Update github/gh-aw action to v0.50.0 #26567

Open
renovate[bot] wants to merge 1 commit into main from renovate/github-gh-aw-0.x
renovate bot (Contributor) commented Feb 24, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github/gh-aw | action | minor | v0.49.4 -> v0.50.0 |

Release Notes

github/gh-aw (github/gh-aw)

v0.50.0

Compare Source

🌟 Release Highlights

This release focuses on improving reliability and flexibility for agentic engine authentication — giving teams more control over how secrets are managed — alongside important fixes for CRLF repositories and token security.

✨ What's New
  • Custom engine token secrets — You can now provide your own engine.env in workflow frontmatter to override the default agentic engine token expression. gh-aw automatically wires your secret into both the execution step and the secret validator, giving teams full control over credential naming conventions (#​18017).
🐛 Bug Fixes & Improvements
  • CRLF repository compatibility — Workflows like Code Simplification that push changes via safe_outputs were silently failing on repositories that normalize line endings with .gitattributes. The git am patch application step now correctly handles CRLF-encoded patches (#​18029).

  • GH_AW_CI_TRIGGER_TOKEN scoped correctly — The CI trigger token is now emitted only at the step level (instead of job level), ensuring it is available exclusively to the safe-outputs handler and not inadvertently exposed across all job steps (#​18030).

  • Dependency bumps — Claude Code updated to 2.1.51 and Copilot CLI to 0.0.415 across all 158 compiled workflows (#​18046).

📚 Documentation
  • Agent-focused quick-start links (llms.txt, Create, Debug, Update) added to the documentation site footer — visible on every page (#​18032).
  • README updated with instructions for agents to download llms.txt (#​18031).
🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:


For complete details, see CHANGELOG.

Generated by Release


What's Changed

Full Changelog: github/gh-aw@v0.49.7...v0.50.0

v0.49.7

Compare Source

🌟 Release Highlights

This release sharpens the developer experience with a cleaner CI token configuration, more accurate audit diagnostics, polished error messages, and a new self-hosted runners guide.

⚠️ Breaking Changes
  • GH_AW_EXTRA_EMPTY_COMMIT_TOKEN renamed to GH_AW_CI_TRIGGER_TOKEN — If you set this environment variable to trigger CI pipelines on empty commits, update your secret name to GH_AW_CI_TRIGGER_TOKEN. (#​17997)
✨ What's New
  • Simplified CI trigger token configuration — GH_AW_CI_TRIGGER_TOKEN is now used automatically when github-token-for-extra-empty-commit is not explicitly set, removing the need for the default keyword. Less boilerplate, same power. (#17997)
  • AI message footer in activation comments — Activation comments (PR/issue links and commit-pushed messages) now include a contextual AI message footer, giving collaborators clearer context about agent activity. (#​18021)
🐛 Bug Fixes & Improvements
  • audit now points to the right error — The audit command was extracting error details from the "Complete job" teardown step instead of the actual failing step. It now correctly surfaces ##[error] annotations from the step that failed, making debugging dramatically more straightforward. (#​18010)
  • Clearer max-turns error for Copilot engine — The error message for unsupported max-turns on the Copilot engine was self-contradictory (telling users to remove it while showing an example using it). The message is now clean and unambiguous. (#​18009)
  • Fixed IMP-002 conformance check false failure — A casing mismatch in check-safe-outputs-conformance.sh caused a permanent false HIGH failure on every run. Now fixed. (#​18011)
📚 Documentation
  • New guide: Self-hosted runners — A comprehensive new guide covers all runs-on formats, shared runner configuration patterns, and detection job runner overrides. View guide (#​17986)
  • Streamlined triggers reference — The triggers reference page has been refactored for clarity, reducing size by 16% while preserving all essential information. (#​18002)
🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:


For complete details, see CHANGELOG.

Generated by Release


What's Changed

Full Changelog: github/gh-aw@v0.49.6...v0.49.7

v0.49.6

Compare Source

🌟 Release Highlights

This release focuses on authentication improvements, better self-hosted runner configurability, and a polished CLI experience — with significant documentation restructuring to make auth setup clearer than ever.

