GitHub Agentic Workflows Files

🌟 Release Highlights

This release focuses on reliability and correctness — fixing several subtle but impactful bugs in sandbox execution, bot identity matching, workflow compilation, and safe-output handling, alongside expanded documentation.

🐛 Bug Fixes & Improvements

• Bot identity canonicalization — on.bots allow-lists now correctly match GitHub App actors regardless of whether they appear as my-app or my-app[bot]. Previously, the exact-string mismatch silently blocked activations. (#20059)

• AWF sandbox git identity — The first git commit inside an AWF sandbox no longer fails with "Author identity unknown." Host Git identity environment variables are now injected into sandbox execution steps, preserving the caller's author/committer info. (#20056)

• dispatch-workflow compile-order independence — Workflows that dispatch other workflows in the same compile batch no longer require a specific compilation order. Targets that exist as .md files (without a pre-existing .lock.yml) are now accepted. (#20057)

• safe-outputs: failures now fail the workflow — When a safe-output handler returns {success: false}, the step now calls core.setFailed() and exits non-zero. Previously, failures were only emitted as warnings and the workflow continued as successful. (#20055)

• Gateway log truncation fix — Log lines exceeding 64 KB in gateway.jsonl (common with large AI tool call payloads) were silently truncated. Missing scanner.Buffer() calls have been added to prevent this. (#20074)

• Firewall analysis blocked domain display — The firewall log viewer now correctly shows the destination IP:port for iptables-dropped traffic instead of displaying "-". (#20016)

📚 Documentation

• Docker-based MCP server configuration — The MCP server reference now covers running gh-aw as an MCP server via Docker, for environments where the gh CLI is not installed locally. (#20053)

• Workflow status message style guide — A new .github/aw/messages.md establishes consistent conventions for tone and emoji usage in safe-outputs status messages across all workflows. (#20052)

• Updated feature documentation and permissions reference cleanup. (#20020, [#20003])

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @samuelkahessay for safe-outputs: handler failures never escalated to core.setFailed() (#20035)
• @strawgate for Agent sandbox git identity missing: first commit fails, then agent self-configures (#20033)
• @samuelkahessay for dispatch-workflow validation is compile-order dependent (#20031)
• @samuelkahessay for on.bots matching is exact-string only and fails for (slug) vs (slug)[bot] (#20030)

For complete details, see CHANGELOG.

Generated by Release

What's Changed

• [docs] docs: reduce bloat in permissions.md by @github-actions[bot] in https://github.com/github/gh-aw/pull/20003
• [docs] Update documentation for features from 2026-03-08 by @github-actions[bot] in https://github.com/github/gh-aw/pull/20020
• Fix firewall analysis showing "-" instead of actual blocked domains for iptables-dropped traffic by @Copilot in https://github.com/github/gh-aw/pull/20016
• fix: canonicalize bot identifiers so <slug> and <slug>[bot] match in on.bots by @Copilot in https://github.com/github/gh-aw/pull/20059
• docs: add Docker-based MCP server configuration by @Copilot in https://github.com/github/gh-aw/pull/20053
• safe-outputs: escalate handler failures to core.setFailed() by @Copilot in https://github.com/github/gh-aw/pull/20055
• Fix dispatch-workflow validation: accept .md-only targets in same compile batch by @Copilot in https://github.com/github/gh-aw/pull/20057
• Add workflow status message style guide by @Copilot in https://github.com/github/gh-aw/pull/20052
• Fix: Inject git identity env vars into AWF sandbox execution steps by @Copilot in https://github.com/github/gh-aw/pull/20056

Full Changelog: https://github.com/github/gh-aw/compare/v0.56.0...v0.56.1