From f4387752d69fe0a2f8073ffbe7ac96e460a04464 Mon Sep 17 00:00:00 2001 From: Documentation Agent Date: Sun, 1 Mar 2026 04:24:45 +0000 Subject: [PATCH 1/2] docs: document features from 2026-03-01 merged PRs - Add target/target-repo/allowed-repos to resolve-pull-request-review-thread - Document automatic workflow_call outputs for safe-output types - Mark tools.github guard policy (repos/min-integrity) as experimental Co-Authored-By: Claude Sonnet 4.6 --- .../content/docs/reference/github-tools.md | 4 ++ .../content/docs/reference/safe-outputs.md | 37 ++++++++++++++++++- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/docs/src/content/docs/reference/github-tools.md b/docs/src/content/docs/reference/github-tools.md index 2006a8b93f6..3d859bfb75c 100644 --- a/docs/src/content/docs/reference/github-tools.md +++ b/docs/src/content/docs/reference/github-tools.md @@ -57,6 +57,10 @@ tools: ## Guard Policies +:::caution[Experimental Feature] +Guard policy fields (`repos` and `min-integrity`) are experimental and may change in future releases. Using either field emits a compilation warning. +::: + Restrict which repositories and integrity levels the GitHub MCP server can access during agent execution. Guard policies apply fine-grained access control at the MCP gateway level. ```yaml wrap diff --git a/docs/src/content/docs/reference/safe-outputs.md b/docs/src/content/docs/reference/safe-outputs.md index 2736267a37c..ee4e8ccd27f 100644 --- a/docs/src/content/docs/reference/safe-outputs.md +++ b/docs/src/content/docs/reference/safe-outputs.md 
@@ -796,14 +796,20 @@ safe-outputs: Resolves review threads on pull requests. Allows AI agents to mark review conversations as resolved after addressing the feedback. Uses the GitHub GraphQL API with the `resolveReviewThread` mutation. -Resolution is scoped to the triggering PR only — the handler validates that each thread belongs to the triggering pull request before resolving it. +By default, resolution is scoped to the triggering PR. Use `target`, `target-repo`, and `allowed-repos` for cross-repository thread resolution. ```yaml wrap safe-outputs: resolve-pull-request-review-thread: - max: 10 # max threads to resolve (default: 10) + max: 10 # max threads to resolve (default: 10) + target: "triggering" # "triggering" (default), "*", or number + target-repo: "owner/repo" # cross-repository + allowed-repos: ["org/repo1", "org/repo2"] # additional allowed repositories + github-token: ${{ secrets.SOME_CUSTOM_TOKEN }} # optional custom token for permissions ``` +See [Cross-Repository Operations](/gh-aw/reference/cross-repository/) for documentation on `target-repo`, `allowed-repos`, and cross-repository authentication. + **Agent output format:** ```json 
@@ -1219,6 +1225,33 @@ See [Cross-Repository Operations](/gh-aw/reference/cross-repository/) technical ## Global Configuration Options +### Workflow Call Outputs (`workflow_call`) + +When a workflow uses `on: workflow_call` (or includes `workflow_call` in its triggers) and configures safe outputs, the compiler automatically injects `on.workflow_call.outputs` exposing the results of each configured safe output type. This makes gh-aw workflows composable building blocks in larger automation pipelines. + +The following named outputs are exposed for each configured safe output type: + +| Safe Output Type | Output Names | +|---|---| +| `create-issue` | `created_issue_number`, `created_issue_url` | +| `create-pull-request` | `created_pr_number`, `created_pr_url` | +| `add-comment` | `comment_id`, `comment_url` | +| `push-to-pull-request-branch` | `push_commit_sha`, `push_commit_url` | + +These outputs are automatically available to calling workflows without any additional frontmatter configuration. User-declared `outputs` in the frontmatter are preserved and take precedence over the auto-injected values. + +**Example — calling workflow using safe-output results:** + +```yaml wrap +jobs: + run-agent: + uses: ./.github/workflows/my-agent.lock.yml + follow-up: + needs: run-agent + steps: + - run: echo "Created issue ${{ needs.run-agent.outputs.created_issue_number }}" +``` + ### Group Reports (`group-reports:`) Controls whether failed workflow runs are grouped under a parent "[aw] Failed runs" issue. This is opt-in and defaults to `false`. From 7aebdd2413e171b026db60cf018dd2e696bd34cd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 1 Mar 2026 04:26:40 +0000 Subject: [PATCH 2/2] ci: trigger CI checks
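
Review bot: In docs/src/content/docs/reference/github-tools.md, the new caution under "Guard Policies" says `repos` and `min-integrity` are experimental and emit a compilation warning, but it does not say whether the policy is still enforced at the MCP gateway while the fields are experimental. The paragraph that follows presents these fields as access control, so add a sentence stating the enforcement behaviour explicitly, and consider quoting the warning text so readers can recognise it in compiler output.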
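
Review bot: In the `resolve-pull-request-review-thread` hunk of safe-outputs.md, the removed sentence was the only statement that the handler validates each thread belongs to the triggering pull request before resolving it, and the replacement does not say what validation applies once `target: "*"`, `target-repo` or `allowed-repos` is set. Keep the validation statement for the default case and describe the check applied in the cross-repository case. The example also sets `target: "triggering"` alongside `target-repo` and `allowed-repos` in one block and adds `github-token` without mentioning it in the prose; splitting it into a default example and a cross-repository example would make the intended combinations clear.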
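
Review bot: In the "Workflow Call Outputs" example in safe-outputs.md, the `follow-up` job has `needs` and `steps` but no `runs-on`, so the snippet is not a valid job as written; add a `runs-on` line. The `run` step also interpolates `${{ needs.run-agent.outputs.created_issue_number }}` directly into the shell command; passing the output through `env:` and referencing the variable in the script is the safer pattern to document, particularly for the `*_url` outputs. The prose says outputs are exposed for "each configured safe output type" while the table lists four types, so state whether the table is exhaustive.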