dependabot[bot] opened a new pull request, #13166: URL: https://github.com/apache/cloudstack/pull/13166
Bumps the github-actions-dependencies group with 1 update in the / directory: [github/gh-aw](https://github.com/github/gh-aw). Updates `github/gh-aw` from 0.71.1 to 0.73.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/gh-aw/releases";>github/gh-aw's releases</a>.</em></p> <blockquote> <h2>v0.72.1</h2> <h2>π Release Highlights</h2> <p>v0.72.1 delivers a new developer-facing lint command, critical compiler correctness fixes, and improved shared workflow ergonomics β all driven largely by community-reported issues.</p> <h3>β¨ What's New</h3> <ul> <li> <p><strong><code>gh aw lint</code> β fast lock-file validation</strong> (<a href="https://redirect.github.com/github/gh-aw/issues/30704";>#30704</a>): New <code>gh aw lint</code> command runs <a href="https://github.com/rhysd/actionlint";>actionlint</a> directly against existing <code>.lock.yml</code> files β no recompile, no extra scanners. Perfect for a lightweight CI gate to catch syntax errors before pushing. Supports <code>--dir</code>, explicit file paths, and optional <code>--shellcheck</code>/<code>--pyflakes</code> checks.</p> </li> <li> <p><strong>Import <code>engine.mcp.tool-timeout</code> from shared workflows</strong> (<a href="https://redirect.github.com/github/gh-aw/issues/30634";>#30634</a>): Shared workflows wrapping slow MCP servers (e.g. Repo Mind Light) can now declare <code>engine.mcp.tool-timeout</code> and <code>engine.mcp.session-timeout</code> once, and consumers inherit those values automatically β no more duplicating timeout configs in every consumer. Consumer-declared values still take precedence.</p> </li> <li> <p><strong>First-party coding-agent skill for <code>gh aw</code></strong> (<a href="https://redirect.github.com/github/gh-aw/issues/27259";>#27259</a>): Added a router skill that gives coding agents (Copilot, Claude, etc.) structured guidance on creating, debugging, and updating agentic workflows using the <code>gh aw</code> CLI.</p> </li> <li> <p><strong>Shared <code>skip-if-match</code> dedup component</strong>: The common "open issue/PR by title prefix" deduplication query is now a shared compiler-imported component, eliminating copy-paste duplication across dozens of workflows.</p> </li> </ul> <h3>π Bug Fixes & Improvements</h3> <ul> <li> <p><strong><code>&&</code> preserved in compiled workflow expressions</strong> (<a href="https://redirect.github.com/github/gh-aw/issues/30695";>#30695</a>): Go's HTML escaping was converting <code>&&</code> to <code>\u0026\u0026</code> inside AWF config JSON embedded in <code>.lock.yml</code> files, corrupting <code>${{ ... && ... }}</code> expressions and causing workflow parse failures. Fixed by switching to <code>json.Encoder</code> with <code>SetEscapeHTML(false)</code>.</p> </li> <li> <p><strong>safe-outputs permission regression fixed</strong> (<a href="https://redirect.github.com/github/gh-aw/issues/30733";>#30733</a>): When <code>update-project</code> appeared alongside <code>add-comment</code>/<code>add-labels</code>, the minted App token was incorrectly downgraded to <code>issues:read</code> instead of <code>issues:write</code>, silently failing issue mutations.</p> </li> <li> <p><strong>Conclusion comment now reflects <code>safe_outputs</code> failures</strong> (<a href="https://redirect.github.com/github/gh-aw/issues/30662";>#30662</a>): The <code>conclusion</code> job was reporting β success even when <code>safe_outputs</code> failed (e.g., 422 on PR review submission). The job now correctly propagates <code>safe_outputs</code> status.</p> </li> <li> <p><strong>Firewall binary version corrected</strong> (<a href="https://redirect.github.com/github/gh-aw/issues/30705";>#30705</a>, <a href="https://redirect.github.com/github/gh-aw/issues/30191";>#30191</a>): v0.71.1 was referencing a non-existent <code>gh-aw-firewall</code> version, causing 404s on AWF binary install. This release ships with the correct firewall v0.25.29 (which also includes the healthcheck fix).</p> </li> <li> <p><strong>Playwright <code>mode: cli</code> recognized by compiler</strong> (<a href="https://redirect.github.com/github/gh-aw/issues/30088";>#30088</a>): <code>gh aw compile</code> now correctly accepts <code>mode: cli</code> in Playwright tool configuration.</p> </li> <li> <p><strong>COPILOT_API_KEY dummy key no longer triggers over-billing</strong> (<a href="https://redirect.github.com/github/gh-aw/issues/30324";>#30324</a>): The dummy <code>byok-key</code> placeholder introduced in v0.71 was causing 10β100x premium request over-billing compared to v0.68. Fixed.</p> </li> </ul> <!