v0.65.4

🌟 Release Highlights

This release focuses on workflow parameterization for workflow_call reuse, automatic service container access, and a strong set of community-driven bug fixes and features.

✨ What's New

• Expression parameterization for workflow_call — Multiple frontmatter fields now accept GitHub Actions expressions, enabling reusable workflows to customize behavior at call time:

  • timeout-minutes: $\{\{ inputs.timeout }}
  • engine.version: $\{\{ inputs.engine-version }}
  • tools.timeout, tools.startup-timeout, and tools.playwright.version

• Auto-generate --allow-host-service-ports from services: mappings — Workflows using GitHub Actions service containers (PostgreSQL, Redis, etc.) no longer need manual port configuration. The compiler now extracts declared port mappings and emits runtime $\{\{ job.services.<name>.ports['<port>'] }} expressions automatically, so agents can reach service containers out of the box.

• Step templating support — Workflows can now use templating patterns for steps, enabling more expressive and reusable workflow definitions.

• Restrict Copilot CLI built-in tools via frontmatter — Fine-grained control over which Copilot CLI built-in tools are available to agents in a workflow.

• Discussion post commenting and editing — Workflows can now comment on and edit posts within GitHub Discussions, expanding discussion interaction capabilities.

🐛 Bug Fixes & Improvements

• Cross-repo org ruleset timestamp check fixed — The "Check workflow file timestamps" step no longer fails with ERR_CONFIG when workflows run cross-repo via organization rulesets.
• <safe-output-tools> prompt expression inlining resolved — Compiled prompts no longer inline $\{\{ }} expressions verbatim, which was re-triggering the expression-size limit.
• create-code-scanning-alert safe-output fixed — The code scanning alert safe-output handler now works correctly for all supported alert configurations.
• Cross-repo import path resolution corrected — gh aw add no longer rewrites \{\\{\#import shared/X.md}} with an incorrect path; imports now resolve from .github/workflows/ as expected.
• Audit tool: Codex metrics and firewall root cause — gh aw audit now surfaces token/turn metrics and firewall-blocked domain root causes for failed Codex runs.

📚 Documentation

• New "Supported Languages & Ecosystems" reference page — A dedicated reference mapping popular languages (Python, Go, Java, Rust, TypeScript, etc.) to their ecosystem identifiers, package managers, and configuration examples. Learn more

⚡ Dependency Updates

• Playwright v1.59.0 — New Screencast API (page.screencast), Browser Interoperability (browser.bind()), Observability Dashboard, and CLI debugger for agents.
• MCP Gateway v0.2.11 — WASM guard startup time reduced (wazero compilation cache), accurate /health endpoint, embedded config schema.
• Playwright MCP v0.0.70 — Tracks Playwright v1.59.0.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@corygehr

• Request: Allow commenting, editing posts within a Discussion (direct issue)

@deyaaeldeen

• Feature: allow restricting Copilot CLI built-in tools via frontmatter (direct issue)

@ericstj

• Feature request: allow for templating of steps (direct issue)

@jaroslawgajewski

• "Check workflow file timestamps" step fails with ERR_CONFIG when workflow runs cross-repo via org rulesets (direct issue)

@johnpreed

• gh aw add rewrites {\{#import shared/X.md}} with incorrect cross-repo path (resolves from repo root instead of .github/workflows/) (direct issue)

@kbreit-insight

• create-code-scanning-alert safe-output doesn't seem to work as it should (direct issue)

@strawgate

• Compiled (safe-output-tools) prompt inlines ${{ }} expressions, re-triggering expression-size limit (direct issue)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [docs] docs: remove duplicate Claude plugins section and condense create-discussion FAQ by @github-actions[bot] in #23816
• fix: extract ${{ }} expressions from <safe-output-tools> max: values to avoid 21KB heredoc limit by @Copilot in #23812
• feat: auto-generate --allow-host-service-ports from services: port mappings by @Mossaka in #23760
• fix: use GITHUB_WORKFLOW_REF to resolve source repo for cross-repo lock file hash check by @Copilot in #23808
• [jsweep] Clean messages_run_status.cjs by @github-actions[bot] in #23824
• feat: bump MCP Gateway v0.2.11, Playwright Browser v1.59.0, Playwright MCP 0.0.70, Firewall v0.25.6 by @Copilot in #23821
• fix: body-level {{#import shared/X.md}} rewritten with wrong cross-repo path in gh aw add by @Copilot in #23817
• [ca] fix: update golden files for awf v0.25.6 and mcpg v0.2.11 by @github-actions[bot] in #23846
• [instructions] Sync github-agentic-workflows.md with v0.65.2 by @github-actions[bot] in #23856
• [docs] Update glossary - daily scan by @github-actions[bot] in #23853
• [docs] Developer Documentation Consolidation v4.9 by @github-actions[bot] in #23858
• [code-simplifier] refactor: simplify imports.go and add_command.go from PR #23817 by @github-actions[bot] in #23844
• fix: use token instead of github-token for upload-sarif action by @Copilot in #23837
• fix: thread discussion replies when add_comment triggered by discussion_comment event by @Copilot in #23836
• Docs: Add "Supported Languages & Ecosystems" reference page by @Copilot in #23833
• docs: add concrete steps/mcp-servers/jobs import examples to imports reference by @Copilot in #23835
• docs: update APM to use shared/apm.md imported workflow by @Copilot in #23877
• bump: gh-aw-firewall v0.25.6, gh-aw-mcpg v0.2.11 by @Copilot in #23879
• Remove noisy negative-result messages from compile output by @Copilot in #23878
• fix: update_cache_memory must not run if agent job failed by @Copilot in #23876
• Improve test quality: pkg/parser/frontmatter_utils_test.go by @Copilot in #23868
• [q] fix: improve patch size logging with warning level and diff stat breakdown (#23865) by @github-actions[bot] in #23871
• [dead-code] chore: remove dead functions — 4 functions removed by @github-actions[bot] in #23882
• feat: allow timeout-minutes to accept GitHub Actions expressions by @Copilot in #23863
• feat: parameterize engine.version to accept GitHub Actions expressions (injection-safe) by @Copilot in #23870
• [WIP] Fix daily mcp concurrency analysis by adding jq and git log to bash allowlist by @Copilot in #23886
• fix: integer/bool step env values silently dropped during workflow compilation by @Copilot in #23887
• fix: YAML syntax error in ci.yml caused by heredoc body at column 0 by @Copilot in #23895
• fix: align qmd step names with established naming conventions by @Copilot in #23891
• feat: parameterize tools.timeout and tools.startup-timeout to accept GitHub Actions expressions by @Copilot in #23888
• fix(audit): surface Codex firewall blocks from agent-stdio.log and populate action_minutes by @Copilot in #23889
• fix: use assert.Positive instead of assert.Greater with 0 in testifylint by @Copilot in #23910

Full Changelog: v0.65.3...v0.65.4