build(deps): Bump github/gh-aw from 0.62.5 to 0.67.0 #917

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/github_actions/github/gh-aw-0.67.0


dependabot bot commented on behalf of github Apr 6, 2026

Bumps github/gh-aw from 0.62.5 to 0.67.0.

Release notes

Sourced from github/gh-aw's releases.

v0.67.0

🌟 Release Highlights

This release delivers a major observability milestone with full OTLP trace export support, resolves critical GitHub MCP App token authentication bugs, expands the environment variable reference documentation, and addresses a wave of community-reported issues across self-hosted runners, cross-repo workflows, and the Codex engine.

✨ What's New

📡 OTLP Trace Export (observability.otlp)

Workflows can now export structured OpenTelemetry spans to any OTLP-compatible backend (e.g. Honeycomb, Grafana Tempo, Sentry) with a single frontmatter block:

observability:
  otlp:
    endpoint: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
    headers: ${{ secrets.GH_AW_OTEL_HEADERS }}

Every job emits setup and conclusion spans with rich attributes (gh-aw.job.name, gh-aw.workflow.name, gh-aw.engine.id, token usage, and more). Cross-job trace correlation is wired automatically — all jobs in a run share a single trace ID originating from the activation job. Dispatched child workflows inherit the parent's trace context via aw_context, giving you end-to-end visibility across composite workflow chains. When a static endpoint URL is provided, its hostname is automatically added to the AWF firewall allowlist.

📚 Environment Variable Reference

A new comprehensive Environment Variables reference section covers CLI configuration (DEBUG, GH_AW_FEATURES, …), per-phase model override variables (GH_AW_MODEL_AGENT_*), and guard policy fallback variables (GH_AW_GITHUB_BLOCKED_USERS, GH_AW_GITHUB_TRUSTED_USERS) — previously discoverable only by reading source code.

🐛 Bug Fixes & Improvements

  • GitHub MCP App token always empty — actions/create-github-app-token masks its output token and GitHub Actions runner v2.308+ silently drops masked values from job outputs, causing github_mcp_app_token to always arrive empty in the agent job (GitHub MCP server ran unauthenticated). The token is now minted directly in the agent job to avoid the cross-job output masking issue. (closes #24569)

  • Duplicate "Generate GitHub App token" step — when multiple checkout: entries fell back to the top-level github-app:, the compiler produced steps with the same name, causing a duplicate-step validation error. Each step is now uniquely named. (closes #24573)

  • Tavily MCP docs and mcp inspect missing servers — the web-search guide referenced the wrong npm package (@tavily/mcp-server → @tavily/mcp) and a dead GitHub URL. Additionally, gh aw mcp inspect now correctly reports MCP servers defined in imported workflows and handles on: issues string triggers. (closes #24567)

  • repo-memory file-glob patterns silently skipping files — documentation and several built-in workflow templates incorrectly instructed agents to prefix file-glob patterns with the branch path (e.g. memory/branch-name/*.json). Patterns are matched against relative paths from the artifact directory, so bare extension patterns (*.json) are correct. All affected workflows and the reference docs have been fixed.

  • Remote workflow calls — fixed a regression that broke workflow_call triggers in cross-repository setups. (closes #24422)

  • workflow_call missing ref: in cross-repo checkout — activation job now correctly passes ref: when checking out a target repository for workflow_call triggers. (closes #20508)

  • setup.sh create_dir() fails on self-hosted Linux runners — create_dir() now uses sudo when the runner user lacks write access to /opt/. (closes #20283)

  • Codex engine on self-hosted runners — the vendored codex-x86_64-unknown-linux-musl binary now correctly supports --dangerously-bypass-approvals-and-sandbox. (closes #20157)

  • GH_AW_SAFE_OUTPUTS_CONFIG_PATH / GH_AW_SAFE_OUTPUTS_TOOLS_PATH not available as env vars — these paths are now written to both GITHUB_OUTPUT and GITHUB_ENV so downstream jobs can reference them as environment variables. (closes #23092)

  • agent_version: latest causes 400 Bad Request with Gemini models — version resolution now correctly handles latest for model/version combinations that do not support it. (closes #20833)

  • Runtime parameterization of frontmatter fields — compile-time frontmatter fields can now be overridden at runtime via ${{ vars.* }} or ${{ secrets.* }} expressions in supported fields. (closes #23724)

🔧 Internal

... (truncated)

Commits
  • 245d168 ci-cleaner: switch to Claude with max-turns, scope recompile, add exit guardr...
  • 73887bf Fix invalid Tavily MCP package name/link in docs and mcp inspect missing serv...
  • c816157 refactor: extract shared OTLP observability config, import in 30% of workflow...
  • 16c5c53 fix: move selection to agent, keep only log download as pre-step (#24637)
  • cbe27b7 fix: move optimizer data loading to pre-agentic steps (#24625)
  • 7acccb4 fix: correct file-glob pattern docs and workflows for repo-memory (#24621)
  • 730ce5e fix: update broken anchor link in glossary.md for audit diff command (#24620)
  • c69880d fix: unique step names for checkout GitHub App token minting steps (#24609)
  • 021d1a9 fix: remove branch-name prefix from repo-memory glob filter (#24613)
  • 1a77097 feat: propagate pre-activation trace-id to activation job and reduce setup.sh...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
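
The cross-job failure described in the "GitHub MCP App token always empty" release note can be checked for in any workflow. The following is an added example, not code from gh-aw or from this PR: it takes a workflow already parsed from YAML and reports job outputs fed by an actions/create-github-app-token step, together with the jobs that read them. The two sample workflows, the start-mcp command and the GITHUB_TOKEN variable name are constructed for illustration.

```python
import re

TOKEN_ACTION = "actions/create-github-app-token"
STEP_REF = re.compile(r"steps\.([\w-]+)\.outputs\.token\b")

def strings(node):
    """Yield every string value nested anywhere inside a parsed YAML node."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from strings(value)

def masked_token_outputs(workflow):
    """Find job outputs fed by an app-token step, plus the jobs that read them."""
    jobs = workflow.get("jobs", {})
    findings = []
    for name, job in jobs.items():
        # ids of steps in this job that mint a (masked) GitHub App token
        minted = {s.get("id") for s in job.get("steps", [])
                  if s.get("uses", "").split("@")[0] == TOKEN_ACTION}
        for out, expr in (job.get("outputs") or {}).items():
            if not any(step in minted for step in STEP_REF.findall(str(expr))):
                continue
            ref = f"needs.{name}.outputs.{out}"
            readers = sorted(j for j, body in jobs.items()
                             if any(ref in text for text in strings(body)))
            findings.append((name, out, readers))
    return findings

# Constructed sample: token minted in one job and handed on through job outputs.
BROKEN = {"jobs": {
    "activation": {
        "outputs": {"github_mcp_app_token": "${{ steps.app-token.outputs.token }}"},
        "steps": [{"id": "app-token", "uses": "actions/create-github-app-token@v1"}],
    },
    "agent": {
        "needs": "activation",
        "steps": [{"run": "start-mcp",  # hypothetical command
                   "env": {"GITHUB_TOKEN": "${{ needs.activation.outputs.github_mcp_app_token }}"}}],
    },
}}
# Constructed sample: token minted inside the job that consumes it.
FIXED = {"jobs": {"agent": {"steps": [
    {"id": "app-token", "uses": "actions/create-github-app-token@v1"},
    {"run": "start-mcp", "env": {"GITHUB_TOKEN": "${{ steps.app-token.outputs.token }}"}},
]}}}

if __name__ == "__main__":
    for job, out, readers in masked_token_outputs(BROKEN):
        print(f"{job}.outputs.{out} carries a masked token; read by {readers}")
```

A finding with a non-empty reader list marks a job that would receive an empty credential and run unauthenticated without any error.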

Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.62.5 to 0.67.0.
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@v0.62.5...v0.67.0)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.67.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and github_actions labels Apr 6, 2026

dependabot bot commented on behalf of github Apr 7, 2026

Superseded by #923.

dependabot bot closed this Apr 7, 2026
dependabot bot deleted the dependabot/github_actions/github/gh-aw-0.67.0 branch April 7, 2026 09:33
Labels

dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update Github_actions code)
