build(deps): bump github/gh-aw from 0.46.3 to 0.49.0 #97

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github/gh-aw-0.49.0

dependabot bot commented on behalf of github Feb 22, 2026

Bumps github/gh-aw from 0.46.3 to 0.49.0.

Release notes

Sourced from github/gh-aw's releases.

v0.49.0

🌟 Release Highlights

This release focuses on security hardening, safe outputs flexibility, and code quality improvements — making workflows more robust and configurable.

🔒 Security Hardening

Critical security fixes and hardening across the codebase:

  • Shell injection fix in upload_assets.cjs — closes an incomplete fix from a prior commit (#17736)
  • Hardened exec.Command invocations for cross-platform compatibility and security across the codebase (#17729)

✨ What's New

  • Templatable boolean & integer fields in safe outputs — workflow authors can now use template expressions for boolean flags and integer max fields, enabling dynamic configuration without recompilation (#17653, #17667, #17694)
  • expires codemod — a migration helper that automatically converts integer expires values to the new day-string format, making upgrades seamless (#17695)
  • Configurable bot trigger neutralization: safe-outputs.max-bot-mentions controls how many bot trigger references are preserved vs. escaped, with smarter handling for already-quoted entries (#17689)
  • Source links in GitHub MCP tools report — the MCP tools report now includes direct links to source definitions, improving discoverability (#17709)
  • MCP Gateway updated to v0.1.5 (#17697)

🐛 Bug Fixes & Improvements

  • Fixed base64 executable not found on Windows during gh aw update (#17720)
  • Resolved 22 actionlint expression errors caused by missing needs: declarations in 4 workflows (#17681)
  • Fixed ci-doctor to pre-download logs and artifacts, applying generic error heuristics to reduce token usage (#17719)
  • Replaced curl | sh uv install with pinned astral-sh/setup-uv action for more reliable CI (#17688)

🔧 Internal

  • Enabled 16 additional Go linters + modernize and intrange linters with all issues resolved (#17714, #17705)
  • Normalized report formatting across multiple internal workflows (#17727, #17698)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0

gh extension upgrade --all
[aw]: already up to date

gh extension remove gh-aw

gh extension install github/gh-aw
✓ Installed extension github/gh-aw

gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits
  • 0eb518a fix: close shell injection in upload_assets.cjs (incomplete fix from d07e64c3...
  • 4b8d0a8 Review and harden all exec.Command invocations for cross-platform compatibili...
  • dce6f84 Enable 16 additional Go linters and fix all reported issues (#17714)
  • 18ff0b0 fix: use strings.Cut to resolve stringscut lint violation in known_needs_expr...
  • a5ee151 Normalize report formatting in org-health-report and daily-safe-outputs-confo...
  • 1a4a937 neutralizeBotTriggers: allow first n references unchanged then escape excess,...
  • 8461cb6 Fix base64 executable not found on Windows in gh aw update (#17720)
  • 6221cdc fix(ci-doctor): pre-download logs and artifacts, apply generic error heuristi...
  • c99d014 Add source links to GitHub MCP tools report (#17709)
  • 784b253 Update MCP Gateway to v0.1.5 (#17697)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.46.3 to 0.49.0.
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@a70c5ea...0eb518a)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot commented on behalf of github Feb 22, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.
