Skip to content

[blog] Weekly blog post – 2026-03-23 #22515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
github-actions wants to merge 1 commit into from
Closed

[blog] Weekly blog post – 2026-03-23 #22515

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions docs/src/content/docs/blog/2026-03-23-weekly-update-2.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
---
title: "Weekly Update – March 23, 2026"
description: "Four releases this week: security hardening, custom Actions as safe-output tools, a 20-second speed boost per run, and timezone-aware cron schedules."
authors:
- copilot
date: 2026-03-23
---

It's been a busy week in [github/gh-aw](https://github.com/github/gh-aw) — four releases shipped between March 19 and March 21, each stacking up security, performance, and extensibility wins. Here's the full rundown.

## Releases This Week

### [v0.62.5](https://github.com/github/gh-aw/releases/tag/v0.62.5) — March 21

The headline release this week leads with two important security fixes:

- **Supply chain protection** ([#22007](https://github.com/github/gh-aw/pull/22007), [#22065](https://github.com/github/gh-aw/pull/22065)): The Trivy vulnerability scanner action was removed after a supply chain compromise was discovered. Scanning continues via a safer alternative.
- **Public repo integrity hardening** ([#21969](https://github.com/github/gh-aw/pull/21969)): GitHub App authentication no longer exempts public repositories from the minimum-integrity guard policy. Previously, same-repo untrusted content could bypass integrity checks on public repos — that gap is now closed.

New features in v0.62.5:

- **Timezone support for scheduled workflows** ([#22018](https://github.com/github/gh-aw/pull/22018)): `on.schedule` cron entries now accept an optional `timezone` field. Say goodbye to mental UTC arithmetic — express your schedules in local time directly in your workflow frontmatter.
- **Boolean expression optimizer** ([#22025](https://github.com/github/gh-aw/pull/22025)): Condition node trees are now optimized at compile time, producing cleaner and more efficient `if:` expressions in compiled workflows.
- **Wildcard `target-repo` in safe-output handlers** ([#21877](https://github.com/github/gh-aw/pull/21877)): Safe-output handlers now accept `target-repo: "*"` to match any repository, making reusable handler definitions much more portable across organizations.
- **Bot comment activation fix** ([#22013](https://github.com/github/gh-aw/pull/22013)): `slash_command` workflows now correctly activate on bot comments that append metadata after a newline — a common pattern with GitHub Apps.

### [v0.62.4](https://github.com/github/gh-aw/releases/tag/v0.62.4) — March 20

A focused patch bringing:

- **`github-token` in `update-discussion` safe output**: Workflows can now pass a custom token when updating GitHub Discussions, consistent with the authentication model used by other safe-output handlers.
- **Smoke-Gemini scheduled runs stabilized**: Scheduled Gemini smoke runs were failing due to an unconditional `add_comment` step. The fix applies the step conditionally, restoring reliable scheduled validation.

### [v0.62.3](https://github.com/github/gh-aw/releases/tag/v0.62.3) — March 20

A feature-dense release focused on extensibility and speed:

- **Custom Actions as Safe Output Tools** ([#21752](https://github.com/github/gh-aw/pull/21752)): Expose any GitHub Action as an MCP tool via the new `safe-outputs.actions` block. The compiler resolves `action.yml` at compile time to derive the tool schema — no custom wiring needed.
- **`trustedBots` support in MCP Gateway** ([#21865](https://github.com/github/gh-aw/pull/21865)): Pass an allowlist of additional bot identities to the MCP Gateway via the new `trustedBots` field, enabling safe cross-bot collaboration.
- **~20 seconds faster per run** ([#21873](https://github.com/github/gh-aw/pull/21873)): Bumping `DefaultFirewallVersion` to v0.24.5 eliminates a 10-second container shutdown delay in both the main agent and threat detection containers.
- **Raised `update_issue` / `update_discussion` limits to 256** ([#21902](https://github.com/github/gh-aw/pull/21902)): The previous cap of 100 operations was blocking high-throughput workflows.

### [v0.62.2](https://github.com/github/gh-aw/releases/tag/v0.62.2) — March 19

The week opened with a reliability-focused patch:

- **`lockdown: true` replaced by `min-integrity: approved`**: The `lockdown` field under `tools.github` is superseded by the `min-integrity` guard policy. All 13 built-in agentic workflows were updated automatically.
- Critical safe-outputs failures and signal handling improvements on Linux/WSL also shipped in this release.

## Notable Pull Requests

Beyond the releases, a few noteworthy PRs merged today:

- **[#22492](https://github.com/github/gh-aw/pull/22492) — Shared PR code review base configuration**: Seven workflows were inlining identical PR review tooling. This PR extracts that pattern into a shared component at `.github/workflows/shared/pr-code-review-config.md`, reducing drift across the review agent fleet.
- **[#22490](https://github.com/github/gh-aw/pull/22490) — Fix `GH_AW_STOP_TIME` YAML type error**: Unquoted datetime strings were being parsed as `time.Time` objects rather than strings, causing 175 out of 177 workflows to fail schema validation. A one-character fix (`%s` → `%q`) unblocked the whole fleet.
- **[#22508](https://github.com/github/gh-aw/pull/22508) — Firewall bumped to v0.25.0**: The gh-aw-firewall component updated to its latest release.

## 🤖 Agent of the Week: changeset

The diligent bookkeeper that makes sure every PR leaves a paper trail.

The `changeset` workflow runs on every pull request and checks whether a `.changeset/*.md` file has been added to document the change. This week it processed three PRs in quick succession — and showed admirably good judgment. On one run ([#1905](https://github.com/github/gh-aw/actions/runs/23457649485)), it quietly detected that the changeset file was already present and correctly called `noop` with the message: _"No action needed: PR already contains .changeset/patch-bump-awf-v0-24-0.md, latest commit adds it, working tree is clean."_ On another run ([#1900](https://github.com/github/gh-aw/actions/runs/23450628105)), it generated and pushed a fresh changeset in 9.4 minutes flat.

The real comedy? One run was cancelled after 42 seconds because the PR was updated underneath it — `changeset` took it completely in stride and didn't even file a complaint.

💡 **Usage tip**: Pair `changeset` with your release workflow so version bumps and changelog entries are never an afterthought — they're automatically generated the moment a PR opens.

→ [View the workflow on GitHub](https://github.com/github/gh-aw/blob/main/.github/workflows/changeset.md)

## Try It Out

All four releases are available now — update with `gh extension upgrade aw` and see what's new. As always, feedback and contributions are welcome in [github/gh-aw](https://github.com/github/gh-aw).