v0.67.0
Release Highlights
This release delivers a major observability milestone with full OTLP trace export support, resolves critical GitHub MCP App token authentication bugs, expands the environment variable reference documentation, and addresses a wave of community-reported issues across self-hosted runners, cross-repo workflows, and the Codex engine.
What's New
OTLP Trace Export (observability.otlp)
Workflows can now export structured OpenTelemetry spans to any OTLP-compatible backend (e.g. Honeycomb, Grafana Tempo, Sentry) with a single frontmatter block:
    observability:
      otlp:
        endpoint: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
        headers: ${{ secrets.GH_AW_OTEL_HEADERS }}

Every job emits setup and conclusion spans with rich attributes (gh-aw.job.name, gh-aw.workflow.name, gh-aw.engine.id, token usage, and more). Cross-job trace correlation is wired automatically: all jobs in a run share a single trace ID originating from the activation job. Dispatched child workflows inherit the parent's trace context via aw_context, giving you end-to-end visibility across composite workflow chains. When a static endpoint URL is provided, its hostname is automatically added to the AWF firewall allowlist.
Environment Variable Reference
A new comprehensive Environment Variables reference section covers CLI configuration (DEBUG, GH_AW_FEATURES, …), per-phase model override variables (GH_AW_MODEL_AGENT_*), and guard policy fallback variables (GH_AW_GITHUB_BLOCKED_USERS, GH_AW_GITHUB_TRUSTED_USERS), previously discoverable only by reading source code.
Bug Fixes & Improvements
- GitHub MCP App token always empty - actions/create-github-app-token masks its output token and GitHub Actions runner v2.308+ silently drops masked values from job outputs, causing github_mcp_app_token to always arrive empty in the agent job (GitHub MCP server ran unauthenticated). The token is now minted directly in the agent job to avoid the cross-job output masking issue. (closes #24569)
- Duplicate "Generate GitHub App token" step - when multiple checkout: entries fell back to the top-level github-app:, the compiler produced steps with the same name, causing a duplicate-step validation error. Each step is now uniquely named. (closes #24573)
- Tavily MCP docs and mcp inspect missing servers - the web-search guide referenced the wrong npm package (@tavily/mcp-server → @tavily/mcp) and a dead GitHub URL. Additionally, gh aw mcp inspect now correctly reports MCP servers defined in imported workflows and handles on: issues string triggers. (closes #24567)
- repo-memory file-glob patterns silently skipping files - documentation and several built-in workflow templates incorrectly instructed agents to prefix file-glob patterns with the branch path (e.g. memory/branch-name/*.json). Patterns are matched against relative paths from the artifact directory, so bare extension patterns (*.json) are correct. All affected workflows and the reference docs have been fixed.
- Remote workflow calls - fixed a regression that broke workflow_call triggers in cross-repository setups. (closes #24422)
- workflow_call missing ref: in cross-repo checkout - activation job now correctly passes ref: when checking out a target repository for workflow_call triggers. (closes #20508)
- setup.sh create_dir() fails on self-hosted Linux runners - create_dir() now uses sudo when the runner user lacks write access to /opt/. (closes #20283)
- Codex engine on self-hosted runners - the vendored codex-x86_64-unknown-linux-musl binary now correctly supports --dangerously-bypass-approvals-and-sandbox. (closes #20157)
- GH_AW_SAFE_OUTPUTS_CONFIG_PATH / GH_AW_SAFE_OUTPUTS_TOOLS_PATH not available as env vars - these paths are now written to both GITHUB_OUTPUT and GITHUB_ENV so downstream jobs can reference them as environment variables. (closes #23092)
- agent_version: latest causes 400 Bad Request with Gemini models - version resolution now correctly handles latest for model/version combinations that do not support it. (closes #20833)
- Runtime parameterization of frontmatter fields - compile-time frontmatter fields can now be overridden at runtime via ${{ vars.* }} or ${{ secrets.* }} expressions in supported fields. (closes #23724)
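The cross-job masking failure from the first bug fix above, as an added example (not gh-aw's code or compiler output): a small lint that reports job outputs forwarding a token minted by actions/create-github-app-token, the pattern these notes describe as arriving empty downstream. The workflow fragments, variable and secret names, script name and the find_forwarded_app_tokens helper are constructed for illustration.

```python
import re

# Constructed, trimmed workflow fragments (triggers and runs-on omitted).
FORWARDED = """\
jobs:
  activation:
    outputs:
      github_mcp_app_token: ${{ steps.app-token.outputs.token }}
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v1
        with: {app-id: "${{ vars.APP_ID }}", private-key: "${{ secrets.APP_KEY }}"}
  agent:
    needs: activation
    steps:
      - run: ./start-mcp-server.sh  # hypothetical consumer script
        env:
          GITHUB_TOKEN: ${{ needs.activation.outputs.github_mcp_app_token }}
"""
SAME_JOB = """\
jobs:
  agent:
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v1
        with: {app-id: "${{ vars.APP_ID }}", private-key: "${{ secrets.APP_KEY }}"}
      - run: ./start-mcp-server.sh
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
"""

MINT = "uses: actions/create-github-app-token@"
STEP_ID = re.compile(r"(?m)^[ \t]*(?:-[ \t]+)?id:[ \t]*([\w-]+)")
REF = re.compile(r"\s*([\w-]+):\s*\$\{\{\s*steps\.([\w-]+)\.outputs\.token\s*\}\}")

def find_forwarded_app_tokens(workflow):
    """Return job-output names that forward a token minted by the App-token action."""
    steps = re.split(r"(?m)^(?=[ \t]*- )", workflow)  # one chunk per list item
    mint_ids = {m[1] for s in steps if MINT in s and (m := STEP_ID.search(s))}
    flagged, out_indent = [], None
    for line in workflow.splitlines():
        indent = len(line) - len(line.lstrip())
        if out_indent is not None and line.strip() and indent <= out_indent:
            out_indent = None  # dedent: left the outputs: mapping
        if line.strip() == "outputs:":
            out_indent = indent
        elif out_indent is not None and (m := REF.match(line)) and m[2] in mint_ids:
            flagged.append(m[1])
    return flagged
```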
Internal
- Shared OTLP observability config extracted into shared/observability-otlp.md, adopted by 54 workflows (30% of the repo).
- hourly-ci-cleaner switched to the Claude engine with max-turns: 20, scoped make recompile to only when .md files changed, and added exit guardrails to eliminate the previous ~43% failure rate.
- Token optimizer data loading moved to deterministic pre-agentic steps, removing dependency on the unreliable agentic-workflows MCP container.
Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release!
@bbonafed
@Esomoire-consultancy-Company
- ✨ Set up Copilot instructions (direct issue)
@glitch-ux
- docs: add CLI and operator environment variable reference (direct issue)
@grahame-white
@jaroslawgajewski
- feat: OTLP trace export from agent runtime (direct issue)
@johnwilliams-12
@MattSkala
- Invalid tavily MCP search link and config in docs (direct issue)
@microsasa
@Rubyj
- setup.sh: create_dir() does not use sudo on Linux, breaks self-hosted runners where runner user lacks write access to /opt/ (direct issue)
@straub
- Bug: github_mcp_app_token activation output silently skipped - regression introduced in #24251 (direct issue)
@strawgate
- Remote workflow call still broken (direct issue)
@tomasmed
@yskopets
For complete details, see CHANGELOG.
What's Changed
- fix: handle null token_usage in optimizer jq aggregations by @lpcox in #24400
- feat: create shared/token-logs-24h.md to ensure log cache reuse across token workflows by @Copilot in #24417
- docs: add CLI and operator environment variable reference by @Copilot in #24407
- fix: strip surrounding quotes from --allow-domains value in agent log firewall parsing by @Copilot in #24409
- chore: update drain3 default log pattern weights by @github-actions[bot] in #24423
- feat(logs): query GitHub API rate limit before each batch iteration by @Copilot in #24424
- feat: show dedicated message for cyber_policy_violation engine failures by @Copilot in #24428
- feat: add missing OpenAI GPT model multipliers by @Copilot in #24430
- Comment out stale-check in generated lock.yml by @Copilot in #24435
- feat: add Python trending charts to Copilot Token Usage Analyzer by @Copilot in #24434
- fix: install gh-aw CLI in shared token-logs-24h before fallback download by @lpcox in #24438
- Fix stale lock check to resolve callee repo for cross-repo reusable workflows by @Copilot in #24433
- [docs] Remove redundant Safe Output Operations section from project-tracking by @github-actions[bot] in #24432
- Update Token Usage step summary and convert to JavaScript by @Copilot in #24436
- fix: add rate limit and error logging to shared token-logs step by @lpcox in #24444
- fix: guard gh-aw-logs commands against set -e errexit by @lpcox in #24447
- chore: update drain3 default log pattern weights by @github-actions[bot] in #24446
- [code-simplifier] refactor: extract duplicate GitHub repo path regex to named constant by @github-actions[bot] in #24449
- chore: remove token usage analyzers, optimizers, and shared deps by @lpcox in #24448
- docs: enhance existing pages with audit cross-references and glossary entries by @Copilot in #24453
- chore(deps): bump defu from 6.1.4 to 6.1.6 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #24455
- Improve test quality: pkg/cli/awinfo_steps_test.go by @Copilot in #24452
- Add compiler check disallowing secrets expressions in custom steps by @Copilot in #24450
- [docs] docs: document secrets-in-custom-steps compiler check (dev.md v5.2) by @github-actions[bot] in #24466
- [instructions] Sync github-agentic-workflows.md with v0.66.1 by @github-actions[bot] in #24463
- [architecture] Update architecture diagram - 2026-04-04 by @github-actions[bot] in #24459
- [community] Update community contributions in README by @github-actions[bot] in #24464
- test(agentdrain): rewrite anomaly_test.go with testify and table-driven tests by @Copilot in #24470
- [dead-code] chore: remove dead functions - 6 functions removed by @github-actions[bot] in #24476
- [docs] Self-healing documentation fixes from issue analysis - 2026-04-04 by @github-actions[bot] in #24493
- docs: add guide for consuming audit reports with agents by @Copilot in #24454
- fix: correct invalid anchor hash in glossary link to audit reference by @Copilot in #24494
- fix: fail-open on API rate limit in check_skip_if_check_failing; sudo for AWF binary verification on GPU runners by @Copilot in #24482
- feat: list secrets & custom actions in lock file header; move gh-aw-metadata to first line by @Copilot in #24495
- refactor: remove dead code, thin wrappers, and duplicate logic identified in semantic clustering analysis by @Copilot in #24497
- fix: remove bold tags from details/summary sections by @Copilot in #24502
- fix: filter aw_context from user-facing workflow inputs by @Copilot in #24521
- Fix repo-root-relative import path resolution in ResolveIncludePath by @Copilot in #24501
- feat: add copilot-token-audit and copilot-token-optimizer workflows by @lpcox in #24528
- fix: use gh aw --version to check CLI availability by @lpcox in #24535
- fix: recompile token audit and optimizer lock files by @lpcox in #24543
- docs: document import path resolution modes (relative, repo-root-relative, cross-repo) by @Copilot in #24536
- fix: spinner consumes stdin causing double-Enter required in add-wizard by @Copilot in #24523
- fix: reduce token audit scope to last 24 hours by @lpcox in #24547
- fix: skip engine: copilot in add/add-wizard; add blank line separator before source by @Copilot in #24539
- feat: support token usage diff and multiple comparison runs in audit diff command by @Copilot in #24544
- [ca] test: add missing exportVariable and setOutput mocks to parse_mcp_gateway_log test by @github-actions[bot] in #24559
- Improve action log step summary: 2-line tool previews and nicer agent messages by @Copilot in #24558
- Add DefaultEngine constant and replace semantic-default uses of CopilotEngine by @Copilot in #24554
- fix: handle partial results from gh aw logs on rate limit by @lpcox in #24571
- [docs] Update documentation for features from 2026-04-04 by @github-actions[bot] in #24574
- fix(step-names): align Fetch step names and capitalize Write Gemini Settings by @Copilot in #24578
- fix: replace broken gh-aw install step in token audit workflow by @lpcox in #24590
- [log] add debug logging to agentdrain and parser packages by @github-actions[bot] in #24586
- fix: mint GitHub MCP App token in agent job, not activation job by @Copilot in #24585
- feat: OTLP trace export via observability.otlp frontmatter config by @Copilot in #24441
- fix: replace broken gh-aw install step in token optimizer workflow by @lpcox in #24598
- cleanup: remove legacy daily-copilot-token-report workflow by @lpcox in #24599
- fix: revert minting tokens for mcp-servers github-app from activation job back to agent job by @Copilot in #24600
- fix: change token optimizer output from discussion to issue by @lpcox in #24605
- feat: extend MCP gateway specification with optional OpenTelemetry configuration (v1.11.0) by @Copilot in #24602
- feat: propagate pre-activation trace-id to activation job and reduce setup.sh verbosity by @Copilot in #24604
- fix: remove branch-name prefix from repo-memory glob filter by @lpcox in #24613
- fix: unique step names for checkout GitHub App token minting steps by @Copilot in #24609
- fix: update stale anchor in glossary for gh aw audit diff by @Copilot in #24620
- fix: correct file-glob pattern docs and workflows for repo-memory by @Copilot in #24621
- fix: move optimizer data loading to pre-agentic steps by @lpcox in #24625
- fix: token optimizer step ordering - move selection to agent by @lpcox in #24637
- refactor: extract shared OTLP observability config, import in 30% of workflows by @Copilot in #24626
- Fix invalid Tavily MCP package name/link in docs and mcp inspect missing servers bug by @Copilot in #24610
- ci-cleaner: switch to Claude with max-turns, scope recompile, add exit guardrails by @Copilot in #24623
Full Changelog: v0.66.1...v0.67.0