
v0.67.4


@github-actions released this 09 Apr 17:08
78323e8

🌟 Release Highlights

This release delivers a critical Copilot engine reliability fix that restores all affected workflows, alongside a wave of new agentic workflow templates, meaningful security hardening, and a rich set of bug fixes driven by community reports.

🚨 Critical Fix: Copilot Engine Silent Startup Crash

All Copilot-engine workflows were silently failing for ~35+ hours starting April 8 due to a startup crash in Copilot CLI v1.0.21. This release pins DefaultCopilotVersion to 1.0.20 and recompiles all 187 workflow lock files to restore normal operation immediately.

✨ What's New

  • Five new agentic workflow templates — approach-validator, test-quality-sentinel, refactoring-cadence, architecture-guardian, and design-decision-gate expand the built-in workflow library for code quality, ADR enforcement, and architectural governance.

  • allowed-events filter for submit-pull-request-review — Workflows can now restrict which review types (APPROVE, COMMENT, REQUEST_CHANGES) the safe-output job may submit, giving maintainers tighter control over automated review actions. (#25484)

  • Copilot driver retry logic — The Copilot driver now retries on partial session failures, reducing flaky workflow runs caused by transient CAPI errors. (#25329)

  • --runner-guard compilation flag — gh aw compile now accepts --runner-guard to enforce runner constraints in the static-analysis-report workflow. (#25281)

  • Version bumps — Firewall updated to v0.25.18 and MCP Gateway to v0.2.17 for all compiled workflows. (#25505)

🔒 Security Hardening

  • NFKC normalization + homoglyph detection — SafeOutputs now normalizes Unicode input using NFKC and detects Cyrillic/Greek homoglyph substitutions. The Secret Leak threat detection check is also hardened to catch more patterns. (#25458)

  • HTML comment bypass fix — removeXmlComments is now applied before mention neutralization, closing a potential injection path in safe-output processing. (#25462)
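The two SafeOutputs changes above, as an added illustration that is not gh-aw's own code: NFKC normalization with a constructed, partial Cyrillic/Greek homoglyph table, followed by comment removal and then mention neutralization in the order the notes describe. The function names, the backtick-wrapping style of neutralization, and the placement of normalization ahead of both steps are assumptions made for this example.

```javascript
// Added illustration of the SafeOutputs hardening above; this is not gh-aw's own code.
// Constructed, partial table of Cyrillic and Greek code points that render like Latin letters.
const HOMOGLYPHS = new Map([
  // Cyrillic letters that look like Latin a e o p c y x / A E O
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043E', 'o'], ['\u0440', 'p'], ['\u0441', 'c'],
  ['\u0443', 'y'], ['\u0445', 'x'], ['\u0410', 'A'], ['\u0415', 'E'], ['\u041E', 'O'],
  // Greek letters that look like Latin a o / A B E
  ['\u03B1', 'a'], ['\u03BF', 'o'], ['\u0391', 'A'], ['\u0392', 'B'], ['\u0395', 'E'],
]);

// Step 1: NFKC folds compatibility forms (fullwidth letters, U+3000 ideographic space,
// ligatures); then each known homoglyph is replaced by its Latin look-alike and reported,
// so downstream checks (mentions, secret patterns) see one canonical spelling.
function normalizeText(input) {
  const hits = [];
  let out = '';
  for (const ch of input.normalize('NFKC')) {
    const latin = HOMOGLYPHS.get(ch);
    if (latin !== undefined) hits.push({ from: ch, to: latin });
    out += latin ?? ch;
  }
  return { text: out, homoglyphs: hits };
}

// Step 2: strip <!-- ... --> comments so a comment cannot split a token the next step looks for.
function removeXmlComments(text) {
  return text.replace(/<!--[\s\S]*?-->/g, '');
}

// Step 3: wrap @handles in backticks so they render as code and notify nobody.
// A preceding word character (as in an e-mail address) means it is not a mention.
function neutralizeMentions(text) {
  return text.replace(/(^|[^\w`])@([A-Za-z0-9][A-Za-z0-9-]*)/g, '$1`@$2`');
}

// Fixed order: comments are removed before mentions are neutralized.
function sanitize(input) {
  const { text, homoglyphs } = normalizeText(input);
  return { text: neutralizeMentions(removeXmlComments(text)), homoglyphs };
}

// Pre-fix order, kept only to show why the order matters: a comment inside a handle hides it
// from the mention filter, and removing the comment afterwards reassembles a live mention.
function sanitizeOldOrder(input) {
  const { text } = normalizeText(input);
  return removeXmlComments(neutralizeMentions(text));
}
```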

πŸ› Bug Fixes & Improvements

  • gh aw list false positive "Compiled: No" — The compiler now uses a frontmatter content hash instead of file mtime to detect compiled status, fixing incorrect results after git checkout. (#25364)

  • safe-outputs type imports — Types declared in imported safe-outputs schemas are no longer silently dropped when the main workflow also defines safe-outputs. (#25402)

  • gh aw add-wizard HTTPS auth fix — The wizard no longer fails authentication when the git remote uses an HTTPS URL with an embedded username. (#25375)

  • Playwright MCP logs directory — chmod 777 applied to the playwright mcp-logs directory so non-root Docker containers can write logs correctly. (#25417)

  • Stale actions-lock.json entries pruned — Compilation now removes stale gh-aw-actions entries from actions-lock.json, preventing stale pin accumulation across releases. (#25361)

  • CLI proxy RUNNER_TEMP quoting — ${RUNNER_TEMP} in generated shell commands is now properly quoted, and template expressions in run: blocks are handled correctly. (#25330)

📚 Documentation

  • Developer docs consolidated (v5.6): broken README links fixed and tone updated. (#25446)
  • Slash command guidance added for the SideRepoOps pattern.
  • dispatch-ops.md condensed by 24% for easier reading. (#25423)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@bryanknox

@chrisfregly

@deyaaeldeen

@JanKrivanek

@pholleran

@yskopets


For complete details, see CHANGELOG.



What's Changed

  • Fix MCP integration tests broken by SDK v1.5.0 schema validation behavior change by @Copilot in #25310
  • chore: verify and recompile agentic workflows after hono/node-server bump by @dependabot[bot] in #25212
  • Add --runner-guard to compile; wire into static-analysis-report workflow by @Copilot in #25281
  • fix: filter AWF infrastructure lines from engine failure context by @Copilot in #25314
  • Fix Changeset Generator missing github network preset in allowed-domains config by @Copilot in #25333
  • Add copilot driver with retry logic for partial session failures by @Copilot in #25329
  • [slides] Add Staged Mode slide to presentation by @github-actions[bot] in #25343
  • feat: add design-decision-gate agentic workflow for ADR enforcement by @Copilot in #25323
  • feat: add architecture-guardian agentic workflow by @Copilot in #25334
  • fix: use absolute node path in awf wrapper to survive sudo PATH stripping by @Copilot in #25341
  • feat: add approach-validator agentic workflow by @Copilot in #25354
  • fix: quote ${RUNNER_TEMP} in generated shell commands and replace template expressions in run: blocks by @Copilot in #25330
  • Add refactoring-cadence agentic workflow by @Copilot in #25352
  • Prune stale gh-aw-actions entries from actions-lock.json after compilation by @Copilot in #25361
  • feat: add test-quality-sentinel agentic workflow by @Copilot in #25353
  • fix: selectively git add known files in maintenance update command by @Copilot in #25370
  • fix: use frontmatter hash instead of mtime to determine compiled status in gh aw list by @Copilot in #25364
  • feat: migrate 50% of agentic workflows from upload-asset to upload-artifact by @Copilot in #25342
  • Fix add-wizard auth failure when git remote uses HTTPS URL with embedded username by @Copilot in #25375
  • build(deps-dev): bump basic-ftp from 5.2.0 to 5.2.1 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #25380
  • Rename "Upload Safe Output Items" → "Upload Safe Outputs Items" for terminology consistency by @Copilot in #25378
  • fix(spec+compiler): update MCP gateway OTLP headers to string-only (v1.13.0) by @Copilot in #25135
  • feat: increase logging in copilot driver for silent startup failures by @Copilot in #25390
  • [log] Add debug logging to 5 CLI files for improved troubleshooting by @github-actions[bot] in #25393
  • docs: add slash command guidance for SideRepoOps pattern by @Copilot in #25401
  • CLI proxy: start difc-proxy on host, pass --difc-proxy-host to AWF by @Copilot in #25366
  • chore: set AWFCliProxyMinVersion to v0.25.17 by @lpcox in #25411
  • Normalize report headers from h2 to h3 in 3 workflow templates by @Copilot in #25414
  • fix: safe-outputs types from imports dropped when main workflow defines any safe-outputs by @Copilot in #25402
  • Remove CodeMirror dependency from live editor playground by @Copilot in #25387
  • fix: chmod 777 playwright mcp-logs dir to allow non-root Docker writes by @Copilot in #25417
  • Fix failing tests: update expected string to match quoted path in generated YAML by @Copilot in #25421
  • [docs] unbloat: condense dispatch-ops.md (24% line reduction) by @github-actions[bot] in #25423
  • fix: always emit CLI_PROXY_POLICY env var for CLI proxy by @Copilot in #25419
  • docs: update slide links and PDF files by @mnkiefer in #25437
  • [docs] Update glossary - daily scan by @github-actions[bot] in #25442
  • [docs] Consolidate developer docs v5.6: fix README broken links and tone by @github-actions[bot] in #25446
  • refactor: relocate misplaced utility functions to semantically correct files by @Copilot in #25460
  • fix: reorder removeXmlComments before mention neutralization to prevent HTML comment bypass by @Copilot in #25462
  • Create shared/security-analysis-base.md for daily security scan workflows by @Copilot in #25459
  • [code-simplifier] refactor: extract resolveProxyContainerImage helper in compiler_difc_proxy (#25419) by @github-actions[bot] in #25435
  • [jsweep] Clean add_labels.cjs by @github-actions[bot] in #25428
  • fix: discussion label updates truncated to 3 instead of max labels by @Copilot in #25430
  • SafeOutputs: add NFKC + Cyrillic/Greek homoglyph normalization; harden threat_detection Secret Leak check by @Copilot in #25458
  • fix: remove observability/OTLP import from smoke-claude and smoke-copilot workflows by @Copilot in #25481
  • fix: correct test expectation for U+3000 ideographic space under NFKC normalization by @Copilot in #25490
  • feat: bump firewall to v0.25.18 and MCPG to v0.2.17 by @lpcox in #25505
  • feat(safe-outputs): add allowed-events filter to submit-pull-request-review by @Copilot in #25484
  • Fix silent startup crash in Copilot engine by pinning CLI to v1.0.20 by @Copilot in #25499

Full Changelog: v0.67.3...v0.67.4