Bump github/gh-aw from 0.65.5 to 0.65.6

[dependabot]

Bumps github/gh-aw from 0.65.5 to 0.65.6.

Release notes

Sourced from github/gh-aw's releases.

v0.65.6

🌟 Release Highlights

This release centers on Effective Tokens — a new end-to-end feature that tracks and surfaces AI token usage across workflow runs — alongside five community-reported bug fixes and a set of reliability improvements.

✨ What's New

• Effective Tokens visibility — Token usage is now tracked from the MCP gateway log through the agent job outputs and surfaced directly in workflow footer comments. Footer templates gain three new variables: {effective_tokens} (raw integer), {effective_tokens_formatted} (compact string like 1.2K), and {effective_tokens_suffix} (a ready-to-use suffix like · ● 1.2K). All built-in footer templates have been updated to include {effective_tokens_suffix} by default. (#24150, #24132, #24122, #24029)

• Custom model token weights — The engine frontmatter now supports custom token weight overrides per model, enabling more accurate effective-token calculations for non-default deployments. (#24134)

• Native web-fetch for Codex and Gemini — The mcp/fetch fallback has been removed; Codex and Gemini workflows now use native web-fetch, reducing latency and eliminating an unnecessary MCP dependency. (#24017)

• Staggered cron schedules — Approximately 30 workflows previously fired simultaneously at the top of each hour, exhausting the GitHub App rate limit. The compiler now hashes each workflow's identity to scatter execution within ±30 minutes, eliminating rate-limit bursts. (#24144)

🐛 Bug Fixes & Improvements

• Safe outputs MCP server now receives GH_AW_SAFE_OUTPUTS — The environment variable was not passed to the safe-outputs MCP HTTP server startup step, causing outputs.jsonl to appear empty even on success. (#24126)

• Discussion reply threading fixed — add-comment now correctly threads replies when the triggering comment is itself a reply inside a discussion thread. (#24031)

• Lenient temporary ID validation — Invalid temporary IDs (e.g. containing underscores) now emit a warning instead of failing PR creation. (#24030)

• Conclusion job concurrency now customizable — A concurrency.job-discriminator field can be applied to the conclusion job, allowing users to control grouping independently of the agent job. (#24043)

• Lock file integrity check works across organizations — Reusable workflow lock files are now resolved from the source repository rather than the calling repository, fixing cross-org integrity validation. (#24057)

• add_comment no longer fails on scheduled runs — When no triggering context is available (e.g. a schedule trigger), the add_comment handler now silently skips instead of erroring. (#24131, #24098)

• MCP gateway tool allowlist enforced at gateway layer — Tool allow/deny lists are now enforced at the gateway itself with restricted config file permissions, improving security posture. (#23933)

• Protocol-relative URLs blocked in safe-outputs sanitizer — URLs like //evil.com are now treated as blocked domains, closing a sanitization bypass. (#23930)

📚 Documentation

• Added the Effective Tokens specification documenting the token-tracking architecture, formula, and template variables.
• Developer spec consolidated into dev.md v5.0. (#24067)

---

🌍 Community Contributions

@corygehr

• add-comment for Discussion doesn't allow for replies to a threaded comment reply (direct issue)

@dsyme

... (truncated)

Commits

• 2962622 feat: add effective token template expressions to all footer templates (#24150)
• b4d387c walkthroughs
• 6d7fc80 fix: create_pull_request branch guidance, PR-comment tool selection, and shal...
• 5380a02 fix(auto-triage): add community and cookie approval-labels and centralize gua...
• e95d91a feat: implement effective tokens computation and display in action JavaScript...
• 6cb0ce9 Stagger concurrent 0-minute cron schedules to prevent GitHub App rate limit b...
• 9b96dcf detone gamified status messages in brave.md (#24142)
• 99653d6 fix(slides): remove 'users' from default MCP toolsets comment (#24146)
• 5711ef8 chore(deps): bump @​xmldom/xmldom (#24141)
• c6b4bf9 feat: add custom model token weights in engine frontmatter (#24134)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud