github github/gh-aw v0.65.6

6 hours ago

🌟 Release Highlights

This release centers on Effective Tokens — a new end-to-end feature that tracks and surfaces AI token usage across workflow runs — alongside five community-reported bug fixes and a set of reliability improvements.

✨ What's New

  • Effective Tokens visibility — Token usage is now tracked from the MCP gateway log through the agent job outputs and surfaced directly in workflow footer comments. Footer templates gain three new variables: {effective_tokens} (raw integer), {effective_tokens_formatted} (compact string like 1.2K), and {effective_tokens_suffix} (a ready-to-use suffix like · ● 1.2K). All built-in footer templates have been updated to include {effective_tokens_suffix} by default. (#24150, #24132, #24122, #24029)

  • Custom model token weights — The engine frontmatter now supports custom token weight overrides per model, enabling more accurate effective-token calculations for non-default deployments. (#24134)

  • Native web-fetch for Codex and Gemini — The mcp/fetch fallback has been removed; Codex and Gemini workflows now use native web-fetch, reducing latency and eliminating an unnecessary MCP dependency. (#24017)

  • Staggered cron schedules — Approximately 30 workflows previously fired simultaneously at the top of each hour, exhausting the GitHub App rate limit. The compiler now hashes each workflow's identity to scatter execution within ±30 minutes, eliminating rate-limit bursts. (#24144)
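
The staggering idea from the last item, as an added example that is not the gh-aw compiler's code: a stable hash of the workflow identity picks a fixed offset, so every compile yields the same schedule while different workflows spread out. The FNV-1a hash, the function names and the `workflow-N` identities are assumptions made for illustration.

```javascript
// Added example: hash choice and identity strings are assumptions, not gh-aw internals.
// 32-bit FNV-1a: a small, stable, non-cryptographic string hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// Signed offset in minutes, in [-30, 29], fixed for a given workflow identity.
function staggerOffset(workflowId) {
  return (fnv1a(workflowId) % 60) - 30;
}

// Rewrites a five-field cron expression that fires at minute 0.
// Any other schedule is returned unchanged.
function staggerCron(cron, workflowId) {
  const f = cron.trim().split(/\s+/);
  if (f.length !== 5 || f[0] !== "0") return cron;
  let offset = staggerOffset(workflowId);
  let hour = f[1];
  if (/^\d+$/.test(hour) && offset < 0 && Number(hour) > 0) {
    // Fixed hour: a negative offset lands in the previous hour of the same day.
    hour = String(Number(hour) - 1);
    offset += 60;
  } else if (hour === "*") {
    // Every hour: an offset of -15 is the same as minute 45.
    offset = (offset + 60) % 60;
  } else {
    // Hour 0, lists, ranges and steps: only shift forward (0 to 30 minutes).
    offset = Math.abs(offset);
  }
  return [String(offset), hour, ...f.slice(2)].join(" ");
}

// Constructed identities standing in for the roughly 30 colliding workflows.
function spreadMinutes(count) {
  const minutes = [];
  for (let i = 1; i <= count; i++) {
    minutes.push(Number(staggerCron("0 * * * *", "workflow-" + i).split(" ")[0]));
  }
  return minutes;
}
```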

๐Ÿ› Bug Fixes & Improvements

  • Safe outputs MCP server now receives GH_AW_SAFE_OUTPUTS — The environment variable was not passed to the safe-outputs MCP HTTP server startup step, causing outputs.jsonl to appear empty even on success. (#24126)

  • Discussion reply threading fixed — add-comment now correctly threads replies when the triggering comment is itself a reply inside a discussion thread. (#24031)

  • Lenient temporary ID validation — Invalid temporary IDs (e.g. containing underscores) now emit a warning instead of failing PR creation. (#24030)

  • Conclusion job concurrency now customizable — A concurrency.job-discriminator field can be applied to the conclusion job, allowing users to control grouping independently of the agent job. (#24043)

  • Lock file integrity check works across organizations — Reusable workflow lock files are now resolved from the source repository rather than the calling repository, fixing cross-org integrity validation. (#24057)

  • add_comment no longer fails on scheduled runs — When no triggering context is available (e.g. a schedule trigger), the add_comment handler now silently skips instead of erroring. (#24131, #24098)

  • MCP gateway tool allowlist enforced at gateway layer — Tool allow/deny lists are now enforced at the gateway itself with restricted config file permissions, improving security posture. (#23933)

  • Protocol-relative URLs blocked in safe-outputs sanitizer — URLs like //evil.com are now treated as blocked domains, closing a sanitization bypass. (#23930)
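
The protocol-relative gap described in the last item, as an added example that is not gh-aw's sanitizer code: a pattern anchored on an explicit scheme never inspects `//host` URLs, while one with an optional scheme sends them through the same domain check. The allowlist, the redaction marker, the function names and the sample text are assumptions constructed for illustration.

```javascript
// Added example: allowlist and marker are constructed, not gh-aw's configuration.
const ALLOWED_DOMAINS = ["github.com"];
const REDACTED = "(redacted)";

// Constructed sample output containing one allowed and one protocol-relative URL.
const SAMPLE = "Docs https://docs.github.com/en and image //evil.com/p.png";

// Domain check shared by both sanitizers.
function isAllowed(url) {
  try {
    // A protocol-relative URL inherits the page scheme; resolve it as https
    // so its hostname is parsed exactly like any other URL.
    const { hostname } = new URL(url.startsWith("//") ? "https:" + url : url);
    return ALLOWED_DOMAINS.some(d => hostname === d || hostname.endsWith("." + d));
  } catch {
    return false; // unparsable input is blocked
  }
}

// Before: only URLs with an explicit http(s) scheme are inspected, so
// "//evil.com/p.png" is left in the output untouched.
function sanitizeNaive(text) {
  return text.replace(/\bhttps?:\/\/[^\s"'<>)]+/gi,
    u => (isAllowed(u) ? u : REDACTED));
}

// After: the scheme is optional. The lookbehind skips "//" that sits inside
// a path such as "src//file.txt" and is therefore not the start of a URL.
function sanitizeHardened(text) {
  return text.replace(/(?<![\w\/])(?:https?:)?\/\/[^\s"'<>)]+/gi,
    u => (isAllowed(u) ? u : REDACTED));
}
```

A regression test for a sanitizer of this kind should include at least one scheme-less URL per output field, since the gap is invisible when every fixture starts with `https://`.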

📚 Documentation


๐ŸŒ Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release!

@corygehr

@dsyme

@jaroslawgajewski

@szabta89

@yaananth


For complete details, see CHANGELOG.

Generated by Release · ● 747.2K


What's Changed

  • fix: treat protocol-relative URLs as blocked domains in safe-outputs sanitizer by @Copilot in #23930
  • Enforce MCP gateway tool allowlist at the gateway layer and restrict config file permissions by @Copilot in #23933
  • feat: remove mcp/fetch fallback and wire native web-fetch for Codex and Gemini by @Copilot in #24017
  • [jsweep] jsweep: Clean add_comment.cjs by @github-actions[bot] in #24020
  • docs: expand security architecture section on homepage for non-security audiences by @Copilot in #24026
  • feat(logs): parse events.jsonl as primary metrics source for Copilot CLI runs by @Copilot in #24027
  • fix: use events.jsonl from copilot session-state for log parsing by @Copilot in #24028
  • feat: render token-usage.jsonl in the MCP gateway step summary by @Copilot in #24029
  • [code-simplifier] refactor: simplify token usage parsing in parse_mcp_gateway_log.cjs by @github-actions[bot] in #24032
  • Fix discussion reply threading when triggering comment is itself a reply by @Copilot in #24031
  • [ca] fix: correct JSDoc type annotation in parse_mcp_gateway_log.cjs by @github-actions[bot] in #24033
  • fix: lenient temporary ID validation — support underscores, warn instead of fail by @Copilot in #24030
  • fix: increase timeout for daily-architecture-diagram workflow by @Copilot in #24042
  • [docs] Update glossary - daily scan by @github-actions[bot] in #24044
  • Apply concurrency.job-discriminator to the conclusion job by @Copilot in #24043
  • [community] Update community contributions in README by @github-actions[bot] in #24062
  • [instructions] Sync github-agentic-workflows.md with release v0.65.5 by @github-actions[bot] in #24061
  • fix: use Python venv for pip installs in shared Python workflows by @Copilot in #24053
  • Set max branch limit to 10 and enable deletion on scheduled runs by @Copilot in #24064
  • [docs] Consolidate developer specs into dev.md v5.0 (2026-04-02) by @github-actions[bot] in #24067
  • Fix lock file integrity check for cross-org reusable workflows by @Copilot in #24057
  • [rendering-scripts] fix: add pretty-print format support to copilot log parser by @github-actions[bot] in #24070
  • Prevent copilot-maintenance workflow from running on forks by @Copilot in #24082
  • Fix JS typecheck failures introduced by TypeScript v6 strict catch variable typing by @Copilot in #24089
  • Remove unnecessary []byte casts in pkg/console golden tests by @Copilot in #24086
  • Implement conclusion job step improvements by @Copilot in #24063
  • Migrate pkg/repoutil tests to testify assertions by @Copilot in #24085
  • [dead-code] chore: remove dead functions — 4 functions removed by @github-actions[bot] in #24094
  • Return structured JSON instead of MCP protocol errors for invalid inputs in logs/audit/compile tools by @Copilot in #24058
  • fix: silently skip add_comment when no triggering context (schedule runs) by @Copilot in #24098
  • Extract Go source code analysis tools bundle into shared component by @Copilot in #24084
  • fix(docs): add aria-label to Expressive Code copy-to-clipboard buttons by @Copilot in #24099
  • refactor: split mixed-concern files identified by semantic function clustering analysis by @Copilot in #24101
  • fix: add-wizard ls-remote default branch parsing bug by @dsyme in #24105
  • docs: add Effective Tokens (ET) specification by @Copilot in #24111
  • refactor: extract standard repo-memory configuration into shared/repo-memory-standard.md by @Copilot in #24100
  • [docs] Self-healing documentation fixes from issue analysis - 2026-04-02 by @github-actions[bot] in #24116
  • refactor: migrate features.difc-proxy to tools.github.integrity-proxy (#refactor-integrity-proxy) by @Copilot in #24065
  • refactor: extract daily audit discussion configuration into shared/daily-audit-discussion.md by @Copilot in #24102
  • feat: implement Effective Tokens specification in Go by @Copilot in #24122
  • fix: only update .gitattributes if needed, skip if already up to date by @Copilot in #24124
  • Adopt charmbracelet/x/exp/golden in pkg/workflow/wasm_golden_test.go by @Copilot in #24120
  • chore: Bump AWF firewall version to v0.25.11 by @lpcox in #24133
  • fix: resolve 8 CLI consistency issues from automated inspection by @Copilot in #24130
  • fix: silently skip add_comment when no triggering context on schedule runs by @Copilot in #24131
  • fix: pass GH_AW_SAFE_OUTPUTS to safe-outputs MCP HTTP server startup step by @Copilot in #24126
  • feat: add custom model token weights in engine frontmatter by @Copilot in #24134
  • chore(deps): bump @xmldom/xmldom from 0.9.8 to 0.9.9 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #24141
  • [slides] fix(slides): correct default MCP toolsets comment by @github-actions[bot] in #24146
  • detone gamified status messages in brave.md by @Copilot in #24142
  • Stagger concurrent 0-minute cron schedules to prevent GitHub App rate limit burst by @Copilot in #24144
  • feat: implement effective tokens computation and display in action JavaScript by @Copilot in #24132
  • fix(auto-triage): add community and cookie approval-labels and centralize guard policy by @Copilot in #24143
  • fix: create_pull_request branch guidance, PR-comment tool selection, and shallow clone fallback by @Copilot in #24123
  • feat: add effective token template expressions to all footer templates by @Copilot in #24150

Full Changelog: v0.65.5...v0.65.6
