Bump github/gh-aw from 0.59.0 to 0.63.0

[dependabot]

Bumps github/gh-aw from 0.59.0 to 0.63.0.

Release notes

Sourced from github/gh-aw's releases.

v0.63.0

🌟 Release Highlights

This release delivers a major new experimental tool for semantic documentation search, two high-priority security fixes applied across all compiled workflows, a firewall and MCP gateway upgrade, and a smarter fuzzy scheduler that reduces queue contention on GitHub Actions.

✨ What's New

qmd documentation search tool (experimental)

Agentic workflows can now perform vector-similarity search over local documentation, GitHub code search results, and issue lists — without requiring contents: read in the agent job. The new built-in qmd tool (powered by tobi/qmd) runs a dedicated indexing job that builds and caches an embedding index, then serves it to the agent via an HTTP MCP server. GPU-accelerated indexing is supported on custom runners.

tools:
  qmd:
    checkouts:
      - name: docs
        paths: [docs/**/*.md]
    searches:
      - name: issues
        type: issues
        max: 500
        github-token: $\{\{ secrets.GITHUB_TOKEN }}

Learn more →

Smarter fuzzy scheduler

The FUZZY:* schedule patterns now guarantee that scattered cron minutes land in [5, 54], avoiding GitHub Actions peak-contention windows (midnight UTC and ±5 minutes around every hour). Existing workflows are automatically updated on next recompile.

Schedule syntax reference →

🔒 Security Fixes

• github-env HIGH vulnerability eliminated — All 193 compiled workflows now write framework-controlled variables (GH_AW_SAFE_OUTPUTS, GH_AW_AGENT_OUTPUT, GH_HOST) to $GITHUB_OUTPUT instead of $GITHUB_ENV, resolving a zizmor HIGH finding. (#22528)
• SHA pinning extended to on.steps — Custom steps injected into pre-activation jobs via on.steps are now run through the same SHA-pinning pipeline as steps: and post-steps:, closing a supply chain gap where unpinned action references could pass through verbatim into lock files. (#22529)
• AWF Firewall upgraded to v0.25.0 — All workflow lock files recompiled against the latest firewall image. (#22508)
• MCP Gateway upgraded to v0.2.2 — Improved robustness when extracting issue and PR numbers from search results where structured data fields are absent or malformed. (#22538)

🌍 Community Contributions

@Dan-Co

• gh-aw: GitHub App token narrowing omits Dependabot alerts permission for GitHub MCP (403 on list_dependabot_alerts) (direct issue)

@dsyme

... (truncated)

Commits

• 4248ac6 Add builtin qmd documentation search tool (experimental) (#22183)
• 7d0aa2d Upgrade gh-aw-mcpg to v0.2.2 (#22538)
• d90c14f Fix github-env HIGH vulnerability in ci-doctor and dev-hawk workflows (#22528)
• 42a2247 Add aw_context caller metadata to workflow dispatches (#22479)
• 4474a9d fix: apply SHA pinning to on.steps in pre-activation job (#22529)
• 6b46ba6 chore: remove dead functions ExtractWorkflowNameFromMarkdown and ExtractMarkd...
• ad6e063 test(js): add tests for check_skip_if_helpers.cjs (#22535)
• 6316f1c refactor: resolve semantic function clustering issues in pkg/workflow (#22474)
• 3c75759 perf: eliminate redundant YAML parsing in import field extraction (#22491)
• 68ca9ed fix: update golden test files to AWF firewall version 0.25.0 (#22531)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)