Bump github/gh-aw from 0.79.0 to 0.79.4

[dependabot]

Bumps github/gh-aw from 0.79.0 to 0.79.4.

Release notes

Sourced from github/gh-aw's releases.

v0.79.4

🌟 Release Highlights

v0.79.4 delivers significant improvements to AI credit (AIC) cost tracking and telemetry accuracy, introduces new workflow authoring controls for custom model pricing and configurable timeouts, and hardens sandbox security. A focused round of bug fixes improves milestone caching, SHA-pinning reliability, and failure reporting.

⚠️ Breaking Changes

• dangerously-disable-sandbox-agent now requires an operator-authored string justification (#38325). Boolean true is no longer accepted — workflows must supply a plain-text reason (≥ 20 characters) explaining why the trust boundary is being removed. Update any workflow using dangerously-disable-sandbox-agent: true to a descriptive string.

• user-invokable and disable-model-invocation fields removed from the gh-aw schema (#38328). These Copilot-specific fields have no meaning in gh-aw workflows and will now produce a validation error. Remove them from any .github/workflows/*.md files.

✨ What's New

• Custom model pricing via models frontmatter (#38276). Declare custom cost tables for private or non-catalog models directly in your workflow frontmatter. Overlays merge over the built-in models.json at runtime with main-workflow precedence. Learn more

• Configurable safe-outputs timeout (#38361). The default safe_outputs job timeout has been raised from 30 to 45 minutes, and a new safe-outputs.timeout-minutes frontmatter field lets you tune it per workflow. Learn more

• create_check_run now supports PR targeting (#38237). Pass target: "pr" or target: "*" to attach check runs to the triggering pull request in addition to the existing commit-based flow.

• Steering messages visible in unified log view (#38277). Mid-run steering messages from operators are now rendered inline in the unified workflow log.

🐛 Bug Fixes & Improvements

• AIC telemetry accuracy across all engines (#38314, #38364, #38327, #38412). The github_models provider alias is now recognised; zero-AIC firewall proxy responses correctly fall back to engine-reported values; AIC credits are properly wired through the agent failure handler and propagated into the failure footer.

• Milestone cache now scoped per owner/repo (#38342). Milestone lookups in assign_milestone no longer bleed across repositories in multi-repo runs.

• SHA-pinning for runtime setup-cli in custom steps: workflows (#38344). The emitted setup-cli step in steps: workflows now receives a SHA pin, aligning with the security posture of standard compiled workflows.

• Failure-issue permission denials handled gracefully (#38273). Workflows lacking issues: write no longer crash on failure reporting; timeout-specific failure messages are now enforced separately.

• Usage tracking fixed for engine jobs (#38353). sendJobConclusionSpan now correctly records token usage for engine-backed jobs.

📚 Documentation

• Auth reference page restructured for clarity (#38390)
• copilot-requests: write now recommended for Copilot authentication (#38404) — see permissions reference
• AIC pricing documentation now links to the live models.dev catalog (#38371)

Generated by 🚀 Release · 164.2 AIC · ⊞ 28.8K

---

What's Changed

• [caveman] Optimize instruction verbosity — memory, mcp-clis, messages, network (2026-06-10) by @​github-actions[bot] in github/gh-aw#38263
• [WIP] Fix failing GitHub Actions job Integration: Workflow Misc Part 2 by @​Copilot in github/gh-aw#38265
• Handle failure-issue permission denials and enforce timeout-specific failure messaging by @​Copilot in github/gh-aw#38273
• Add steering message rendering in unified log view by @​Copilot in github/gh-aw#38277

... (truncated)

Commits

• 3faf908 Propagate resolved AI credits into failure footer context (#38412)
• 202e958 [WIP] Explore agent persona and scenarios for agentic workflows (#38407)
• 7b17b20 [WIP] Fix failing GitHub Actions job 'js-typecheck' (#38397)
• 4615ff2 docs: unbloat monitoring-with-projects.md (#38417)
• 739dc01 Expand Daily AIC report to include Grafana telemetry (#38400)
• 18713ba docs: recommend copilot-requests: write for Copilot authentication (#38404)
• dada0da optimize: reduce claude-code-user-docs-review AIC cost ~20–33% by eliminating...
• 7187acf fix(telemetry): emit gh-aw.aic=0 and fall back to engine-reported AIC when fi...
• 31b9ca4 Replace /reference/auth engine-secret table with header/list reference bloc...
• 35da39b fix: SHA-pin the runtime setup-cli step emitted for custom steps: workflows...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[dependabot]

Superseded by #544.