Bump github/gh-aw from 0.56.2 to 0.57.0

[dependabot]

Bumps github/gh-aw from 0.56.2 to 0.57.0.

Release notes

Sourced from github/gh-aw's releases.

v0.57.0

🌟 Release Highlights

This release delivers a meaningful rename that clarifies the product model, a new concurrency primitive for fan-out workflows, and a focused round of reliability fixes across safe-outputs and developer tooling.

⚠️ Breaking Changes

safe-inputs renamed to mcp-scripts

The safe-inputs frontmatter field has been renamed to mcp-scripts throughout the compiler, schema, documentation, and runtime to better reflect its purpose as a lightweight MCP Script host.

Migration: Run the built-in codemod to update your workflows automatically:

gh aw fix --write safe-inputs-to-mcp-scripts

All documentation, environment variables, log messages, and shared workflows have been updated accordingly. (#20115)

---

✨ What's New

concurrency.job-discriminator for fan-out workflows

A new job-discriminator field in the concurrency frontmatter block prevents concurrent fan-out runs from cancelling each other. When set, the expression is appended to compiler-generated job-level concurrency groups (agent, output jobs), making each dispatch unique.

# Allow concurrent runs dispatched with different inputs
concurrency:
  job-discriminator: $\{\{ inputs.finding_id }}
Use run_id for scheduled workflows with no distinguishing input
concurrency:
job-discriminator: ${{ github.run_id }}

This is especially useful for workflows invoked in batch — such as per-repository analysis jobs — where the default static concurrency group would cancel all-but-two concurrent runs. (#20190)

---

🐛 Bug Fixes & Improvements

Safe-Outputs reliability:

• created_issue_* outputs now emitted correctly — created_issue_number and created_issue_url were silently dropped after a successful create-issue action due to the handler manager never calling the emitter. Workflows gating on these outputs will now work as expected. (#20130)
• pull_request_target events now recognized as PR context — Safe-output operations using target: "triggering" (e.g., update-pull-request) were silently skipped or failed when triggered via pull_request_target. (#20198)
• Cross-repo safe-outputs now pass GITHUB_TOKEN to git CLI — Custom token sources are now wired into the GITHUB_TOKEN environment variable for create-pull-request and push-to-pull-request-branch steps involving cross-repo checkouts. (#19890)

Tooling fixes:

• gh aw health now finds workflow runs — The path field was accidentally dropped from the gh run list query, causing the .lock.yml filter to discard every run and always report "No workflow runs found". (#20221)

... (truncated)

Commits

• 9028450 Fix __GH_AW_WIKI_NOTE__ placeholder not substituted when wiki is disabled (...
• 81e2556 fix: missing json:path from health cmd (#20221)
• e1f4359 fix: use preprocessExpiresField for create-pull-request integer expires conve...
• 5f477d2 Add GFM tip to no-op runs issue template explaining how to disable reporting ...
• 9059513 Add concurrency.job-discriminator to prevent fan-out cancellations in job-l...
• a9ebf88 Show Codex session preview in parse agent log step like other engines (#20199)
• e7a6f19 Fix anchor links in project-ops docs (#20173)
• 17b510d fix(safe-outputs): include pull_request_target in PR context detection (#20...
• 067fa45 specs: update layout specification - 2026-03-09 (#20170)
• 2c28174 Update architecture diagram - 2026-03-09 (#20175)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)