v0.65.6
π Release Highlights
This release centers on Ef 8000 fective Tokens β a new end-to-end feature that tracks and surfaces AI token usage across workflow runs β alongside five community-reported bug fixes and a set of reliability improvements.
β¨ What's New
-
Effective Tokens visibility β Token usage is now tracked from the MCP gateway log through the agent job outputs and surfaced directly in workflow footer comments. Footer templates gain three new variables:
{effective_tokens}(raw integer),{effective_tokens_formatted}(compact string like1.2K), and{effective_tokens_suffix}(a ready-to-use suffix likeΒ· β 1.2K). All built-in footer templates have been updated to include{effective_tokens_suffix}by default. (#24150, #24132, #24122, #24029) -
Custom model token weights β The
enginefrontmatter now supports custom token weight overrides per model, enabling more accurate effective-token calculations for non-default deployments. (#24134) -
Native web-fetch for Codex and Gemini β The
mcp/fetchfallback has been removed; Codex and Gemini workflows now use native web-fetch, reducing latency and eliminating an unnecessary MCP dependency. (#24017) -
Staggered cron schedules β Approximately 30 workflows previously fired simultaneously at the top of each hour, exhausting the GitHub App rate limit. The compiler now hashes each workflow's identity to scatter execution within Β±30 minutes, eliminating rate-limit bursts. (#24144)
π Bug Fixes & Improvements
-
Safe outputs MCP server now receives
GH_AW_SAFE_OUTPUTSβ The environment variable was not passed to the safe-outputs MCP HTTP server startup step, causingoutputs.jsonlto appear empty even on success. (#24126) -
Discussion reply threading fixed β
add-commentnow correctly threads replies when the triggering comment is itself a reply inside a discussion thread. (#24031) -
Lenient temporary ID validation β Invalid temporary IDs (e.g. containing underscores) now emit a warning instead of failing PR creation. (#24030)
-
Conclusion job concurrency now customizable β A
concurrency.job-discriminatorfield can be applied to theconclusionjob, allowing users to control grouping independently of the agent job. (#24043) -
Lock file integrity check works across organizations β Reusable workflow lock files are now resolved from the source repository rather than the calling repository, fixing cross-org integrity validation. (#24057)
-
add_commentno longer fails on scheduled runs β When no triggering context is available (e.g. ascheduletrigger), theadd_commenthandler now silently skips instead of erroring. (#24131, #24098) -
MCP gateway tool allowlist enforced at gateway layer β Tool allow/deny lists are now enforced at the gateway itself with restricted config file permissions, improving security posture. (#23933)
-
Protocol-relative URLs blocked in safe-outputs sanitizer β URLs like
//evil.comare now treated as blocked domains, closing a sanitization bypass. (#23930)
π Documentation
- Added the Effective Tokens specification documenting the token-tracking architecture, formula, and template variables.
- Developer spec consolidated into
dev.md v5.0. (#24067)
π Community Contributions
A huge thank you to the community members who reported issues that were resolved in this release!
@corygehr
@dsyme
- Invalide temporary ID should probably not fail PR creation (direct issue)
@jaroslawgajewski
- Lock file integrity check should resolve the lock file from the reusable workflow source repository (direct issue)
@szabta89
@yaananth
For complete details, see CHANGELOG.
