v0.59.0

🌟 Release Highlights

v0.59.0 is a substantial release focused on new trigger types, call-workflow reliability, performance fixes, and a streamlined safe-outputs domain configuration. It also ships two new CLI commands and meaningful add-wizard UX improvements.

⚠️ Breaking Changes

• default-redaction renamed to default-safe-outputs — The built-in compound ecosystem identifier has been renamed. Update any frontmatter that references default-redaction in safe-outputs.allowed-domains.
• safe-outputs.allowed-url-domains merged into allowed-domains — The separate allowed-url-domains field has been removed. Its capabilities (ecosystem identifiers, additive URL allowlisting) are now part of the unified allowed-domains field.

✨ What's New

• Label Command Trigger — A new label_command trigger activates workflows when a specific label is added to an issue, PR, or discussion. The label is automatically removed on activation so it can be reapplied to re-trigger. (#21118)

• gh aw domains command — Inspect the effective network domain configuration across all your workflows, or drill into a specific workflow with per-domain ecosystem annotations. (#21086)

• Pre-activation step injection — New on.steps and on.permissions frontmatter fields let you inject custom steps and permissions into the activation job, enabling advanced trigger customization. (#21219)

• Smarter add-wizard — The wizard now detects org-level secrets to skip redundant token prompts (#21262) and offers an "Edit PR title and retry" option when a merge fails (#21261).

• Richer agent step log summaries — MCP tool calls now display their key arguments inline (e.g., ✓ github-list_issues repo=my-repo), giving you at-a-glance insight without digging into raw logs. (#21060)

• Builtin MCP usage guide — The canonical agentic-workflows MCP usage guide is now automatically injected at compile time — no need to duplicate it across workflow prompts. (#21117)

• Default reaction: eyes and status-comment — Slash-command and label-command triggers now enable reaction: eyes and status-comment: true by default, providing immediate visual acknowledgment when a workflow is triggered. (#21229)

⚡ Performance

• Fixed a ~50% regression in FindIncludesInContent that slowed compilation for workflows with many imports. (#21265)
• Fixed a YAML generation regression caused by repeated schema parsing; deprecated-field schema is now cached. (#21264)

🐛 Bug Fixes & Improvements

• call-workflow reliability — Multiple fixes: call-workflow is now wired into the consolidated safe-outputs handler path (#21218), tool registration in the HTTP MCP server is corrected (#21124), workflow_call inputs are properly forwarded (#21085), and caller jobs now inherit the correct permissions (#21080).
• PR reviewers respected — create-pull-request safe output now correctly applies reviewers configured in the workflow frontmatter. (#21217)
• sandbox.mcp payload fields — payloadSizeThreshold and other sandbox MCP fields were silently ignored during frontmatter extraction; this is now fixed. (#21167)
• label_command + slash_command co-existence — Workflows that declare both triggers no longer suppress label_command activation. (#21222)
• Bot allowlist fallback — check_membership.cjs no longer short-circuits the bot allowlist when a permissions API error occurs. (#21109)
• Missing npm treated as warning — Workflows that don't require npm no longer fail compilation on machines where npm is absent. (#21165)
• Long PAT header corruption — Checkout fetch steps now use base64 -w 0 to prevent line-wrapped headers with long PATs. (#21068)
• Compiler error messages — Syntax errors now report more precise locations and clearer descriptions. (#21123)

