILOT_PROVIDER_* to strict-mode allowlist, skip token validation in BYOK mode, and document Copilot BYOK by @​Copilot in #​29411
• feat(token-optimizer): migrate prompt to gh-proxy mode with bash+jq efficiency guidance by @​Copilot in #​29415
• Convert 55.8% of agentic workflows to use tools.github mode: gh-proxy and tools.cli-proxy by @​Copilot in #​29418
• Fix integration tests: update domain checks from CLI flags to JSON config keys by @​Copilot in #​29429
• Add pull_request_target security validation (pwn request detection) by @​Copilot in #​29433
• [jsweep] Clean add_reaction_and_edit_comment.cjs by @​github-actions[bot] in #​29439
• fix: safe_output_summary shows final posted body including footer for add_comment by @​Copilot in #​29435
• feat: add AWF /reflect endpoint fetch to agent harness and step summary by @​Copilot in #​29420
• security: guard bot filtering against dependabot confused deputy attacks by @​Copilot in #​29432
• fix(mcp-cli-bridge): add stdin piping support for multiline tool arguments by @​Copilot in #​29446
• fix(jsweep): resolve 100% cache miss by adding concrete state management by @​Copilot in #​29452
• [instructions] Add on.labels, comment-memory, allowed-base-branches by @​github-actions[bot] in #​29473
• [architecture] Update architecture diagram - 2026-05-01 by @​github-actions[bot] in #​29488
• fix: prevent action version downgrades in UpdateActions by @​Copilot in #​29477
• fix(cache): persist meaningful state and add hit-history tracking in Smoke Codex by @​Copilot in #​29479
• fix(go-fan): specify explicit cache file path to suppress false cache_memory_miss alerts by @​Copilot in #​29485
• [caveman] Optimize instruction verbosity — developer.instructions.md (2026-05-01) by @​github-actions[bot] in #​29490
• chore: bump CLI/MCP tool versions (Claude Code 2.1.126, Copilot 1.0.39, Codex 0.128.0, Playwright MCP 0.0.72, MCP Gateway v0.3.3) by @​Copilot in #​29484
• feat: add --cool-down flag to update command with 7d default by @​Copilot in #​29454
• feat: avoid secrets:inherit as default, infer minimal set automatically by @​Copilot in #​29455
• [spec-extractor] Update package specifications for agentdrain, cli, console, constants by @​github-actions[bot] in #​29500
• Add codemods to auto-remove deprecated sandbox.mcp.* and sandbox.agent: false keys by @​Copilot in #​29483
• fix: add include-hidden-files: true to activation artifact upload step by @​Copilot in #​29510
• refactor: extract shared MCP script handler execution envelope by @​Copilot in #​29497
• Add add-comment, noop, and staged safe-outputs to stale-repo-identifier by @​Copilot in #​29515
• docs: add refusal-labels to integrity filtering and MCP gateway spec (v1.14.0) by @​Copilot in #​29516
• [docs] Update glossary - daily scan by @​github-actions[bot] in #​29518
• fix(rgs-004): add author_association guard to pre_activation jobs for comment-triggered workflows by @​Copilot in #​29481
• Improve test quality: pkg/cli/update_cooldown_test.go by @​Copilot in #​29522
• fix: add mcp_handler_process.cjs to setup.sh file lists and fix TS type annotation by @​Copilot in #​29523
• Add TruffleHog shared agentic workflow for secret detection in smoke-codex by @​Copilot in #​29512
• fix: sanitize repo-memory filenames before artifact upload to prevent NTFS character failures by @​Copilot in #​29520
• [FAQ] Update: off-platform admission control for safe outputs by @​chrizbo in #​29535
• fix: resolve 8 CLI help text consistency issues by @​Copilot in #​29550
• [docs] Developer instructions v8.3 maintenance tone scan by @​github-actions[bot] in #​29569
• refactor: address four code organization findings from semantic analysis by @​Copilot in #​29549
• fix(scatter): eliminate concurrent schedule bursts via composite-seed two-hash scatter by @​Copilot in #​29565
• Fix silent safe-output write failures under installation token rate limiting by @​Copilot in #​29543
• feat: extend frontmatter with A/B experiments section by @​Copilot in #​29534
• feat: add schedule heatmap calendar to --stats output by @​Copilot in #​29587
• refactor: split LogAnalysis into read-only and mutable interfaces by @​Copilot in #​29579
• refactor: decompose generateMainJobSteps and buildConsolidatedSafeOutputsJob by @​Copilot in #​29567
• Remove top-level bots from main JSON schema by @​Copilot in #​29592
• test: add skip-path and generate-path coverage for generateInterpolationAndTemplateStep by @​Copilot in #​29590
• refactor: EngineRegistry.Register returns error instead of panicking on invalid port by @​Copilot in #​29580
• Improve side-repo maintenance workflow header with better explanation and doc link by @​Copilot in #​29595
• feat: add daily ab-testing-advisor workflow by @​Copilot in #​29599
• feat: add experiment information as OTLP telemetry attribute by @​Copilot in #​29593
• Fix docs nav dropdown rendering off-screen with large fonts on Android Chrome by @​Copilot in #​29583
• fix: surface frontmatter hash computation failure instead of silently continuing by @​Copilot in #​29578
