From 813d04f596b6eb369265fdc80ced22f1c058d199 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 26 Jun 2026 09:54:53 +0000 Subject: [PATCH 1/3] [instructions] Sync instruction files with release 0.81.4 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/aw/cli-commands.md | 4 ++++ .github/aw/safe-outputs-automation.md | 2 +- .github/aw/syntax-agentic.md | 13 ++----------- 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/.github/aw/cli-commands.md b/.github/aw/cli-commands.md index 8d20cf06c00..840933e1332 100644 --- a/.github/aw/cli-commands.md +++ b/.github/aw/cli-commands.md @@ -161,6 +161,10 @@ Upgrade the repository's agentic workflows configuration to the latest gh-aw ver gh aw upgrade # Upgrade agent files + codemods + compile gh aw upgrade -v # Verbose output gh aw upgrade --no-fix # Skip codemods and compilation +gh aw upgrade --create-pull-request # Open a PR with the upgrade changes (alias: --pr) +gh aw upgrade --org my-org # Preview upgrade PRs across an organization +gh aw upgrade --org my-org --repos '*-service' # Limit org mode to matching repos +gh aw upgrade --org my-org --create-issue # Open issues in org repos with agentic workflows (requires --org) ``` **MCP equivalent**: `upgrade` tool diff --git a/.github/aw/safe-outputs-automation.md b/.github/aw/safe-outputs-automation.md index 0b1b9a9e6c7..c80b42e70b2 100644 --- a/.github/aw/safe-outputs-automation.md +++ b/.github/aw/safe-outputs-automation.md 
@@ -40,7 +40,7 @@ description: Safe-output reference for workflow dispatch, code scanning, checks, max: 10 # Optional: max assets (default: 10) ``` - Publishes files to an orphaned git branch for persistent storage and URL-addressable embedding. Default allowed extensions include common non-executable types. Maximum file size is 50MB (51200 KB). **Use this for images, charts, and screenshots that need embeddable URLs in issues/PRs/discussions.** + Publishes files to an orphaned git branch for persistent storage and URL-addressable embedding. Default allowed extensions include common non-executable types. Default max file size is 10MB (10240 KB), configurable via `max-size`. **Use this for images, charts, and screenshots that need embeddable URLs in issues/PRs/discussions.** - `upload-artifact:` - Upload files as run-scoped GitHub Actions artifacts (recommended for temporary run artifacts and attachment-style outputs) ```yaml diff --git a/.github/aw/syntax-agentic.md b/.github/aw/syntax-agentic.md index fd6f3ed3960..9c4e39f416f 100644 --- a/.github/aw/syntax-agentic.md +++ b/.github/aw/syntax-agentic.md 
@@ -24,7 +24,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor - Example: `bots: [dependabot[bot], renovate[bot], github-actions[bot]]` - Bot must be active (installed) on repository to trigger workflow - **`strict:`** - Enable enhanced validation for production workflows (boolean, defaults to `true`) - - Must be `true` + - Set `strict: false` to disable enhanced validation - **`max-turns:`** - AWF turn cap applied consistently across all agentic engines (integer or expression, e.g. `${{ inputs.max-turns }}`). The engine-level `engine.max-turns` is a deprecated alias kept for backward compatibility — prefer this top-level field. Not supported by the `gemini` engine. - **`max-runs:`** - Deprecated legacy alias for the AWF invocation cap (`apiProxy.maxRuns`, defaults to `500` when omitted). Use `max-turns` instead; run `gh aw fix` to migrate. - **`max-ai-credits:`** - Per-run AI Credits (AIC) budget enforced by the AWF firewall (integer or `K`/`M` short-form string like `100M`; default `1000`). Set a negative value to disable enforcement and token steering. See [token-optimization.md](token-optimization.md). 
@@ -321,18 +321,9 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor - "blocked-domain.com" - "*.untrusted.com" - python # Block ecosystem identifiers - firewall: true # Optional: Enable AWF (Agent Workflow Firewall) for Copilot engine ``` - - **Firewall configuration** (Copilot engine only): - - ```yaml - network: - firewall: - version: "v1.0.0" # Optional: AWF version (defaults to latest) - log-level: debug # Optional: debug, info (default), warn, error - args: ["--custom-arg", "value"] # Optional: additional AWF arguments - ``` + - **Firewall (AWF) configuration** is set under `sandbox.agent`, not `network`. Use `sandbox.agent.version` to pin the AWF version (see below). The legacy `network.firewall` field is deprecated; run `gh aw fix` to migrate. - **`sandbox:`** - Sandbox configuration for AI engines (string or object) - String format: `"default"` (default sandbox), `"awf"` (Agent Workflow Firewall) From c78fe7a975aeb714c58769573d066a15feb6df11 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 26 Jun 2026 11:40:25 +0000 Subject: [PATCH 2/3] [instructions] Strongly recommend strict true guidance Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/aw/syntax-agentic.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/aw/syntax-agentic.md b/.github/aw/syntax-agentic.md index 9c4e39f416f..e0299de36f5 100644 --- a/.github/aw/syntax-agentic.md +++ b/.github/aw/syntax-agentic.md 
@@ -23,8 +23,8 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor - **`bots:`** - Bot identifiers allowed to trigger workflow regardless of role permissions (array) - Example: `bots: [dependabot[bot], renovate[bot], github-actions[bot]]` - Bot must be active (installed) on repository to trigger workflow -- **`strict:`** - Enable enhanced validation for production workflows (boolean, defaults to `true`) - - Set `strict: false` to disable enhanced validation +- **`strict:`** - Enable enhanced validation for production workflows (boolean, defaults to `true`; strongly recommended) + - Prefer `strict: true`; set `strict: false` only when you intentionally need to disable enhanced validation - **`max-turns:`** - AWF turn cap applied consistently across all agentic engines (integer or expression, e.g. `${{ inputs.max-turns }}`). The engine-level `engine.max-turns` is a deprecated alias kept for backward compatibility — prefer this top-level field. Not supported by the `gemini` engine. - **`max-runs:`** - Deprecated legacy alias for the AWF invocation cap (`apiProxy.maxRuns`, defaults to `500` when omitted). Use `max-turns` instead; run `gh aw fix` to migrate. - **`max-ai-credits:`** - Per-run AI Credits (AIC) budget enforced by the AWF firewall (integer or `K`/`M` short-form string like `100M`; default `1000`). Set a negative value to disable enforcement and token steering. See [token-optimization.md](token-optimization.md). From 6d1937de5f19aca3bdfa80045c37b9f28627015e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 26 Jun 2026 11:54:18 +0000 Subject: [PATCH 3/3] [instructions] Warn that strict false is dangerous Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/aw/syntax-agentic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/aw/syntax-agentic.md b/.github/aw/syntax-agentic.md index e0299de36f5..368858a841a 100644 
--- a/.github/aw/syntax-agentic.md +++ b/.github/aw/syntax-agentic.md @@ -24,7 +24,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor - Example: `bots: [dependabot[bot], renovate[bot], github-actions[bot]]` - Bot must be active (installed) on repository to trigger workflow - **`strict:`** - Enable enhanced validation for production workflows (boolean, defaults to `true`; strongly recommended) - - Prefer `strict: true`; set `strict: false` only when you intentionally need to disable enhanced validation + - Prefer `strict: true`; `strict: false` is dangerous, should be extremely rare, and must be carefully security reviewed before use - **`max-turns:`** - AWF turn cap applied consistently across all agentic engines (integer or expression, e.g. `${{ inputs.max-turns }}`). The engine-level `engine.max-turns` is a deprecated alias kept for backward compatibility — prefer this top-level field. Not supported by the `gemini` engine. - **`max-runs:`** - Deprecated legacy alias for the AWF invocation cap (`apiProxy.maxRuns`, defaults to `500` when omitted). Use `max-turns` instead; run `gh aw fix` to migrate. - **`max-ai-credits:`** - Per-run AI Credits (AIC) budget enforced by the AWF firewall (integer or `K`/`M` short-form string like `100M`; default `1000`). Set a negative value to disable enforcement and token steering. See [token-optimization.md](token-optimization.md).
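Review bot: In PATCH 1/3, `.github/aw/cli-commands.md`, the comment on the added `gh aw upgrade --org my-org` line says "Preview upgrade PRs across an organization" but does not say whether bare `--org` is read-only or which flag turns the preview into real changes. For a command that can reach every repository in an organization, state that explicitly, for example that nothing is written unless `--create-pull-request` or `--create-issue` is also passed, if that is the behaviour. If `--repos` only applies in org mode, give it the same "(requires --org)" note that the `--create-issue` line carries.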
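Review bot: In PATCH 1/3, `.github/aw/safe-outputs-automation.md`, the replacement sentence turns a stated maximum (50MB) into a default (10MB) that is "configurable via `max-size`", but gives neither the unit `max-size` takes nor any upper bound. Because this output publishes files to a branch for URL-addressable embedding, say whether a ceiling still exists, and show `max-size` with its unit in the YAML example next to `max:` if it is not already listed there.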
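Review bot: In PATCH 1/3, `.github/aw/syntax-agentic.md` (hunk at -24,7), replacing "Must be `true`" with "Set `strict: false` to disable enhanced validation" changes the documented policy from mandatory to opt-out, yet the commit subject describes only a sync with release 0.81.4. Call the relaxation out in the commit message, and have the line say what enhanced validation checks so a reader knows what is lost when it is off.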
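Review bot: In PATCH 1/3, `.github/aw/syntax-agentic.md` (hunk at -321,18), the removed block documented `version`, `log-level` and `args` under `network.firewall`, while the added bullet maps only `version` to `sandbox.agent.version`. State where `log-level` and `args` now live, or that they were dropped. The bullet should also say whether a workflow that still sets the deprecated `network.firewall` keeps the firewall enabled until `gh aw fix` is run, since a silently ignored firewall setting fails open, and whether the "Copilot engine only" restriction from the removed text still applies.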
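Review bot: In PATCH 2/3, the added sub-bullet "Prefer `strict: true`; set `strict: false` only when you intentionally need to disable enhanced validation" is rewritten again by PATCH 3/3 on the same line. Squash 2/3 into 3/3 so the history carries one wording change for `strict:` rather than an intermediate one.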
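Review bot: In PATCH 3/3, the new sub-bullet calls `strict: false` "dangerous" and says it "must be carefully security reviewed before use" without naming what strict validation enforces or what review is expected. Give the reader something checkable: list or link the checks that `strict: false` turns off, and say how the exception should be recorded (for example a justification comment next to the field), otherwise the warning cannot be acted on.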