-- raw HTML omitted --> <h3><code>@arthurfvives</code></h3> <ul> <li><a href="https://redirect.github.com/github/gh-aw/issues/30088";>Bug: <code>mode: cli</code> for Playwright not recognized during <code>gh aw compile</code></a> <em>(direct issue)</em></li> </ul> <h3><code>@bryanchen-d</code></h3> <ul> <li><a href="https://redirect.github.com/github/gh-aw/issues/30704";>feat: lightweight <code>gh aw lint</code> β actionlint-only over existing .lock.yml files (no recompile, no zizmor/poutine)</a> <em>(direct issue)</em></li> <li><a href="https://redirect.github.com/github/gh-aw/issues/30695";>Compiler JSON-encodes <code>&&</code> to <code>\u0026\u0026</code> inside <code>${{ }}</code> expressions in AWF config printf, breaking workflow parse</a> <em>(direct issue)</em></li> </ul> <h3><code>@haavamoa</code></h3> <ul> <li><a href="https://redirect.github.com/github/gh-aw/issues/30191";>Release new gh-aw CLI version with firewall v0.25.29 (healthcheck fix)</a> <em>(direct issue)</em></li> </ul> <h3><code>@jonathanpeppers</code></h3> <ul> <li><a href="https://redirect.github.com/github/gh-aw/issues/30662";>Conclusion comment shows success when safe_outputs fails to submit PR review</a> <em>(direct issue)</em></li> </ul> <h3><code>@lpcox</code></h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/gh-aw/blob/main/CHANGELOG.md";>github/gh-aw's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <p>All notable changes to this project will be documented in this file.</p> <h2>v0.40.1 - 2026-02-03</h2> <h3>Move from githubnext/gh-aw to github/gh-aw</h3> <p>If you were a former user of the githubnext Agentic Workflows you might have to <strong>re-register</strong> the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.</p> <p>Example:</p> <pre lang="text" data-meta="wrap"><code>gh extension list NAME REPO VERSION gh aw githubnext/gh-aw v0.36.0 <p>gh extension upgrade --all [aw]: already up to date</p> <p>gh extension remove gh-aw</p> <p>gh extension install github/gh-aw β Installed extension github/gh-aw</p> <p>gh extension list NAME REPO VERSION gh aw github/gh-aw v0.40.1 </code></pre></p> <h3>Bug Fixes</h3> <h4>Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.</h4> <h4>Add discussion interaction to smoke workflows and serialize the discussion</h4> <p>flag in safe-outputs handler config.</p> <p>Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the <code>"discussion": true</code> flag in <code>GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG</code> when a workflow requests discussion output, and lock files include <code>discussions: write</code> permission where applicable.</p> <h4>Add discussion interaction to smoke workflows; compiler now serializes the <code>discussion</code> flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include <code>discussions: write</code> where applicable.</h4> <p>Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.</p> <h4>Add discussion interaction to smoke workflows; deprecate the <code>discussion</code> flag and</h4> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/gh-aw/commit/4d44d0e89851a877f4ddc0cb6c0197e42b1016c5";><code>4d44d0e</code></a> [docs] Consolidate developer specifications to v9.3 (<a href="https://redirect.github.com/github/gh-aw/issues/31027";>#31027</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/379ceb7864daf3be187b7174e3d11dc2cfd25954";><code>379ceb7</code></a> Polish MCP server UX metadata and correct unknown-tool JSON-RPC semantics (<a href="https://redirect.github.com/github/gh-aw/issues/3";>#3</a>...</li> <li><a href="https://github.com/github/gh-aw/commit/705873707533d7b11cb2196531d116c71ca609ec";><code>7058737</code></a> deps: bump default <code>@βplaywright/cli</code> from 0.1.11 to 0.1.13 (<a href="https://redirect.github.com/github/gh-aw/issues/31013";>#31013</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/ce5b7a1dd4e8a2d97eb135b109bb3b7cca8bca3d";><code>ce5b7a1</code></a> fix(harness): treat "No deferred tool marker" as non-retriable in claude_harn...</li> <li><a href="https://github.com/github/gh-aw/commit/89b6823bfb93592536483fc5c0488c9696ab0597";><code>89b6823</code></a> fix(js): use optional chaining for resolvedFieldByName.id in set_issue_field....</li> <li><a href="https://github.com/github/gh-aw/commit/2a6bc9d82e741bbfd56c0fe35b82e533fd551fb6";><code>2a6bc9d</code></a> Render <code>engine.mcp.tool-timeout</code> as numeric gateway <code>toolTimeout</code> seconds (<a href="https://redirect.github.com/github/gh-aw/issues/3";>#3</a>...</li> <li><a href="https://github.com/github/gh-aw/commit/92b0c3d10639c31f60c5c2dac27d3cdf5a8c5f8a";><code>92b0c3d</code></a> Enforce pre-API input validation in experiment state loader (SEC-002) (<a href="https://redirect.github.com/github/gh-aw/issues/31002";>#31002</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/0c3de7751329de950aba97a80af1889f156439e8";><code>0c3de77</code></a> Emit OTLP export error count on all job conclusion spans (<a href="https://redirect.github.com/github/gh-aw/issues/31004";>#31004</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/842a49f98f59a8ed7013e622b54d02342b595679";><code>842a49f</code></a> Import shared/observability-otlp.md in most agentic workflows (<a href="https://redirect.github.com/github/gh-aw/issues/30995";>#30995</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/89855b4bd72ef7c541d794383cd5a096862b2f4b";><code>89855b4</code></a> Handle <code>issue_comment</code> PR context in <code>submit_pull_request_review</code> body-only f...</li> <li>Additional commits viewable in <a href="https://github.com/github/gh-aw/compare/f01a9d118afa6e306f3645ca31e43f4ea8fb4d22...4d44d0e89851a877f4ddc0cb6c0197e42b1016c5";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
