deps(actions): bump github/gh-aw from 0.45.0 to 0.50.1

[dependabot]

Bumps github/gh-aw from 0.45.0 to 0.50.1.

Release notes

Sourced from github/gh-aw's releases.

v0.50.1

🌟 Release Highlights

This release focuses on safe-outputs reliability, concurrency correctness, and security hardening — with several community-reported bugs resolved and a new gh aw checks command for deterministic CI state classification.

✨ What's New

• gh aw checks command — New command for deterministic PR CI state classification, enabling reliable triage and automation based on check run outcomes. (#18164)
• AI Moderator: Probe detection — The AI moderator now detects probing attempts and tracks ephemeral cross-run spam, improving workflow security against adversarial inputs. (#18157)
• Configurable patch size limit for repo-memory — Safe output updates to repo-memory now support a configurable patch size limit, preventing oversized updates from failing silently. (#18144)
• Merged detection into action job — The threat detection job has been merged into the action job, simplifying workflow structure and reducing overall job overhead. (#18079)

🐛 Bug Fixes & Improvements

• Fixed workflow_dispatch concurrency blocking — Engine-level concurrency is now disabled for workflow_dispatch-only workflows, allowing multiple dispatches to run in parallel as expected. (#18172)
• Fixed GitHub App multi-repo MCP token handling — GitHub MCP tools (e.g., issue_read) are now available when the app token is scoped to multiple repositories. (#18159)
• Fixed blocked constraints dropped from safe-outputs — The compiler now consistently preserves blocked constraints in safe-outputs configurations. (#18140)
• Fixed allowed-repos schema gap — The allowed-repos field is now accepted inline for assign-to-user and remove-labels safe outputs. (#18132)
• Fixed spurious "PR created" comment — Workflows no longer post a "PR created" status comment on the PR that was just created. (#18130)
• Fixed push-to-PR-branch bugs — Multiple bugs with creating and pushing to PR branches resolved, including improved error context with target PR links. (#18175, #18058)
• Fixed malformed secrets expression rejection — The expression processor now correctly rejects malformed/truncated $\{\{ secrets. expressions rather than passing them through. (#18171)
• Fixed concurrency for synthetic events — Concurrency helpers now correctly handle synthetic events (slash_command, schedule). (#18184)
• Fixed copilot-requests permission — The copilot-requests permission is now preserved in the GitHub workflow JSON schema after schema refresh. (#18135, #18067)
• Cleared MCP config before inline threat detection — Prevents stale MCP configuration from leaking into threat detection context. (#18085)

📚 Documentation

• Fixed Mermaid flowchart node labels rendering literal \n instead of line breaks. (#18131)
• Fixed steps: placement in Deterministic Multi-Repo Workflows example. (#18143)

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @davidahmann for Add explicit CI state classification command for gh-aw PR triage
• @benvillalobos for Compiler drops 'blocked' constraints from safe-outputs configs inconsistently
• @benvillalobos for allowed-repos not accepted inline for assign-to-user and remove-labels safe outputs
• @benvillalobos for GitHub MCP issue_read tool unavailable when app token is scoped to multiple repositories
• @tspascoal for Mermaid flowchart node multiline text is not rendered correctly in the documentation

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0
gh extension upgrade --all
[aw]: already up to date
gh extension remove gh-aw
gh extension install github/gh-aw
✓ Installed extension github/gh-aw
gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion

flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits

• fad43e3 Fix concurrency helpers to correctly handle synthetic events (slash_command, ...
• db8724d Fix fuzz harness panic on malformed options input (#18179)
• 6e56a35 Merge branch 'main' of https://github.com/github/gh-aw
• f671b70 cleanup
• b3fde56 🔧 Fix multiple bugs with create and push to PRs (#18175)
• 55f54b4 Disable engine-level concurrency for workflow_dispatch-only workflows (#18172)
• c373f2b Fix GitHub App multi-repo token handling for MCP server (#18159)
• e7963ef Fix: reject malformed/truncated ${{ secrets. expressions in `processExpress...
• f50c5cb fix: preserve entityType in parseLabelTriggerShorthand on validation errors (...
• b046c6b Add gh aw checks command for deterministic PR CI state classification (#18164)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: release-note-none. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Superseded by #370.