Bump github/gh-aw from 0.42.17 to 0.68.3

[dependabot]

Bumps github/gh-aw from 0.42.17 to 0.68.3.

Release notes

Sourced from github/gh-aw's releases.

v0.68.3

🌟 Release Highlights

This release delivers a major overhaul of push_signed_commits.cjs for edge-case reliability, significant improvements to shared workflow imports, smarter AI model error handling, and a wave of community-driven fixes.

✨ What's New

• Model-not-supported detection — When a model is unavailable or not supported by your Copilot plan, the workflow now stops retrying and surfaces a clear, actionable error in the failure report rather than spinning indefinitely. (#26229)
• checkout field in shared imports — Shared importable workflows now support a checkout field, giving you control over which ref is checked out when importing a shared workflow. (#26292)
• env field in shared imports — You can now pass environment variables via env: in shared import blocks, eliminating the need for workarounds when shared workflows require custom env context. (#26113)
• Time Between Turns (TBT) metric — gh aw audit and gh aw logs now report Time Between Turns, a key indicator of whether LLM prompt caching is effective for your workflows. (#26321)
• OTEL token breakdown — Conclusion spans now include token category breakdowns as attributes, enabling richer cost analysis in your observability dashboards. (#26121)
• API consumption charts as inline images — API consumption reports now render charts as inline Markdown images for instant visibility without requiring external image hosting. (#26150)

🐛 Bug Fixes & Improvements

push_signed_commits.cjs — five targeted fixes:

• File content is now read from commit objects (not the working tree), preventing stale-file bugs in agent-driven commits. (#26287)
• Copy/rename detection and C-quoted filenames are now handled correctly. (#26277)
• Non-100644 file modes (executables, symlinks) are detected and handled gracefully. (#26259)
• Commit ordering uses --topo-order and merge commits are handled with a git push fallback. (#26306)
• Submodule entries now fall back to a plain git push instead of erroring. (#26298)

Other notable fixes:

• on.github-token propagated to activation job — Cross-org workflow_call setups no longer fail because the GitHub token was missing from checkout and hash-check steps. (#26137)
• copilot-driver --resume auth recovery — Authentication failures during --continue/--resume are now handled instead of crashing the driver. (#26146)
• add_comment gains reply_to_id — The reply_to_id parameter is now documented in the MCP tool schema so agents reliably pass it when threading replies. (#26288)
• safe-outputs.actions tools exposed — Custom action tools defined in safe-outputs.actions are now included in the agent's MCP toolset. (#26291)
• engine.max-turns preserved through shared imports — The max-turns setting no longer silently drops when the engine config is sourced from a shared import. (#26122)
• Docker no longer required for gh aw compile --validate — Validation now skips Docker image checks when Docker is unavailable; opt in with --validate-images when needed. (#26074)
• GH_HOST env var used for GH CLI calls — gh repo view and gh pr create now respect GH_HOST, fixing failures in GHES and cross-org contexts. (#26311)
• resolveIssueNumber strips stray quotes — Item numbers wrapped in quotes no longer cause resolution failures. (#26114)
• --safe-update renamed to --approve — The flag name now more clearly conveys its intent. (#26160)

📚 Documentation

• Gemini AI engine added to the introduction/how-they-work guide. (#26147)
• github-app documented as a top-level Allowed Import Field in the imports reference. (#26119)
• New working-directory navigation example in the side-repo-ops pattern. (#26123)
• Comprehensive new guide: Maintaining repos with agentic workflows at scale. (#26073)

🌍 Community Contributions

@arthurfvives

• Feature: Auto-detect available models or gracefully fallback on 400 errors (Copilot Pro/Education) (direct issue)

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0
gh extension upgrade --all
[aw]: already up to date
gh extension remove gh-aw
gh extension install github/gh-aw
✓ Installed extension github/gh-aw
gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion

flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits

• ce17949 fix: use GH_HOST env var instead of --hostname flag for gh repo view and gh p...
• c25673e fix: --topo-order and merge commit fallback in push_signed_commits.cjs (#26306)
• d37c7c6 fix(USE-001): add standardized ERR_* error codes to two non-conformant handle...
• 9939478 fix(USE-003): emit staged mode preview summary in upload_artifact handler (#2...
• b8e0b8a fix: expose safe-outputs.actions custom action tools to agent MCP toolset (#2...
• 549223d feat: support checkout field in importable shared workflows (#26292)
• ace4abb Split frontmatter_types.go into types, parsing, and serialization files (#2...
• b048b08 Split gateway_logs.go into concern-aligned files (#26296)
• a12b147 refactor: split audit_report_render.go into domain-specific files (#26304)
• f109ff0 Handle submodule entries in push_signed_commits by falling back to git push (...
• Additional commits viewable in compare view

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.