📚 Documentation

• Fixed the custom trigger filtering guide to use job-based graceful skip instead of exit 1. (#21215)
• Updated ecosystem identifiers and safe-outputs.allowed-domains reference docs. (#21170)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @alondahari for create-pull-request safe output does not add reviewers configured in workflow (#21207)
• @johnwilliams-12 for call-workflow is not wired into the consolidated safe_outputs handler-manager path (#21205)
• @johnwilliams-12 for HTTP safe-outputs server does not register generated call-workflow tools (#21074)
• @johnwilliams-12 for call-workflow generated caller jobs omit required permissions: (#21071)
• @johnwilliams-12 for call-workflow fan-out jobs do not forward declared workflow_call.inputs (#21062)
• @strawgate for sandbox.mcp.payloadSizeThreshold is ignored during frontmatter extraction (#21135)
• @strawgate for Feature: support explicit custom key for close-older matching (#21028)
• @microsasa for check_membership.cjs error branch short-circuits before bot allowlist fallback (#21098)
• @MattSkala for Allow conditional trigger filtering without failing workflow runs (#21203)
• @veverkap for Feature Request: Modify PR before creation (#21257)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Fix engine validation error location and improve error detection (#issue) by @Copilot in #21023
• [docs] Update documentation for features from 2026-03-15 by @github-actions[bot] in #21025
• feat: use action mode for release builds instead of release mode by @Copilot in #21024
• [docs] Update dictation skill glossary with 20 new terms by @github-actions[bot] in #21032
• fix: use qmd vsearch instead of qmd query to avoid LLM dependency in CI by @Copilot in #21046
• [code-simplifier] refactor: simplify fastParseTitle state machine and deduplicate formatCompilerError by @github-actions[bot] in #21050
• [docs] Update dictation skill instructions by @github-actions[bot] in #21059
• feat: enable status-comment on archie, cloclo, and q workflows by @Copilot in #21055
• [cloclo] fix: resolve temporary IDs in add_labels and remove_labels handlers by @github-actions[bot] in #21058
• Fix missing permissions in security-alert-burndown campaign workflow by @Copilot in #21066
• fix: use base64 -w 0 in checkout fetch step to prevent header corruption with long PATs by @Copilot in #21068
• fix(workflow-health-manager): increase repo-memory max-patch-size by @Copilot in #21070
• Show tool arguments and outputs in agent step log summaries by @Copilot in #21060
• cloclo: add protected-files fallback-to-issue by @Copilot in #21078
• Add history URL to agent failure issue/comment footers by @Copilot in #21075
• feat: support explicit custom key for close-older matching by @Copilot in #21076
• Add CI guard for validator file size limit (768 lines) by @Copilot in #21077
• fix: propagate worker job permissions to call-workflow caller jobs (#21061) by @Copilot in #21080
• Add gh aw domains command to list network domains configured in workflows by @Copilot in #21086
• Add safe-outputs.allowed-url-domains for additive URL domain allowlisting by @Copilot in #21083
• [code-simplifier] Code Simplification - 2026-03-15: domains command and safe-outputs token logic by @github-actions[bot] in #21104
• [dead-code] chore: remove dead functions — 3 functions removed by @github-actions[bot] in #21100
• fix: normalize report formatting — replace h2 headers with h3 in output templates by @Copilot in #21106
• Extract Python NLP setup into shared/python-nlp.md component by @Copilot in #21107
• Delete all chroma-related agentic workflows by @Copilot in #21110
• refactor: consolidate duplicate and misplaced functions identified in semantic clustering analysis by @Copilot in #21111
• Migrate pkg/parser/frontmatter_helpers_test.go to testify assertions by @Copilot in #21108
• fix: forward declared workflow_call inputs in call-workflow fan-out jobs by @Copilot in #21085
• fix: bot allowlist check short-circuits on permission API error in check_membership.cjs by @Copilot in #21109
• [log] Add debug logging to 5 under-logged packages by @github-actions[bot] in #21119
• Inject agentic-workflows MCP usage guide as a compiler-level builtin prompt by @Copilot in #21117
• Merge safe-outputs.allowed-domains and allowed-url-domains; rename default-redaction to default-safe-outputs by @Copilot in #21114
• fix(errors): improve compiler syntax error message quality by @Copilot in #21123
• Fix call_workflow tool registration in HTTP safe-outputs MCP server by @Copilot in #21124
• fix(workflows): normalize report formatting in output templates by @Copilot in #21128
• [docs] docs(mcp-scripts): remove redundant content (21% reduction) by @github-actions[bot] in #21140
• [instructions] Sync github-agentic-workflows.md with v0.40.1 by @github-actions[bot] in #21137
• Expand dev-tools and github domain sets; add dedicated local ecosystem; add github and local to default-safe-outputs by @Copilot in #21142
• feat: add label-command trigger (On Label Command) by @Copilot in #21118
• [jsweep] Clean add_reaction.cjs by @github-actions[bot] in #21160
• Fix sandbox.mcp payload fields ignored during frontmatter extraction by @Copilot in #21167
• [docs] Update documentation for ecosystem identifiers and safe-outputs.allowed-domains by @github-actions[bot] in #21170
• Rename collectAPIKey → configureEngineAPISecret and applyChanges → createWorkflowPRAndConfigureSecret by @Copilot in #21164
• fix(workflow): resolve Multi-Device Docs Tester max-turns exhaustion due to Playwright/localhost networking mismatch by @Copilot in #21166
• Add context.Context to fetchAndSaveRemoteDispatchWorkflows and getRepoDefaultBranch by @Copilot in #21169
• fix: treat missing npm as warning instead of compilation error by @Copilot in #21165
• refactor: extract shared flattenArtifactTree helper to remove duplicate flatten logic by @Copilot in #21172
• chore: bump gh-aw-firewall default version to v0.24.2 by @Copilot in #21173
• [docs] Update glossary - daily scan (ecosystem identifiers, label command trigger) by @github-actions[bot] in #21206
• [specs] Update layout specification - 2026-03-16 by @github-actions[bot] in #21187
• docs: fix custom trigger filtering — replace exit 1 with job-based graceful skip by @Copilot in #21215
• refactor(gateway_logs): replace manual ASCII table with console.RenderTable by @Copilot in #21216
• fix: apply configured reviewers when creating pull request via safe output by @Copilot in #21217
• fix: wire call_workflow into consolidated safe_outputs handler-manager path by @Copilot in #21218
• deps: update github.com/modelcontextprotocol/go-sdk v1.4.0 → v1.4.1 (security patch) by @Copilot in #21221
• fix: label_command doesn't trigger when workflow also has slash_command by @Copilot in #21222
• Enable reaction: eyes and status-comment: true by default for slash_command and label_command triggers by @Copilot in #21229
• Add on.steps and on.permissions support for pre-activation job step injection by @Copilot in #21219
• feat: detect org-level secrets in add-wizard to avoid redundant token prompt by @Copilot in #21262
• perf: cache deprecated fields schema parse to fix YAMLGeneration regression by @Copilot in #21264
• feat: offer "Edit PR title and retry" when merge fails in add-wizard by @Copilot in #21261
• perf: fix ~50% regression in FindIncludesInContent by @Copilot in #21265

Full Changelog: v0.58.3...v0.59.0