fix(ci): bump github/gh-aw from 0.43.23 to 0.53.1

[dependabot]

Bumps github/gh-aw from 0.43.23 to 0.53.1.

Release notes

Sourced from github/gh-aw's releases.

v0.53.1

🌟 Release Highlights

This patch release delivers targeted bug fixes improving expression validation, safe-output reliability, and custom job compilation — along with a security hardening fix for the safe-outputs handler.

✨ What's New

• Safe Output Step Summaries now show secrecy and integrity fields — When agents include these metadata fields in safe-output messages, they are now visible in the step summary, giving teams clearer visibility into the confidentiality and trustworthiness of each output (#19552).
• allowed-github-references supports macro expressions — Schema validation now accepts $\{\{ ... }} macro syntax in the allowed-github-references field, enabling dynamic reference configuration at workflow runtime (#19554).

🐛 Bug Fixes & Improvements

• Expression defaults now compile correctly — Patterns like $\{\{ inputs.devices || 'mobile,tablet,desktop' }} were incorrectly rejected at compile time. String, number, and boolean literals are now unconditionally allowed as OR-fallback values (#19550).
• Fixed 7 silently-dropped custom job fields — buildCustomJobs() was discarding fields including name, timeout-minutes, continue-on-error, defaults, strategy, environment, and outputs. Custom jobs now faithfully preserve all authored configuration (#19539).
• Fixed context is not defined crash in safe-output MCP server — Unguarded global context accesses caused a ReferenceError in environments without a GitHub Actions payload context; all access sites are now safely guarded (#19544).
• Fixed double-escaped HTML entities in titles — Issue and PR titles containing >, <, & were being double-encoded. The sanitizer now correctly decodes named HTML entities in a single pass (#19545).
• Clearer compile-time error for agent job write permissions — The error message now explains the security context and points directly to the safe-outputs documentation (#19546).
• Security: body content sanitized before GitHub API writes — update_handler_factory was forwarding raw body content to GitHub without sanitization. All body fields are now sanitized before any API write (SEC-004, #19538).

📚 Documentation

• Added a Security Posture section to the workflow creation guide, prominently explaining why the agent job must remain read-only (#19548).
• Updated ProjectOps docs with practical workflow examples and fixed a broken anchor link for add-comment (#19387, #19556).

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @dsyme for Allowed expressions should allow simple defaults (#19468)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• fix: update action pin test expectations for actions/setup-node v6.3.0 by @​Copilot in github/gh-aw#19537
• SEC-004: Sanitize body content in update_handler_factory before GitHub API writes by @​Copilot in github/gh-aw#19538
• Improve compile-time error message for write permissions on agent job by @​Copilot in github/gh-aw#19546
• docs: add Security Posture section to .github/aw/create-agentic-workflow.md by @​Copilot in github/gh-aw#19548
• Add scope/constraint guidance to developer.instructions to prevent complex workflow timeouts by @​Copilot in github/gh-aw#19549
• fix: allow expr || 'literal' default patterns in expression validation by @​Copilot in github/gh-aw#19550
• [WIP] Fix context is not defined error in safe output MCP server by @​Copilot in github/gh-aw#19544
• [WIP] Fix double escaping of text in titles by @​Copilot in github/gh-aw#19545
• chore: update projectops docs by @​mnkiefer in github/gh-aw#19387
• Display secrecy and integrity fields in safe output step summary renderer by @​Copilot in github/gh-aw#19552

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0
gh extension upgrade --all
[aw]: already up to date
gh extension remove gh-aw
gh extension install github/gh-aw
✓ Installed extension github/gh-aw
gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion

flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits

• 3ee4953 Fix buildCustomJobs() to extract 7 silently-dropped job fields (#19539)
• cf3be2e [WIP] Update schema pattern for allowed GitHub references (#19554)
• 4e5e198 Display secrecy and integrity fields in safe output step summary renderer (#1...
• c681fab chore: update projectops docs (#19387)
• c9f8a54 [WIP] Fix double escaping of text in titles (#19545)
• 4861bef [WIP] Fix context is not defined error in safe output MCP server (#19544)
• 0ec30e5 fix: allow expr || 'literal' default patterns in expression validation (#19...
• 6643aa1 Add scope/constraint guidance to developer.instructions to prevent complex wo...
• aaa4078 docs: add Security Posture section to .github/aw/create-agentic-workflow.md (...
• 1fa4f3f Improve compile-time error message for write permissions on agent job (#19546)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.