Bernstein — Multi-Agent Orchestration
Version updated for https://github.com/sipyourdrink-ltd/bernstein to version v2.13.0.
- This action is used across all versions by 5 repositories.
Action Type
This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed
v2.13.0
Released 2026-07-02.
Run-safety guardrails and per-role endpoint configuration.
Fixes (run safety)
- GitHub backlog auto-sync is now opt-in and off by default. Previously a run in a repository with open GitHub issues would pull every open issue into the backlog before task scoping, which could silently discard a seeded goal and spawn work against the entire issue list. Enable it explicitly with the
github.sync_backlogseed config key (or theBERNSTEIN_SYNC_GITHUB_BACKLOGenv override). (#2178) - A seeded goal is no longer silently dropped when the backlog is non-empty: the run now prints a loud warning naming the precedence and how to force the goal, instead of quietly planning from the backlog. (#2178)
- Agent worktree merges refuse to land on the repository default branch. The merge and push path resolves the protected default (origin/HEAD, then
init.defaultBranch, then the conventional names, treating bothmainandmasteras protected when the remote head is ambiguous) and refuses to merge or push agent work onto it, recording the refusal, so a run started from a default-branch checkout can no longer push unreviewed commits straight to the trunk. (#2178)
Features (per-role model configuration)
role_model_policyentries gain optionalbase_urlandapi_key_envnext tomodel/provider, so different roles can target different OpenAI-compatible endpoints in one workflow (for example a fast manager endpoint and cheaper worker endpoints).api_key_envnames an environment variable and is validated against the same fail-closed provider allowlist as the runner. YAML anchors give reuse across roles with no new file format. Absent fields keep today’s behavior. (#2159)ModeProfilegainstop_p,top_k, andmax_tokensbeside its existingtemperature, and the previously-deferredapply_mode_to_spawnwiring is completed so a mode profile’s sampling parameters actually reach the spawn and the runner manifest. (#2159)- Opt-in builtin tools for the openai_agents runner, for runs without an MCP gateway, selected by
tool_source: builtin(the gateway remains the default).read_file,write_file, andlist_dirare workdir-confined (absolute and parent-escape paths are rejected).run_commandis a restricted process-exec primitive: bare-name commands only, shell interpreters blocked, resolved against PATH, available only under a configured OS sandbox provider or an explicit opt-in; its filesystem confinement is the OS sandbox, not the builtin. Every builtin call is recorded to the run event log so a gateway-free run stays auditable. (#2159)
Quality
- Resolved refurb FURB123 findings in the OWASP control-map builders.