Skip to content

Bump github/gh-aw from 0.58.0 to 0.59.0#3786

Merged
roji merged 1 commit intomainfrom
dependabot/github_actions/github/gh-aw-0.59.0
Mar 17, 2026
Merged

Bump github/gh-aw from 0.58.0 to 0.59.0#3786
roji merged 1 commit intomainfrom
dependabot/github_actions/github/gh-aw-0.59.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 17, 2026

Bumps github/gh-aw from 0.58.0 to 0.59.0.

Release notes

Sourced from github/gh-aw's releases.

v0.59.0

🌟 Release Highlights

v0.59.0 is a substantial release focused on new trigger types, call-workflow reliability, performance fixes, and a streamlined safe-outputs domain configuration. It also ships two new CLI commands and meaningful add-wizard UX improvements.

⚠️ Breaking Changes

  • default-redaction renamed to default-safe-outputs — The built-in compound ecosystem identifier has been renamed. Update any frontmatter that references default-redaction in safe-outputs.allowed-domains.
  • safe-outputs.allowed-url-domains merged into allowed-domains — The separate allowed-url-domains field has been removed. Its capabilities (ecosystem identifiers, additive URL allowlisting) are now part of the unified allowed-domains field.

✨ What's New

  • Label Command Trigger — A new label_command trigger activates workflows when a specific label is added to an issue, PR, or discussion. The label is automatically removed on activation so it can be reapplied to re-trigger. (#21118)

  • gh aw domains command — Inspect the effective network domain configuration across all your workflows, or drill into a specific workflow with per-domain ecosystem annotations. (#21086)

  • Pre-activation step injection — New on.steps and on.permissions frontmatter fields let you inject custom steps and permissions into the activation job, enabling advanced trigger customization. (#21219)

  • Smarter add-wizard — The wizard now detects org-level secrets to skip redundant token prompts (#21262) and offers an "Edit PR title and retry" option when a merge fails (#21261).

  • Richer agent step log summaries — MCP tool calls now display their key arguments inline (e.g., ✓ github-list_issues repo=my-repo), giving you at-a-glance insight without digging into raw logs. (#21060)

  • Builtin MCP usage guide — The canonical agentic-workflows MCP usage guide is now automatically injected at compile time — no need to duplicate it across workflow prompts. (#21117)

  • Default reaction: eyes and status-comment — Slash-command and label-command triggers now enable reaction: eyes and status-comment: true by default, providing immediate visual acknowledgment when a workflow is triggered. (#21229)

⚡ Performance

  • Fixed a ~50% regression in FindIncludesInContent that slowed compilation for workflows with many imports. (#21265)
  • Fixed a YAML generation regression caused by repeated schema parsing; deprecated-field schema is now cached. (#21264)

🐛 Bug Fixes & Improvements

  • call-workflow reliability — Multiple fixes: call-workflow is now wired into the consolidated safe-outputs handler path (#21218), tool registration in the HTTP MCP server is corrected (#21124), workflow_call inputs are properly forwarded (#21085), and caller jobs now inherit the correct permissions (#21080).
  • PR reviewers respectedcreate-pull-request safe output now correctly applies reviewers configured in the workflow frontmatter. (#21217)
  • sandbox.mcp payload fieldspayloadSizeThreshold and other sandbox MCP fields were silently ignored during frontmatter extraction; this is now fixed. (#21167)
  • label_command + slash_command co-existence — Workflows that declare both triggers no longer suppress label_command activation. (#21222)
  • Bot allowlist fallbackcheck_membership.cjs no longer short-circuits the bot allowlist when a permissions API error occurs. (#21109)
  • Missing npm treated as warning — Workflows that don't require npm no longer fail compilation on machines where npm is absent. (#21165)
  • Long PAT header corruption — Checkout fetch steps now use base64 -w 0 to prevent line-wrapped headers with long PATs. (#21068)
  • Compiler error messages — Syntax errors now report more precise locations and clearer descriptions. (#21123)

📚 Documentation

  • Fixed the custom trigger filtering guide to use job-based graceful skip instead of exit 1. (#21215)
  • Updated ecosystem identifiers and safe-outputs.allowed-domains reference docs. (#21170)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

... (truncated)

Commits
  • 7d1a279 perf: fix ~50% regression in FindIncludesInContent (#21265)
  • d71ea6b feat: offer "Edit PR title and retry" when merge fails in add-wizard (#21261)
  • 0067149 perf: cache deprecated fields schema parse to fix YAMLGeneration regression (...
  • 5e60adb feat: detect org-level secrets in add-wizard to avoid redundant token prompt ...
  • 63b748d Add on.steps and on.permissions support for pre-activation job step injec...
  • 85a9c86 Enable reaction: eyes and status-comment: true by default for slash_command a...
  • e67e634 fix: label_command doesn't trigger when workflow also has slash_command (#21222)
  • f522815 deps: update github.com/modelcontextprotocol/go-sdk v1.4.0 → v1.4.1 (security...
  • b2f9fb5 fix: wire call_workflow into consolidated safe_outputs handler-manager path...
  • 341ee9f fix: apply configured reviewers when creating pull request via safe output (#...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump github/gh-aw from 0.58.0 to 0.59.0
9aec6f7 
Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.58.0 to 0.59.0.
- [Release notes](https://github.com/github/gh-aw/releases)
- [Commits](github/gh-aw@v0.58.0...v0.59.0)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.59.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Mar 17, 2026
@roji roji merged commit 9d41483 into main Mar 17, 2026
11 of 12 checks passed
@roji roji deleted the dependabot/github_actions/github/gh-aw-0.59.0 branch March 17, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roji roji roji approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@roji