build(deps): bump github/gh-aw from 0.43.7 to 0.51.5

[dependabot]

Bumps github/gh-aw from 0.43.7 to 0.51.5.

Release notes

Sourced from github/gh-aw's releases.

v0.51.5

🌟 Release Highlights

This release focuses on security hardening, improved developer experience, and better error messaging — making workflows safer by default and easier to author correctly.

✨ What's New

• GitHub MCP server is now read-only by default — The dangerous-permissions-write feature flag has been removed; GitHub MCP access is permanently enforced as read-only. This removes an entire class of accidental write-permission exposure. Workflows using read-only: false will now receive a clear validation error. (#19092)

• github.event_name is now an allowed expression — You can now safely reference $\{\{ github.event_name }} in workflow prompts, consistent with other github.* context properties. (#19121)

• gh aw add and gh aw add-wizard are now separate commands — The add command is always non-interactive; --create-pull-request requires an interactive terminal with confirmation. A new dedicated add-wizard command handles the interactive workflow with its own --push flag. This gives cleaner, non-overlapping flag interfaces for both use cases. (#19117)

• safe-output-projects renamed to safe-output-custom-tokens — The setup input now accurately reflects its broader scope: any per-handler github-token, not just project handlers. Update your workflow configurations accordingly. (#19156)

• Better compile errors for triggers: misuse — Using triggers: instead of on: in workflow frontmatter now produces a clear, actionable error at compile time rather than silently treating the workflow as a shared import. (#19142)

🐛 Bug Fixes & Improvements

• Clean /tmp/gh-aw/ on each setup run — The setup script now removes and recreates the temporary directory before each run, preventing stale state from affecting subsequent workflow executions. (#19122)

📚 Documentation

• New FAQ entry: disabling GitHub references to prevent backlinks
• New FAQ entry: using workflows as repository rulesets

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @dsyme for github.event_name should be an allowed expression (#19120)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Add github.event_name to AllowedExpressions by @​Copilot in github/gh-aw#19121
• [WIP] Remove entire /tmp/gh-aw/ folder before setup by @​Copilot in github/gh-aw#19122
• [WIP] add command: remove --push flag, require interactive confirmation for --create-pull-request, split add/add-wizard by @​Copilot in github/gh-aw#19117
• [q] save architecture diagram to scratchpad/architecture.md by @​github-actions[bot] in github/gh-aw#19132
• docs: add FAQ entry on disabling GitHub references to prevent backlinks by @​Copilot in github/gh-aw#19135
• docs: add FAQ entry for workflows used as repository rulesets by @​Copilot in github/gh-aw#19131
• [docs] docs: remove bullet-list bloat from ephemerals guide by @​github-actions[bot] in github/gh-aw#19141
• [docs] Consolidate architecture diagram and guard policies into dev.md (v3.4) by @​github-actions[bot] in github/gh-aw#19138

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0
gh extension upgrade --all
[aw]: already up to date
gh extension remove gh-aw
gh extension install github/gh-aw
✓ Installed extension github/gh-aw
gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion

flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits

• 88319be 🔑 Rename safe-output-projects to safe-output-custom-tokens (#19156)
• 55e326b [WIP] Add smoke tests for cross-repo PR creation and updates (#19127)
• dcaa791 Enforce readonly access to GitHub MCP server; remove dangerous-permissions-wr...
• defba6f [instructions] Sync github-agentic-workflows.md with v0.40.1 (#19137)
• 8176a37 [docs] Consolidate architecture diagram and guard policies into dev.md (v3.4)...
• a312098 [docs] docs: remove bullet-list bloat from ephemerals guide (#19141)
• 32769f4 docs: add FAQ entry for workflows used as repository rulesets (#19131)
• d57415f docs: add FAQ entry on disabling GitHub references to prevent backlinks (#19135)
• 575b7f6 [q] save architecture diagram to scratchpad/architecture.md (#19132)
• 30aa9a8 [WIP] add command: remove --push flag, require interactive confirmation for -...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)