• feat: detect known credential-leaking actions and clean their artifacts before agent execution by @​Copilot in #​29588
• Add daily-experiment-report workflow by @​Copilot in #​29606
• Add .github/aw/experiments.md instruction file for A/B testing experiments by @​Copilot in #​29601
• feat(claude): add retry harness for transient Anthropic API failures by @​Copilot in #​29581
• fix(claude_harness): don't retry error_max_turns exits via --continue by @​Copilot in #​29619
• docs: add ExpertOps pattern (#expert-ops) by @​Copilot in #​29624
• feat: enhance experiment frontmatter schema with metadata fields by @​Copilot in #​29618
• Enhance pick_experiment.cjs step summary with description and issue link by @​Copilot in #​29627
• feat(audit): add --experiment and --variant filter flags, surface experiment in overview, update MCP tool by @​Copilot in #​29628
• [ab-advisor] A/B experiment: prompt_style for daily-community-attribution by @​Copilot in #​29620
• docs: document {{#if}} / {{#else}} / {{#endif}} template syntax in instructions files by @​Copilot in #​29637
• feat(mcp-cli-bridge): stdin JSON payload mode for multi-argument tool calls by @​Copilot in #​29636
• docs: add otlp.cjs helper and guide for emitting custom OTLP attributes from shared workflows by @​Copilot in #​29623
• feat: rewrite daily-experiment-report workflow with statistical analysis, bar charts, and discussion output by @​Copilot in #​29635
• feat: Support configurable MCP gateway tool timeout via engine.mcp.tool-timeout by @​Copilot in #​29633
• [FAQ] Add: How agent actions are constrained (commenting, PRs, files, external tools) by @​chrizbo in #​29642
• Fix build failure in integration tests: missing coolDown arg in resolveLatestRef calls by @​Copilot in #​29643
• fix(daily-security-red-team): add cache-memory to enable scan state persistence by @​Copilot in #​29645
• fix(slide-deck-maintainer): persist cache-memory state for round-robin source tracking by @​Copilot in #​29644
• [docs] Self-healing documentation fixes from issue analysis - 2026-05-02 by @​github-actions[bot] in #​29649
• Fix failing JS Tests (shard 3/4): align create_issue retry test assertions with RATE_LIMIT_RETRY_CONFIG by @​Copilot in #​29647
• fix(tests): update TestAPITargetDomains tests to check AWF JSON config instead of CLI flags by @​Copilot in #​29646
• feat: add body-header message type to safe outputs by @​Copilot in #​29648
• fix: add file-redirection example for JSON stdin mode in mcp_cli_tools_prompt (#​29649) by @​Copilot in #​29653
• fix: add messages_header.cjs to SAFE_OUTPUTS_FILES in setup.sh by @​Copilot in #​29662
• fix: default sandbox agent type to AWF when not explicit; reject empty type in strict mode by @​Copilot in #​29663
• [community] Update community contributions in README by @​github-actions[bot] in #​29672
• [log] Add debug logging to AWF config, MCP validation, and experiment/chain metrics by @​github-actions[bot] in #​29677
• feat(experiments): extend schema with guardrails/hypothesis/min_samples, enrich reporting & OTEL by @​Copilot in #​29670
• [code-simplifier] Flatten nested if in sandbox strict-mode validation by @​github-actions[bot] in #​29676
• [architecture] Update architecture diagram 2026-05-02 by @​github-actions[bot] in #​29713
• [instructions] Sync github-agentic-workflows.md with recent ADRs by @​github-actions[bot] in #​29710
• [docs] Update editor preview screenshots – 2026-05-02 by @​github-actions[bot] in #​29707
• fix(sec-004): add safe-outputs-exempt annotations to 4 handler files by @​Copilot in #​29714
• [actions] Update GitHub Actions versions - 2026-05-02 by @​github-actions[bot] in #​29705
• fix(ci): pass github.token via env mapping instead of direct run interpolation by @​Copilot in #​29719
• feat: add gh-aw.trigger.comment_id to setup and conclusion OTLP spans by @​Copilot in #​29733
• fix: surface ReadDir error in detectFirewallAuditArtifacts instead of silently returning partial results by @​Copilot in #​29724
• refactor: decompose generatePostAgentCollectionAndUpload into focused helpers by @​Copilot in #​29721
• fix: remove --ignore-scripts for crush install and add crush --version step by @​Copilot in #​29735
• fix: include workflow ID in experiment artifact cache keys and artifact name by @​Copilot in #​29747
• fix: suppress GitHub REST API deprecation warnings by adding X-GitHub-Api-Version header by @​Copilot in #​29743
• fix: update TestFirewallArgsIntegration for --allow-domains→config file migration and strict mode id requirement by @​Copilot in #​29753
• [spec-enforcer] Enforce specifications for actionpins, agentdrain, cli by @​github-actions[bot] in #​29763
• feat: add inline sub-agent syntax using ## agent: \name`` / H2 boundary delimiters with per-engine placement (experimental) by @​Copilot in #​29668
• docs: AW harness design plan (Pi SDK + extensions) by @​pelikhan in #​29667
• fix(spec-enforcer): add enforce_all input to process all packages in one run by @​Copilot in #​29765
• [docs] Tone scan v8.4: fix

