build(deps): Bump github/gh-aw from 0.62.5 to 0.67.1 #923

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/github_actions/github/gh-aw-0.67.1
dependabot bot commented on behalf of github on Apr 7, 2026

Bumps github/gh-aw from 0.62.5 to 0.67.1.

Release notes

Sourced from github/gh-aw's releases.

v0.67.1

🌟 Release Highlights

This release delivers a major OpenTelemetry observability overhaul, a new report_incomplete safe output signal, Claude Code 1.0.0 compatibility, and a wave of security hardening — all driven in part by community-reported issues.

✨ What's New

🔭 OpenTelemetry Observability (Multiple PRs)

A substantial series of improvements makes distributed tracing production-ready:

  • Accurate span names — job lifecycle spans now use the actual job name (e.g. gh-aw.agent.conclusion) instead of the generic gh-aw.job.conclusion, making traces immediately readable in Grafana/Honeycomb/Datadog.
  • Real job duration — conclusion spans now record actual execution time (previously always reported 2–5 ms due to a missing startMs).
  • OTLP payload sanitization — sensitive values (token, secret, key, auth, etc.) in span attributes are automatically redacted before sending to any OTLP collector.
  • OTLP headers masking: OTEL_EXPORTER_OTLP_HEADERS is masked with ::add-mask:: in every job, preventing auth tokens from leaking in GitHub Actions debug logs.
  • MCP Gateway OpenTelemetry — the MCP Gateway now receives opentelemetry config derived from observability.otlp frontmatter and the actions/setup trace IDs, correlating all MCP tool-call traces under the workflow root trace.
  • New resource attributes: service.version, github.repository, github.run_id, github.event_name, github.ref, github.sha, github.actions.run_url, deployment.environment, gh-aw.staged, gh-aw.run.attempt enriching all spans.
  • Observability job summary auto-enabled — the job summary step is now rendered automatically whenever OTLP is configured; the observability.job-summary opt-in field is removed (auto-detected).
  • Real OTLP trace ID in the observability job summary (was incorrectly showing the workflow_call_id).
  • GitHub API rate limit analytics: gh aw audit, gh aw logs, and gh aw audit diff now show GitHub API quota consumed per run, per resource.

🛡️ report_incomplete Safe Output

A new first-class signal for agents to surface infrastructure or tool failures without being misclassified as successful runs. When an agent emits report_incomplete, the safe-outputs handler activates failure handling regardless of agent exit code — preventing "tool-failure comment disguised as a success" scenarios. Can be configured with create-issue, title-prefix, and labels, just like missing_tool.

checks as a First-Class MCP Tool

The checks tool is now registered in the gh-aw MCP server, returning a normalized CI verdict (success, failed, pending, no_checks, policy_blocked). Review workflows no longer need to shell out to gh aw checks.

🔐 Security Hardening

  • Token/secret injection prevention — 422 instances of ${{ secrets.* }} interpolated directly into run: blocks have been moved to env: mappings across 181 lock files and hand-authored CI workflows, preventing shell injection if a token contains metacharacters.
  • runner-guard added to static analysis — the static-analysis-report workflow now runs Vigilant-LLC's runner-guard scanner alongside zizmor, poutine, and actionlint.

🔍 Pre-Activation Visibility

When a workflow activation is denied (bot gate, role gate, stop-after, skip-if-match, etc.), the activation job now writes a $GITHUB_STEP_SUMMARY explaining the exact reason and providing remediation guidance — no more silently skipping PRs with no visible indicator.

🤖 Claude Code 1.0.0 Compatibility

The --disable-slash-commands flag has been removed from the Claude CLI args builder. Claude Code 1.0.0 dropped this flag as a breaking change; the compiler was unconditionally injecting it, causing all Claude-engine workflows to fail at startup.

🐛 Bug Fixes & Improvements

  • Fix Octokit .endpoint proxy: pre_activation check scripts were failing with route.endpoint is not a function due to the rate-limit-aware github proxy stripping Octokit's .endpoint decorator; fixed with a Proxy wrapper.
  • Fix OTLP span kind — job lifecycle spans now use SPAN_KIND_INTERNAL (was SPAN_KIND_SERVER), preventing false RED-metric pollution in observability backends.
  • Error message quality — duplicate permission scope hints suppressed, redundant path prefix stripped from single-failure messages, and YAML parse error fallbacks now emit proper IDE-navigable positions.
  • Fix daily-issues-report — switched from codex to copilot engine after OpenAI API access restrictions blocked Codex since Mar 24.
  • Fix runner-guard v2 module path — corrected go install path to include /v2/ suffix for Go major version convention compliance.
  • Fix docs breadcrumb config — removed unrecognized breadcrumbs: true key that was breaking Starlight config.

... (truncated)

Commits
  • 13ac7de fix: normalize INPUT_JOB_NAME hyphen form in OTLP span scripts (#24823)
  • d67c9c3 fix: remove unrecognized breadcrumbs key from Starlight config (#24821)
  • e9da712 fix: update TestMCPServer_ToolIcons and tool list to include checks tool (#24...
  • 7a6faba fix lint: use require.NoError for error assertion in gitutil_test.go (#24817)
  • 563ec89 Configure MCP gateway OpenTelemetry from observability.otlp and actions/setup...
  • 5bcb428 Remove --disable-slash-commands flag for Claude Code 1.0.0 compatibility (#24...
  • dcae774 Add report_incomplete safe output type to prevent tool-failure comments from ...
  • 44233cc Surface pre-activation denial reason in job summary (#24792)
  • 1de4eba feat: add-mask OTLP telemetry header value to prevent log leakage (#24805)
  • 3f32757 feat(otel): add github.ref and github.sha to span resource attributes (#24786)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
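
An added example, not code from gh-aw or from this PR: a minimal line-based check for the pattern the Security Hardening note describes, where a secrets expression is substituted into the text of a run: script before the shell parses it instead of being passed through an env: mapping. The workflow fragments and the name find_inline_secrets are constructed for illustration, and the scanner tracks indentation rather than fully parsing YAML.

```python
import re

# Any ${{ ... }} expression that references the secrets context.
SECRET_EXPR = re.compile(r"\$\{\{[^}]*\bsecrets\b[^}]*\}\}")
# A run: key, optionally the first key of a step ("- run:").
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_inline_secrets(workflow_text):
    """Return [(line_no, expression)] for secrets expanded inside run: scripts."""
    findings, run_col = [], None  # run_col: column of run: while inside its block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > run_col:
                findings += [(no, m.group(0)) for m in SECRET_EXPR.finditer(line)]
                continue
            run_col = None  # a dedent ends the script body
        key = RUN_KEY.match(line)
        if not key:
            continue  # env:, with:, name: ... are not shell text
        if key.group(2)[:1] in ("|", ">"):
            run_col = len(key.group(1))
        else:  # single-line script on the same line as run:
            findings += [(no, m.group(0)) for m in SECRET_EXPR.finditer(key.group(2))]
    return findings

# Constructed fragment: secrets pasted into the script text before the shell parses it.
BEFORE = """\
steps:
  - name: Upload
    run: |
      curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" "$URL"
  - run: ./deploy.sh ${{ secrets.DEPLOY_KEY }}
"""
# Constructed fragment: same steps with the secrets passed through env: mappings.
AFTER = """\
steps:
  - name: Upload
    env:
      API_TOKEN: ${{ secrets.API_TOKEN }}
    run: |
      curl -H "Authorization: Bearer $API_TOKEN" "$URL"
  - env:
      DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
    run: ./deploy.sh "$DEPLOY_KEY"
"""
if __name__ == "__main__":
    for no, expr in find_inline_secrets(BEFORE):
        print(f"line {no}: {expr} is expanded inside a run: script")
```

In the AFTER fragment the shell only ever sees a quoted variable reference, so metacharacters in the secret's value stay data.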

Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.62.5 to 0.67.1.
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@v0.62.5...v0.67.1)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.67.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and github_actions labels on Apr 7, 2026