Generated by Release Β· β 747.2K
What's Changed
- fix: treat protocol-relative URLs as blocked domains in safe-outputs sanitizer by @Copilot in #23930
- Enforce MCP gateway tool allowlist at the gateway layer and restrict config file permissions by @Copilot in #23933
- feat: remove mcp/fetch fallback and wire native web-fetch for Codex and Gemini by @Copilot in #24017
- [jsweep] jsweep: Clean add_comment.cjs by @github-actions[bot] in #24020
- docs: expand security architecture section on homepage for non-security audiences by @Copilot in #24026
- feat(logs): parse events.jsonl as primary metrics source for Copilot CLI runs by @Copilot in #24027
- fix: use events.jsonl from copilot session-state for log parsing by @Copilot in #24028
- feat: render token-usage.jsonl in the MCP gateway step summary by @Copilot in #24029
- [code-simplifier] refactor: simplify token usage parsing in parse_mcp_gateway_log.cjs by @github-actions[bot] in #24032
- Fix discussion reply threading when triggering comment is itself a reply by @Copilot in #24031
- [ca] fix: correct JSDoc type annotation in parse_mcp_gateway_log.cjs by @github-actions[bot] in #24033
- fix: lenient temporary ID validation β support underscores, warn instead of fail by @Copilot in #24030
- fix: increase timeout for daily-architecture-diagram workflow by @Copilot in #24042
- [docs] Update glossary - daily scan by @github-actions[bot] in #24044
- Apply
concurrency.job-discriminatorto theconclusionjob by @Copilot in #24043 - [community] Update community contributions in README by @github-actions[bot] in #24062
- [instructions] Sync github-agentic-workflows.md with release v0.65.5 by @github-actions[bot] in #24061
- fix: use Python venv for pip installs in shared Python workflows by @Copilot in #24053
- Set max branch limit to 10 and enable deletion on scheduled runs by @Copilot in #24064
- [docs] Consolidate developer specs into dev.md v5.0 (2026-04-02) by @github-actions[bot] in #24067
- Fix lock file integrity check for cross-org reusable workflows by @Copilot in #24057
- [rendering-scripts] fix: add pretty-print format support to copilot log parser by @github-actions[bot] in #24070
- Prevent copilot-maintenance workflow from running on forks by @Copilot in #24082
- Fix JS typecheck failures introduced by TypeScript v6 strict catch variable typing by @Copilot in #24089
- Remove unnecessary
[]bytecasts inpkg/consolegolden tests by @Copilot in #24086 - Implement conclusion job step improvements by @Copilot in #24063
- Migrate pkg/repoutil tests to testify assertions by @Copilot in #24085
- [dead-code] chore: remove dead functions β 4 functions removed by @github-actions[bot] in #24094
- Return structured JSON instead of MCP protocol errors for invalid inputs in logs/audit/compile tools by @Copilot in #24058
- fix: silently skip add_comment when no triggering context (schedule runs) by @Copilot in #24098
- Extract Go source code analysis tools bundle into shared component by @Copilot in #24084
- fix(docs): add aria-label to Expressive Code copy-to-clipboard buttons by @Copilot in #24099
- refactor: split mixed-concern files identified by semantic function clustering analysis by @Copilot in #24101
- fix: add-wizard ls-remote default branch parsing bug by @dsyme in #24105
- docs: add Effective Tokens (ET) specification by @Copilot in #24111
- refactor: extract standard repo-memory configuration into shared/repo-memory-standard.md by @Copilot in #24100
- [docs] Self-healing documentation fixes from issue analysis - 2026-04-02 by @github-actions[bot] in #24116
- refactor: migrate features.difc-proxy to tools.github.integrity-proxy (#refactor-integrity-proxy) by @Copilot in #24065
- refactor: extract daily audit discussion configuration into shared/daily-audit-discussion.md by @Copilot in #24102
- feat: implement Effective Tokens specification in Go by @Copilot in #24122
- fix: only update .gitattributes if needed, skip if already up to date by @Copilot in #24124
- Adopt charmbracelet/x/exp/golden in pkg/workflow/wasm_golden_test.go by @Copilot in #24120
- chore: Bump AWF firewall version to v0.25.11 by @lpcox in #24133
- fix: resolve 8 CLI consistency issues from automated inspection by @Copilot in #24130
- fix: silently skip add_comment when no triggering context on schedule runs by @Copilot in #24131
- fix: pass GH_AW_SAFE_OUTPUTS to safe-outputs MCP HTTP server startup step by @Copilot in #24126
- feat: add custom model token weights in engine frontmatter by @Copilot in #24134
- chore(deps): bump @xmldom/xmldom from 0.9.8 to 0.9.9 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #24141
- [slides] fix(slides): correct default MCP toolsets comment by @github-actions[bot] in #24146
- detone gamified status messages in brave.md by @Copilot in #24142
- Stagger concurrent 0-minute cron schedules to prevent GitHub App rate limit burst by @Copilot in #24144
- feat: implement effective tokens computation and display in action JavaScript by @Copilot in #24132
- fix(auto-triage): add community and cookie approval-labels and centralize guard policy by @Copilot in #24143
- fix: create_pull_request branch guidance, PR-comment tool selection, and shallow clone fallback by @Copilot in #24123
- feat: add effective token template expressions to all footer templates by @Copilot in #24150
Full Changelog: v0.65.5...v0.65.6