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[deepsource-io]

DeepSource Code Review

We reviewed changes in a4ccdc8...53b257c on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
Python		May 6, 2026 11:42a.m.	Review ↗
Secrets		May 6, 2026 11:42a.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-10 00:53 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-11 00:54 UTC · at 962ccd6975185fe90f9ffcf7f2c85630e810ca44

This pull request spent 1 day 33 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)

• .github/workflows/agentics-maintenance.yml - No issues
• .github/workflows/code-simplifier.lock.yml - No issues

---

Notes: This PR updates GitHub Actions versions from v0.71.1 → v0.71.5 (incremental update). The changes are consistent across 9 locations in 2 workflow files. This is a straightforward dependency update with no security, reliability, or logic concerns.

---

_{Reviewed by ling-2.6-1t-20260423:free · 143,175 tokens}

---

_{Reviewed by ling-2.6-1t-20260423:free · 161,699 tokens}

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-11 00:54 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-13 17:52 UTC · at 12bb3e3ff9585ab26910b80c10e5309e29b68450

This pull request spent 2 days 16 hours 57 minutes 39 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-13 17:52 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-13 20:31 UTC · at 989e44b1b5e600b4c29575debef4592dbf4a301f

This pull request spent 2 hours 39 minutes 5 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-13 20:32 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-15 01:25 UTC · at aa3aa42aa7fe2b49fe23b2ef31a7de0829aec225

This pull request spent 1 day 4 hours 53 minutes 29 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-21 18:19 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-21 22:53 UTC · at f0226e8a125c057b5af8da7975722c13c2d0b76e

This pull request spent 4 hours 34 minutes 17 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-21 22:54 UTC · Rule: Github Actions Updates
• 🚫 Left the queue — 2026-04-27 17:40 UTC · at 45c1e6143bc7974cfda7abda3f43e8d2076e3419

This pull request spent 5 days 18 hours 45 minutes 48 seconds in the queue, with no time running CI.

Reason

The pull request #369 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-27 17:41 UTC · Rule: Github Actions Updates
• ✅ Checks started · on draft merge queue: embarking main (a4ccdc8), #348, #337, #344, #370, #371, #372, #373, #349, #342 and #369 together #385
• ✅ All checks passed · ready to merge 🚀
• 🔜 Merge

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud