Bump github/gh-aw from 0.65.2 to 0.65.5 #522

Merged
karianna merged 1 commit into main from dependabot/github_actions/github/gh-aw-0.65.5
Apr 2, 2026

Conversation

@dependabot dependabot bot commented on behalf of github Apr 2, 2026

Bumps github/gh-aw from 0.65.2 to 0.65.5.

Release notes

Sourced from github/gh-aw's releases.

v0.65.5

🌟 Release Highlights

This release focuses on security hardening, observability improvements, and setup performance — with a meaningful reduction in firewall install time and new token usage visibility for AI cost tracking.

✨ What's New

  • Token Usage Visibility — The Agentic Workflow Firewall now logs per-model token consumption to token-usage.jsonl. gh aw audit and gh aw logs surface a full breakdown (input, output, cache read/write tokens, cache hit %, avg request duration) per model. A new step summary step appends a markdown table to your workflow run's summary page. (#23943)

  • 140× Faster Firewall Install — AWF v0.25.10 ships a single awf-bundle.js file (~357 KB). On GitHub-hosted runners with Node.js ≥ 20 (the default), setup now downloads 357 KB instead of ~50 MB — a 140× reduction. Self-hosted runners without Node.js ≥ 20 automatically fall back to the platform binary. (#23993)

  • Richer Threat Detection Context — The detection job now performs a conditional repository checkout when a patch is present, giving the threat detection engine full codebase context to review code changes. Previously, the engine saw diffs in isolation without surrounding source files. (#23961)

  • GitHub Actions Expression Support — timeout-minutes, engine.version, tools.timeout, and tools.startup-timeout now accept GitHub Actions expressions (e.g., ${{ inputs.timeout }}), enabling reusable workflow_call workflows where callers can customize these values without forking the workflow. (docs)

🐛 Bug Fixes & Improvements

  • Session Logs Now Collected — events.jsonl files written by Copilot CLI inside session subdirectories were silently missed by the log-copy step (flat glob only matched the top level). Fixed with a recursive find-based copy that preserves session IDs in filenames. (#23992)

  • Security: Git Hook Injection Prevented — Cache-memory git repos now have .git/hooks/ cleared and core.hooksPath set to /dev/null on every setup. Previously, a compromised run could plant executable hooks that fired on the host runner before the AWF sandbox was active. (#23929)

  • gh aw add-wizard No Longer Loses Work on Push Failure — If the branch push failed after downloading workflow files, the command previously rolled back everything and left users with nothing. Files and the local commit are now preserved, with actionable recovery instructions printed to the console. (#23926)

  • Label Pagination Fixed for Large Repos — create_discussion and update_discussion silently dropped any labels beyond the first 100 when resolving label names to IDs. The paginated fetch now loops until all labels are loaded. (#23915)

  • CLI Help Text Fixes — Dynamic column width in root command usage (fixing truncated hash-frontmatter), corrected logs --timeout flag description, and improved mcp add help text. (#23912)

📚 Documentation

  • Updated reference docs for expression support in frontmatter.md, engines.md, and tools.md — including new "Tool Timeout Configuration" section.
  • Condensed verbose troubleshooting sections in common-issues.md (−49 lines, −8%).

🌍 Community Contributions

@ajfeldman6

@yskopets


For complete details, see CHANGELOG.

... (truncated)

Commits
  • 3c32425 docs: condense verbose sections in common-issues.md (#24010)
  • 3b1d00e fix: events.jsonl not collected — copy step uses flat glob, misses session su...
  • a33929a feat: bump AWF to v0.25.10 and use lightweight esbuild bundle (#23993)
  • 251ec57 feat: bump firewall to v0.25.8 and surface token-usage.jsonl (#23943)
  • b721ac4 fix(security): clear .git/hooks/ and disable hooksPath in cache-memory git se...
  • 0bff55d docs: document GitHub Actions expression support in timeout-minutes, engine.v...
  • 2ee8ab4 feat: add conditional workspace checkout to detection job for patch context (...
  • a370734 fix: preserve workflow files and guide user on manual push when branch push f...
  • 5fbd1cb refactor: split trial_command.go (1,007 lines) into focused files (#23917)
  • 8405976 fix: paginate label fetch in create_discussion and update_discussion (#23915)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
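
The hook-clearing fix listed in the release notes above (#23929), as an added shell example: it applies the two measures the note names to a restored cache repository and then audits the result. This is not code from gh-aw or from this PR; the function names `harden_cache_repo` and `audit_cache_repo` and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not gh-aw's code. Function names are hypothetical; the two
# measures (empty .git/hooks, core.hooksPath=/dev/null) come from the note.

# harden_cache_repo DIR: apply both measures to a restored cache repository.
harden_cache_repo() {
    repo=$1
    [ -d "$repo/.git" ] || { echo "not a git repo: $repo" >&2; return 2; }
    # Without a trailing slash, rm removes a symlinked hooks directory
    # itself rather than descending into whatever it points at.
    rm -rf -- "$repo/.git/hooks"
    mkdir -- "$repo/.git/hooks"
    git -C "$repo" config --local core.hooksPath /dev/null
}

# audit_cache_repo DIR: print findings; return 1 if a hook could still run.
audit_cache_repo() {
    repo=$1
    findings=0
    hooks_path=$(git -C "$repo" config --local --get core.hooksPath || true)
    if [ "$hooks_path" != "/dev/null" ]; then
        echo "core.hooksPath is '${hooks_path:-unset}', expected /dev/null"
        findings=1
    fi
    if [ -L "$repo/.git/hooks" ]; then
        echo ".git/hooks is a symlink to $(readlink "$repo/.git/hooks")"
        findings=1
    elif [ -d "$repo/.git/hooks" ]; then
        entries=$(ls -A "$repo/.git/hooks")
        if [ -n "$entries" ]; then
            echo ".git/hooks is not empty:"
            echo "$entries" | sed 's/^/  /'
            findings=1
        fi
    fi
    return "$findings"
}

# Script use: ./harden.sh /path/to/cache-repo
if [ "$#" -ge 1 ]; then
    harden_cache_repo "$1" && audit_cache_repo "$1"
fi
```

Running the audit before any git command touches the restored cache shows whether an earlier run left hooks behind; the hardening step is idempotent, so it can run on every setup.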

Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.65.2 to 0.65.5.
- [Release notes](https://github.com/github/gh-aw/releases)
- [Commits](github/gh-aw@v0.65.2...v0.65.5)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.65.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Apr 2, 2026

sonarqubecloud bot commented Apr 2, 2026

@karianna karianna merged commit 6f56790 into main Apr 2, 2026
16 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/github/gh-aw-0.65.5 branch April 2, 2026 22:33