chore(deps): bump github/gh-aw from 0.43.23 to 0.71.1

[dependabot]

Bumps github/gh-aw from 0.43.23 to 0.71.1.

Release notes

Sourced from github/gh-aw's releases.

v0.71.1

🌟 Release Highlights

This release focuses on reliability and correctness — fixing several impactful bugs reported by the community, improving agent workflow efficiency, and hardening security boundaries for the Claude engine.

🐛 Bug Fixes & Improvements

• protected-files object form compilation fixed — Workflows using the documented {policy, exclude} object form for protected-files were incorrectly rejected at compile time with expected string or null, got object. The schema now correctly allows the object form alongside the string shorthand. (#28341)

• APM-restored skills no longer clobbered in pull_request runs — Skills installed by pre-agent-steps (e.g. from .github/skills/) were silently overwritten because the "Restore agent config folders" step executed after pre-agent-steps. The step ordering is now correct for pull_request triggers. (#28290)

• push_to_pull_request_branch patch size now uses incremental diff — On long-running branches, max_patch_size was measured against the full cumulative diff from the default branch rather than the net change since the last push. Each iteration now measures only the incremental git diff against the PR branch head, preventing spurious size-limit rejections. (#28198)

• design-decision-gate reliability — Raised max-turns from 15 → 20 and added git ls-remote:* to allowed tools. The workflow was exhausting all turns on copilot/* PRs before completing useful work. An explicit MCP fallback table ensures the agent switches to GitHub MCP tools when pre-fetched context files are unavailable. (#28353)

• jsweep workflow no longer runs to 60 turns — Added explicit exit criteria after PR creation. Previously the agent kept calling create_pull_request in a loop consuming 4.64M tokens/run. (#28322)

• audit/audit-diff MCP tools now return structured JSON consistently — These tools were setting IsError: true on failure and routing output to stderr, unlike logs and compile which always return structured JSON. Behaviour is now consistent. (#28291)

• Model update in github-remote-mcp-auth-test — Replaced the unavailable gpt-5.1-codex-mini model with gpt-5.4-mini, fixing 3+ days of consecutive workflow failures. (#28321)

• MCP Gateway v0.2.30 compatibility — The mempalace shared config now includes the required container field on stdio server entries, fixing daily-fact workflow failures after the gateway schema tightened. (#28288)

✨ What's New

• Hippo memory vector embeddings — New hippo-embed maintenance workflow generates vector embeddings for all Hippo memories (previously <1% were embedded, making semantic recall nearly non-functional). The daily-hippo-learn workflow now runs hippo embed on every cycle to keep the index current. (#28178)

• Claude bypassPermissions tool enforcement documented and hardened — When Claude Code runs in bypassPermissions mode (triggered by unrestricted bash access), --allowed-tools is silently ignored. The MCP gateway allowed: filter is now the documented sole effective tool boundary in this mode, with implementation notes added to prevent regressions. (#28174)

⚡ Performance

• docs-noob-tester token usage reduced ~70% — Server setup (npm install, Astro dev server startup, readiness polling, bridge IP detection) now runs in pre-agent-steps before the agent starts, saving ~700K–1M tokens/run. Timeout reduced from 45 → 30 minutes. (#28343)

📚 Documentation

• Docs table wrapping on tablet screens — Markdown tables on 641px–768px viewports were silently clipped without horizontal scroll. A new rehype plugin wraps tables in a scrollable container. (#28280)

🌍 Community Contributions

@edgeq

• [Bug] protected-files object form fails compilation despite being documented (direct issue)

@mrjf

• push_to_pull_request_branch should compute patch size relative to PR branch head, not checkout base (direct issue)

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0
gh extension upgrade --all
[aw]: already up to date
gh extension remove gh-aw
gh extension install github/gh-aw
✓ Installed extension github/gh-aw
gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion

flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits

• f01a9d1 fix(design-decision-gate): add git ls-remote permission, raise turn limit to ...
• f216a16 fix(security): remove readiness check from MemPalace MCP server startup (#28340)
• 9c675c3 fix: add regression tests for protected-files object form compilation (#28341)
• 7a54b74 optimize: move docs-noob-tester setup to pre-agent-steps, slim prompt, reduce...
• 6eef218 feat: use actions/cache and artifacts for APM bundle with lock file hash + en...
• 66e3120 fix: replace unsupported model pins in 5 workflow frontmatters (#28323)
• 04ae1fe build(deps): Bump go.opentelemetry.io/otel (#28337)
• 53cf9b3 fix: replace unsupported gpt-5.1-codex-mini model in github-remote-mcp-auth-t...
• 194ffd4 Apply progressive disclosure to firewall blocked domains alert (#28332)
• 75491ff jsweep: add Done Conditions to prevent runaway PR creation loop (#28322)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.