2 changes: 1 addition & 1 deletion .claude/skills/gh-aw-guide/SKILL.md
Expand Up @@ -276,7 +276,7 @@ tools:
| `all` | `approved` | **Two-layer defense.** Any actor triggers, but agent only sees trusted content |
| `all` | `none` | **Widest exposure.** Must pair with minimal `safe-outputs` — only remaining constraint |

> ⚠️ **Compiler bug (v0.62.2)**: Hardcoded `min-integrity` in source emits an incomplete guard policy (missing `repos` field) that crashes the MCP Gateway. Rely on the automatic `determine-automatic-lockdown` step instead, which applies `approved` for public repos by default. This may be fixed in newer compiler versions — test before hardcoding.
> ⚠️ **Compiler bug**: Hardcoded `min-integrity` in source emits an incomplete guard policy (missing `repos` field) that crashes the MCP Gateway (first observed in v0.62.2; unconfirmed whether fixed in later versions — test before hardcoding). Rely on the automatic `determine-automatic-lockdown` step instead, which applies `approved` for public repos by default.

**4. CI triggering + protected file safety** for agent-created PRs — `GITHUB_TOKEN` pushes don't trigger CI; a PAT/App token is required. `protected-files` controls what happens when the agent modifies package manifests or `.github/`:

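Review bot: The rewritten warning still leaves the reader without a concrete way to do the "test before hardcoding" it asks for, and the "unconfirmed whether fixed in later versions" wording now sits beside a sync manifest in this same change that records a review against v0.71.0. If that review exercised the `min-integrity` path, say whether the `repos` field is still missing at v0.71.0; if it did not, consider adding one sentence telling the reader what to inspect (the compiled guard policy, checking that a `repos` field is present) before they hardcode `min-integrity`. Tying the caveat to a tracked upstream issue, if one exists, would also let a later drift review retire it cleanly instead of leaving "unconfirmed" in place indefinitely.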
2 changes: 1 addition & 1 deletion .github/instructions/gh-aw-workflows.instructions.md
Expand Up @@ -19,7 +19,7 @@ When working on gh-aw workflow files, use the **`gh-aw-guide`** skill for the co
7. **Always use `github-token-for-extra-empty-commit:`** (PAT/App token) on `create-pull-request` — `GITHUB_TOKEN` pushes do not trigger CI
8. **Set `protected-files: fallback-to-issue`** on `create-pull-request` when the agent may touch package manifests or `.github/` — prevents PR creation from failing silently
9. **Use `Checkout-GhAwPr.ps1`** for `workflow_dispatch` workflows that check out a PR — it verifies write access and restores trusted `.github/` from base branch
10. **Do NOT set `min-integrity` explicitly** — compiler v0.62.2 emits an incomplete guard policy that crashes the MCP Gateway. Rely on the automatic `determine-automatic-lockdown` runtime step instead, which applies appropriate integrity levels based on event type and actor trust.
10. **Do NOT set `min-integrity` explicitly** — a known compiler bug emits an incomplete guard policy (missing `repos` field) that crashes the MCP Gateway. Rely on the automatic `determine-automatic-lockdown` runtime step instead, which applies appropriate integrity levels based on event type and actor trust. (Bug was present as of v0.62.2; verify it is resolved before hardcoding in your compiler version.)

## Quick Anti-Pattern Check (Critical Subset)

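Review bot: The same caveat is now phrased three different ways across the two files ("first observed in v0.62.2; unconfirmed whether fixed" in SKILL.md versus "Bug was present as of v0.62.2; verify it is resolved" here), and the description of what `determine-automatic-lockdown` does also diverges (SKILL.md says it "applies `approved` for public repos by default", this line says it "applies appropriate integrity levels based on event type and actor trust"). Since this file is a drift-tracked derivative of the skill, keep the wording identical to the source line, or reduce it to a pointer to the skill's warning, so a future version bump only has to be edited in one place. Consider also stating the version the caveat was last verified against rather than "your compiler version", since readers cannot otherwise tell whether "as of v0.62.2" is stale.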
1 change: 1 addition & 0 deletions .github/instructions/gh-aw-workflows.sync.yaml
@@ -1,6 +1,7 @@
# Drift tracking manifest for gh-aw-guide skill
# Used by the instruction-drift skill to detect when upstream sources change.
# See .claude/skills/instruction-drift/SKILL.md for details.
# last_reviewed: 2026-04-24 (v0.71.0)

target: ../skills/gh-aw-guide/SKILL.md
secondary_targets:
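Review bot: `# last_reviewed: 2026-04-24 (v0.71.0)` is a YAML comment, so the instruction-drift skill that the header says consumes this manifest cannot read it mechanically. If the review date and version are meant to feed drift detection, record them as real keys alongside `target:` and `secondary_targets:` rather than in a comment; if they are only for humans, a short note saying so avoids readers assuming the skill checks them. Either way, the v0.71.0 figure recorded here should be reconciled with the "unconfirmed whether fixed in later versions" wording added to the skill in the same change.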