diff --git a/.github/aw/releases.json b/.github/aw/releases.json
index b9a4f1194fa..b7e6bdee713 100644
--- a/.github/aw/releases.json
+++ b/.github/aw/releases.json
@@ -2,5 +2,9 @@
   "$schema": "./releases.schema.json",
   "blockedVersions": [],
   "minimumVersion": "v0.64.4",
-  "minRecommendedVersion": "v0.64.4"
+  "minRecommendedVersion": "v0.64.4",
+  "aliases": {
+    "latest": "latest",
+    "stable": "v0.64.5"
+  }
 }
diff --git a/.github/aw/releases.schema.json b/.github/aw/releases.schema.json
index c1ebba7027d..0ea8b5e8ffb 100644
--- a/.github/aw/releases.schema.json
+++ b/.github/aw/releases.schema.json
@@ -31,6 +31,16 @@
       "description": "The minimum recommended compile-agentic version in vMAJOR.MINOR.PATCH format. Workflows compiled with a version below this will emit a warning (but not fail) at activation, nudging users to upgrade. Use an empty string to disable this check.",
       "pattern": "^(v[0-9]+\\.[0-9]+\\.[0-9]+)?$",
       "default": ""
+    },
+    "aliases": {
+      "type": "object",
+      "description": "A map of release alias names to version strings. The special value 'latest' resolves to the most recent release. Other values must be a version string in vMAJOR.MINOR.PATCH format.",
+      "additionalProperties": {
+        "type": "string",
+        "pattern": "^(latest|v[0-9]+\\.[0-9]+\\.[0-9]+)$",
+        "description": "A version string in vMAJOR.MINOR.PATCH format or the special value 'latest'"
+      },
+      "default": {}
     }
   }
 }
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4b74051e541..f6741e13b2c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -869,13 +869,30 @@ jobs:
             const errors = [];
 
             // Check additionalProperties (only allow known keys)
-            const allowedKeys = new Set(['$schema', 'blockedVersions', 'minimumVersion', 'minRecommendedVersion']);
+            const allowedKeys = new Set(['$schema', 'blockedVersions', 'minimumVersion', 'minRecommendedVersion', 'aliases']);
             for (const key of Object.keys(config)) {
               if (!allowedKeys.has(key)) {
                 errors.push(`Unknown property: '${key}'`);
               }
             }
 
+            // Validate aliases
+            if ('aliases' in config) {
+              const aliases = config.aliases;
+              if (typeof aliases !== 'object' || aliases === null || Array.isArray(aliases)) {
+                errors.push("'aliases' must be an object");
+              } else {
+                const aliasValuePattern = /^(latest|v[0-9]+\.[0-9]+\.[0-9]+)$/;
+                for (const [alias, value] of Object.entries(aliases)) {
+                  if (typeof value !== 'string') {
+                    errors.push(`'aliases.${alias}' must be a string`);
+                  } else if (!aliasValuePattern.test(value)) {
+                    errors.push(`'aliases.${alias}' ('${value}') must be 'latest' or a version in vMAJOR.MINOR.PATCH format (e.g. 'v1.2.3')`);
+                  }
+                }
+              }
+            }
+
             // Validate blockedVersions
             if ('blockedVersions' in config) {
               const bv = config.blockedVersions;
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index 52ced31e194..4b5396d980f 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -332,10 +332,10 @@ jobs:
       - name: Restore cache-memory file share data
         uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
-          key: memory-approved-0072b676-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
+          key: memory-approved-6f25a3c0-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
           path: /tmp/gh-aw/cache-memory
           restore-keys: |
-            memory-approved-0072b676-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-
+            memory-approved-6f25a3c0-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-
       - name: Setup cache-memory git repository
         env:
           GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory
@@ -390,6 +390,7 @@ jobs:
         id: parse-guard-vars
         env:
           GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS || '' }}
+          GH_AW_TRUSTED_USERS_VAR: ${{ vars.GH_AW_GITHUB_TRUSTED_USERS || '' }}
           GH_AW_APPROVAL_LABELS_EXTRA: cookie
           GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS || '' }}
         run: bash ${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh
@@ -625,7 +626,8 @@ jobs:
                     "approval-labels": ${{ steps.parse-guard-vars.outputs.approval_labels }},
                     "blocked-users": ${{ steps.parse-guard-vars.outputs.blocked_users }},
                     "min-integrity": "approved",
-                    "repos": "all"
+                    "repos": "all",
+                    "trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }}
                   }
                 }
               },
@@ -1476,6 +1478,6 @@ jobs:
         if: steps.check_cache_default.outputs.has_content == 'true'
         uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
-          key: memory-approved-0072b676-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
+          key: memory-approved-6f25a3c0-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
           path: /tmp/gh-aw/cache-memory