v0.68.6
Pre-release
Release Highlights
This release brings a major new AI engine, significant security hardening, and a wave of reliability fixes, many of them driven directly by community-reported issues.
✨ What's New
- OpenCode engine support: A new `engine: opencode` option integrates OpenCode as a first-class AI coding agent in your agentic workflows, joining Copilot, Claude, and Codex.
- `engine.bare` mode: Set `engine.bare: true` on any workflow to skip loading `AGENTS.md` context. Ideal for non-code workflows (triage, reporting, ops) where the repository code context is irrelevant and you want a clean, fast agent start.
- Pre-agent steps: A new `pre-agent-steps` frontmatter field lets you run custom GitHub Actions steps before the AI agent starts. Use this for authentication, environment setup, or any prerequisite work.
- Idle custom agent wiring: Idle custom agents are now automatically matched and connected to their corresponding workflows, reducing manual configuration for long-running agent sessions.
- Detection caution alerts in all footers: When threat detection identifies issues in a workflow run, a mandatory caution alert is now included in every generated footer (issues, PR descriptions, comments, and more), ensuring reviewers are always informed.
- Cache-memory working-tree sanitization: Before an agent run begins, the working tree is now sanitized to remove planted executables and disallowed files from cached memory. This prevents a class of supply-chain-style attacks via stale cache.
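
An added example, not the project's own code, of the kind of pre-run check the cache-memory sanitization item describes: it deletes symlinks, special files, executables and non-allowlisted file types from a restored cache directory. The allowlist, the function names and the sample tree are assumptions.

```javascript
// Added illustration; not the project's source. Allowlist and paths are assumptions.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const ALLOWED_EXT = new Set(['.md', '.json', '.txt']); // assumed policy

// Why a restored cache entry must not reach the agent, or null if it may stay.
function rejectReason(name, st) {
  if (st.isSymbolicLink()) return 'symlink';         // could point outside the tree
  if (!st.isFile()) return 'special-file';           // FIFO, socket, device
  if (st.mode & 0o111) return 'executable';          // any execute bit set
  if (!ALLOWED_EXT.has(path.extname(name).toLowerCase())) return 'disallowed-type';
  return null;
}

// Walk the restored cache directory and delete every rejected entry.
function sanitizeCacheDir(root) {
  const removed = [];
  const walk = (dir) => {
    for (const name of fs.readdirSync(dir)) {
      const full = path.join(dir, name);
      const st = fs.lstatSync(full);                 // lstat: never follow links
      if (st.isDirectory()) { walk(full); continue; }
      const reason = rejectReason(name, st);
      if (!reason) continue;
      fs.rmSync(full, { force: true });
      removed.push({ file: path.relative(root, full), reason });
    }
  };
  walk(root);
  return removed.sort((a, b) => a.file.localeCompare(b.file));
}

// Constructed sample tree standing in for a cache restored from an earlier run.
function buildSampleCache() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'cache-memory-'));
  fs.mkdirSync(path.join(root, 'notes'));
  fs.writeFileSync(path.join(root, 'notes', 'history.md'), '# prior run\n');
  fs.writeFileSync(path.join(root, 'state.json'), '{}');
  fs.writeFileSync(path.join(root, 'helper.md'), '#!/bin/sh\n');
  fs.chmodSync(path.join(root, 'helper.md'), 0o755); // exec bit on a "document"
  fs.writeFileSync(path.join(root, 'notes', 'tool.bin'), 'x');
  fs.symlinkSync('/nonexistent-target', path.join(root, 'link.txt'));
  return root;
}
```

Checking the mode bits and link type with `lstat`, rather than trusting the file extension, is what catches the executable that is named like a note.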
Bug Fixes & Improvements
- MCP gateway Docker socket access: Fixed two related bugs: the Docker socket GID is now pre-computed (not evaluated inside a non-shell `spawn()` call), and the `--group-add` flag is correctly passed to the MCP gateway container, ensuring Docker-in-Docker tools work reliably inside the sandbox.
- BYOK Copilot model fallback: Fixed an issue where `COPILOT_MODEL` could be set to an empty string in compiled workflows when using Bring Your Own Key (BYOK) Copilot configurations, causing unexpected model selection.
- Gemini proxy handler: Fixed `GEMINI_API_BASE_URL` routing issues: the AWF proxy now correctly handles Gemini API requests, resolving `API proxy enabled but no API keys found` errors for both `gemini-cli` and the Gemini engine.
- Duplicate action SHA conflict: Fixed a compilation error where two different actions could resolve to the same commit SHA after a `gh aw update`, causing "two different actions share the exact same commit SHA" failures.
- PR head branch handling: Gracefully handles deleted PR head branches in `push_to_pull_request_branch` (checked both before fetch and after push failure).
- Scheduled Copilot run hardening: Scheduled Copilot runs are now resilient to transient exit-code-2 startup failures.
- PR reaction activation permissions: Fixed incorrect permission derivation for workflows triggered by pull request reactions.
- MCP gateway health check retry: The port 80 health check now retries on transient container startup delays instead of failing immediately.
- AWF firewall updated to v0.25.22 and MCP gateway updated to v0.2.22.
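
An added example, not the project's own code, of the Docker socket GID bug class described in the first item above: a `spawn()` call without a shell performs no `$(...)` substitution, so the GID has to be resolved in the parent and passed as plain digits to `--group-add`. The helper names, the image name, the form of the unexpanded expression and the stand-in socket file are assumptions.

```javascript
// Added illustration; not the project's source. Helper names, the image name
// and the exact form of the unexpanded expression are assumptions.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { spawnSync } = require('node:child_process');

// Before: spawn() without a shell performs no command substitution, so the
// container runtime would receive this text verbatim as the group name.
function brokenGroupArgs(socketPath) {
  return ['--group-add', `$(stat -c '%g' ${socketPath})`];
}

// After: resolve the numeric GID in the parent process, then pass plain digits.
function fixedGroupArgs(socketPath) {
  const gid = fs.statSync(socketPath).gid;
  if (!Number.isInteger(gid) || gid < 0) throw new Error(`bad gid for ${socketPath}`);
  return ['--group-add', String(gid)];
}

// Full argument vector for the gateway container (hypothetical image name).
function gatewayRunArgs(socketPath, image = 'example/mcp-gateway:placeholder') {
  return ['run', '--rm', '-v', `${socketPath}:/var/run/docker.sock`,
          ...fixedGroupArgs(socketPath), image];
}

// Stand-in for `docker`: a child started without a shell that reports its argv.
function argvSeenByChild(args) {
  const script = 'console.log(JSON.stringify(process.argv.slice(1)))';
  const r = spawnSync(process.execPath, ['-e', script, '--', ...args],
                      { encoding: 'utf8', shell: false });
  if (r.status !== 0) throw new Error(r.stderr);
  return JSON.parse(r.stdout);
}

// Constructed stand-in for /var/run/docker.sock so the example runs anywhere.
function makeStandInSocket() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'sock-'));
  const file = path.join(dir, 'docker.sock');
  fs.writeFileSync(file, '');
  return file;
}
```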
Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release!
@arthurfvives
- Gemini engine fails with AWF proxy: GEMINI_API_BASE_URL points to proxy but proxy has no Gemini handler (direct issue)
@bmerkle
@bryanchen-d
- MCP Gateway: port 80 health check fails with no retry on transient container startup delay (direct issue)
@dkurepa
@doughgle
@jaroslawgajewski
- bug: Copilot CLI 1.0.21 added a startup model validation step: when `COPILOT_MODEL` is set (direct issue)
@yskopets
For complete details, see CHANGELOG.
Note
Integrity filter blocked 2 items
The following items were blocked because they don't meet the GitHub integrity level.
- ae832fb `list_commits`: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
- cc2e417 `list_commits`: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```
Generated by Release · 1.5M
What's Changed
- Improve docs mobile table readability and homepage video accessibility metadata by @Copilot in #26660
- Add support for pre-agent-steps before agent execution by @Copilot in #26666
- Fix redact_secrets gateway-token tests after MCP config path refactor by @Copilot in #26681
- Add mandatory caution alert to all generated footers when detection finds issues by @Copilot in #26684
- Stabilize daily Copilot merged-PR report by switching to bounded pre-fetched filtering by @Copilot in #26680
- Align JavaScript MCP scripts log renderer with Copilot output style by @Copilot in #26692
- Add 6-hour [aw] failure investigation workflow by @Copilot in #26694
- Fix lint-go failure from testifylint violations in spec tests by @Copilot in #26686
- Fix `CaptureStderr` restoration timing in testutil to resolve CI unit test failure by @Copilot in #26687
- Fix audit tool type undercount for Copilot MCP-only runs by @Copilot in #26689
- Scope activation reactions like status-comment targets and compute activation permissions from both target sets by @Copilot in #26693
- docs: clarify MCP gateway API key is leaked by design by @Copilot in #26695
- Add `features.awf-diagnostic-logs` to enable AWF failure diagnostics artifact collection by @Copilot in #26699
- Allow configuring conclusion failure issue expiration via aw.json by @Copilot in #26688
- Reduce Workflow Skill Extractor token overhead by removing unused tools and pre-indexing workflows by @Copilot in #26682
- Harden MCP Gateway startup health check against transient port-binding delays by @Copilot in #26697
- Fix JS workflow typecheck failure in MCP scripts log parser by @Copilot in #26703
- Always enable Copilot integration ID and remove feature flag gating by @Copilot in #26698
- Increase mcp-cli usage to 80% of agentic workflows by @Copilot in #26715
- Fix DIFC proxy shell integration test to use step-scoped proxy environment by @Copilot in #26704
- Handle deleted PR head branches in `push_to_pull_request_branch` before fetch and after push failures by @Copilot in #26705
- Fix activation permissions for pull request reactions by @Copilot in #26720
- Harden scheduled Copilot runs against transient exit-code-2 startup failures by @Copilot in #26713
- [log] Add debug logging to 5 Go files by @github-actions[bot] in #26738
- [ubuntu-image] docs: update Ubuntu runner image analysis for 2026-04-16 by @github-actions[bot] in #26741
- Use `sort.Strings` in `GetAllScriptFilenames` and add focused ordering tests by @Copilot in #26731
- Use declaration-site blank identifiers in workflow validation paths by @Copilot in #26730
- Enable strict mode and sanitized PR title in `refiner` input-triggered workflow by @Copilot in #26744
- Fix setup-span staging attribution when aw_info is unavailable by @Copilot in #26742
- Enable `engine.bare` for non-code workflows to skip AGENTS.md context loading by @Copilot in #26746
- Wire idle custom agents to matching workflows by @Copilot in #26745
- Update smoke Codex workflow to support workflow_dispatch with existing triggers by @Copilot in #26756
- chore: bump default AWF version to v0.25.22 by @Copilot in #26752
- Add Docker socket supplementary group to MCP gateway container command by @Copilot in #26750
- chore: bump default MCP gateway image to v0.2.22 and regenerate compiled artifacts by @Copilot in #26751
- Close package spec audit gaps across workflow/actionpins/stats and normalize README consistency by @Copilot in #26759
- fix: compute Docker socket GID separately for shell expansion by @lpcox in #26771
- Fix copilot_driver JSDoc callback typing to unblock JS CI typecheck by @Copilot in #26786
- feat: add OpenCode engine integration (re-apply PR #18403) by @Copilot in #25830
Full Changelog: v0.68.5...v0.68.6