Skip to content

[drift] docs: update gh-aw skill for v0.71.2–v0.71.4#826

Draft
github-actions[bot] wants to merge 1 commit intomainfrom
drift/gh-aw-v0.71.4-db4d8eca2380cf0b
Draft

[drift] docs: update gh-aw skill for v0.71.2–v0.71.4#826
github-actions[bot] wants to merge 1 commit intomainfrom
drift/gh-aw-v0.71.4-db4d8eca2380cf0b

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented May 4, 2026

Updates the gh-aw-guide skill and architecture reference to cover new features and security fixes in v0.71.2, v0.71.3, and v0.71.4.

P1 (Security) Changes

Item File/Section Updated
pull_request_target pwn-request detection — compiler now validates and flags dangerous patterns at compile time (v0.71.4+). Recompile workflows for protection. SKILL.md → Security-Critical Patterns #7
Bot-filtering dependabot confused deputy guard — skip-bots: now guards against dependabot confused deputy attack vectors (v0.71.4+). Recompile for fix. SKILL.md → Security-Critical Patterns #8

P2 (Author-Facing) Changes

Item File/Section Updated
\{\\{\#import}} deprecated → \{\\{\#runtime-import}} (v0.71.2+) SKILL.md → Anti-Patterns table; architecture.md → Prompt Rendering
push-to-pull-request-branch: cross-repo now supported (no longer same-repo only) + new check-branch-protection option (v0.71.2+) architecture.md → Safe Outputs Quick Reference
Threat detection: CAUTION alert injected at top of output + agentic-threat-detected label applied (v0.71.2+) architecture.md → Safe Outputs Quick Reference
engine.mcp.session-timeout frontmatter option to control MCP session lifetime (v0.71.3+) SKILL.md → Frontmatter Features
Parameterized safe-outputs for workflow_call inputs — control threat-detection, boolean flags, PR policy fields (v0.71.3+) SKILL.md → Frontmatter Features
Auto-inject create_issue safe output for workflows without explicit safe-output config (v0.71.3+) SKILL.md → Frontmatter Features
on.labels: filter — workflow only fires when issue/PR has specified labels (v0.71.4+) SKILL.md → Frontmatter Features
<img> tag added to safe-outputs HTML allowlist (v0.71.4+) SKILL.md → Frontmatter Features
COPILOT_PROVIDER_* in strict-mode allowlist + BYOK token validation bypass (v0.71.4+) SKILL.md → Frontmatter Features
add_reviewer now supports team_reviewers (v0.71.3+) SKILL.md → Frontmatter Features
tools.bash can now be parameterized for workflow_call reusable workflows (v0.71.3+) SKILL.md → Frontmatter Features
Copilot driver resilience: restarts fresh on null-type tool_call 400 error instead of using --continue (v0.71.3+) architecture.md → Troubleshooting
gh aw run --repeat wait extended from 30 min to 6 hours (v0.71.3+) architecture.md → Troubleshooting
MCP connection drops in long workflows: engine.mcp.session-timeout workaround architecture.md → Troubleshooting

P3 (Skipped — Internal Only)

  • Stale WASM golden files / serena.md test fixture fixes (internal test infrastructure)
  • shared/daily-pr-base.md and shared/daily-issue-base.md shared workflows (internal gh-aw use)
  • FUZZY:DAILY pool spread 3h→18h to reduce rate-limit thundering herd (internal scheduler)
  • repo-mind-light.md shared workflow (internal)
  • Community attribution cap + token budget guardrails (internal)
  • AWF JSON config file replaces CLI flag strings (internal compiler output format)
  • Copilot session insights orphaned branch detection (internal monitoring)
  • MCP "Did you mean?" schema error messages (internal UX)
  • Multiple performance optimizations (buildJobs, YAML generation, BenchmarkValidation) — internal
  • OTLP trace github.workflow_ref resource attribute — internal observability
  • safe_output_summary shows final posted body for add_comment — internal display fix
  • AWF /reflect endpoint fetch in agent harness — internal tooling
  • jsweep / spec-enforcer cleanups — internal
  • daily-cache-strategy-analyzer workflow — internal
  • Architecture diagram updates — internal
  • Gemini API routing fix / CLI bump — internal dependency

Versions Covered

v0.71.2, v0.71.3, v0.71.4

Generated by Instruction Drift Check · ● 2M ·

  • expires on May 18, 2026, 9:09 AM UTC

@github-actions
docs: update gh-aw skill for v0.71.2–v0.71.4
4740a21 
P1 security fixes:
- pull_request_target pwn-request detection (v0.71.4+)
- Bot filtering dependabot confused deputy guard (v0.71.4+)

P2 new features and behavior changes:
- {{#import}} deprecated → {{#runtime-import}} (v0.71.2+)
- push-to-pull-request-branch: cross-repo support + check-branch-protection option (v0.71.2+)
- Threat detection: CAUTION alert at top + agentic-threat-detected label (v0.71.2+)
- engine.mcp.session-timeout frontmatter option (v0.71.3+)
- Parameterized safe-outputs for workflow_call inputs (v0.71.3+)
- Auto-inject create_issue safe output for unconfigured workflows (v0.71.3+)
- on.labels filter for trigger events (v0.71.4+)
- <img> tag added to safe-outputs HTML allowlist (v0.71.4+)
- COPILOT_PROVIDER_* strict-mode allowlist + BYOK support (v0.71.4+)
- add_reviewer now supports team_reviewers (v0.71.3+)
- tools.bash parameterization (v0.71.3+)
- Copilot driver resilience: fresh restart on null-type tool_call 400 (v0.71.3+)
- gh aw run --repeat wait extended to 6 hours (v0.71.3+)

Updated last_reviewed_release to v0.71.4.

Co-authored-by: copilot-agentic-workflow[bot] <224017+copilot-agentic-workflow[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automation instruction-drift

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants