build(deps): bump github/gh-aw from 0.43.7 to 0.49.2

[dependabot]

Bumps github/gh-aw from 0.43.7 to 0.49.2.

Release notes

Sourced from github/gh-aw's releases.

v0.49.2

🌟 Release Highlights

This release brings new workflow privacy controls, improved CI integration, key bug fixes in Playwright and safe-outputs conformance checks, and token-efficiency improvements in the safe-outputs prompt system.

✨ What's New

• Workflow privacy via private frontmatter (#17801) — Workflows marked with private: true are now hidden from the gh aw add command, giving teams a clean way to keep internal-only workflows out of the public catalogue.

• CI trigger token support for PR and branch pushes (#17803) — Workflows can now supply a dedicated token when triggering CI on PRs and branches, enabling richer automation pipelines that require elevated or scoped credentials.

🐛 Bug Fixes & Improvements

• Playwright MCP: Chromium sandbox disabled for localhost access (#17808) — Fixed a configuration issue that prevented Playwright MCP from accessing localhost-hosted services inside the runner container.

• Safe-outputs conformance: reduce SEC-003 false positives (#17790) — The conformance checker was incorrectly flagging valid safe-output patterns as SEC-003 violations; this is now resolved, reducing noise in security reports.

• Safe-outputs prompt: XML wrapping & template extraction (#17769) — The safe-outputs prompt has been refactored to use dedicated template files and XML-wrapped content, improving token efficiency and maintainability without changing observable behaviour.

🔧 Internal

• Shared components extracted for Serena Go analysis tooling and Copilot PR analysis base setup (#17797, #17798), improving reuse across workflows.
• Developer specifications consolidated into a single instructions file (#17794).

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Refactor safe outputs prompt: extract all content to template files, wrap in XML, optimize for token usage by @​Copilot in github/gh-aw#17769
• Fix SEC-003 false positives in safe-outputs conformance check by @​Copilot in github/gh-aw#17790
• [instructions] Sync github-agentic-workflows.md with release v0.49.1 by @​github-actions[bot] in github/gh-aw#17792
• [docs] Consolidate developer specifications into instructions file (2026-02-23) by @​github-actions[bot] in github/gh-aw#17794
• Extract Serena Go Analysis Tool Configuration into shared component by @​Copilot in github/gh-aw#17798
• Extract Copilot PR Analysis Base Setup into shared component by @​Copilot in github/gh-aw#17797
• 🔔 Add CI trigger token support for PR and branch pushes by @​dsyme in github/gh-aw#17803
• [q] fix: disable Chromium sandbox in Playwright MCP to allow localhost access by @​github-actions[bot] in github/gh-aw#17808
• Add private frontmatter field to block add command by @​Copilot in github/gh-aw#17801

Full Changelog: github/gh-aw@v0.49.1...v0.49.2

v0.49.1

🌟 Release Highlights

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0
gh extension upgrade --all
[aw]: already up to date
gh extension remove gh-aw
gh extension install github/gh-aw
✓ Installed extension github/gh-aw
gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion

flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits

• 1c8368c Add private frontmatter field to block add command (#17801)
• 6740e50 [q] fix: disable Chromium sandbox in Playwright MCP to allow localhost access...
• b7d219a 🔔 Add CI trigger token support for PR and branch pushes (#17803)
• 6c28d39 Extract Copilot PR Analysis Base Setup into shared component (#17797)
• d744ebd Extract Serena Go Analysis Tool Configuration into shared component (#17798)
• b25ee24 docs: update developer instructions to v2.8 with PR #17769 features (#17794)
• e122b5e Merge branch 'main' of https://github.com/github/gh-aw
• af209c8 fix name
• 0037114 Sync github-agentic-workflows.md with release v0.49.1 (#17792)
• 6dca926 Fix SEC-003 false positives in safe-outputs conformance check (#17790)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #19558.