✨ What's New
  • GH_AW_CI_TRIGGER_TOKEN magic secret support — Set github-token-for-extra-empty-commit: "default" to automatically use the GH_AW_CI_TRIGGER_TOKEN magic secret without manual token wiring. This simplifies CI trigger token configuration for most workflows. (#​17990)

  • Runner resolution for detection jobs — The detection job now inherits agent.runs-on by default and can be independently overridden via safe-outputs.detection.runs-on. The unlock job uses safe-outputs.runs-on, giving full control over runner placement in self-hosted environments. (#​17979)

  • Simplified secrets set CLI — The gh aw secrets set command now uses a single --repo owner/repo flag (replacing the separate --owner and --repo flags) and defaults to the current repository. (#​17977)

🐛 Bug Fixes & Improvements
  • Frontmatter hash extraction — extractHashFromLockFile now correctly reads the new JSON metadata format (# gh-aw-metadata: {...}) in addition to the legacy # frontmatter-hash: format, preventing false "workflow has changed" warnings. (#17971)

  • Docs build — Fixed an unclosed code fence in auth.mdx that was silently swallowing the GH_AW_AGENT_TOKEN section, causing broken anchor links across the docs. (#​17972)

📚 Documentation

Auth documentation has been substantially restructured with dedicated pages:

  • GitHub Tools auth — New reference page at /reference/github-tools/
  • GitHub Projects auth — New dedicated auth-projects page
  • Copilot agent assignment — New assign-to-copilot auth guide
  • Gemini auth + Copilot PAT setup — Step-by-step guides for Gemini engine authentication and improved Copilot personal access token setup (#​17957, #​17990)

For complete details, see CHANGELOG.

Generated by Release


What's Changed

Full Changelog: github/gh-aw@v0.49.5...v0.49.6

v0.49.5

Compare Source

🌟 Release Highlights

This release focuses on correctness and reliability — fixing propagation bugs in threat detection, stabilizing compiled output ordering, and expanding schema coverage so configurations behave exactly as documented.

✨ What's New
  • Expanded runtime & permission schema coverage — RuntimeConfig and RuntimesConfig typed structs now cover all 11 supported runtimes (including bun, deno, uv, and more) plus action-repo/action-version fields. repository-projects and organization-projects permission scopes are now correctly included in the schema, preventing silent validation failures. (#17911, #17951)
  • storage.googleapis.com added to node ecosystem — Deno and Bun workflows that depend on Google Cloud Storage (e.g., deno/fresh, deno/postgres) can now reach storage.googleapis.com without extra network configuration. (#​17944)
  • MCP observability pipeline alignment — The daily observability report now uses rpc-messages.jsonl as the canonical telemetry fallback, eliminating false 🔴 Critical alerts for Copilot-engine MCP runs. (#​17950)
  • MCPServerID semantic type — MCP server ID constants are now compile-time typed, preventing accidental mixing with arbitrary string values. (#​17897)
🐛 Bug Fixes & Improvements
  • Threat detection no longer inherits --agent flag — engine.agent was being propagated into the threat detection job via pointer copy, causing "No such agent" failures. The detection job now correctly ignores agent configuration. (#17949)
  • Stable compiled lock file ordering — Non-deterministic import and job dependency ordering caused noisy, spurious diffs in .lock.yml files on each recompile. Output ordering is now stable. (#​17927)
  • Safe-outputs: 11 missing operation types restored — hasSafeOutputType() was missing cases for 11 operation types, plural YAML tags were mismatched, and meta fields were not being merged. All resolved. (#17908)
  • Network/firewall schema fixes — Schema description no longer incorrectly states firewall is Copilot-only; cleanup-script is now included; log-level hyphen casing corrected. (#​17909)
📚 Documentation
  • Network docs updated for Codex & Gemini — The network.md reference now documents firewall and network feature support across all four engines. (#​17910)
  • Playwright allowed_domains removed from docs — This field was deprecated in v0.9.0; the docs now correctly direct users to the top-level network: field. (#​17942)
🌍 Community Contributions

A huge thank you to the community member who reported an issue resolved in this release:


For complete details, see CHANGELOG.

Generated by Release


What's Changed
  • Add MCPServerID semantic type for MCP server ID constants by @​Copilot in #​17897
  • Fix "GitHub" capitalization in permissions_validation.go error message by @​Copilot in #​17901
  • Expand RuntimeConfig and RuntimesConfig typed structs to cover all supported runtimes and fields by @​Copilot in #​17911
  • [workflow-style] Normalize report formatting for cli-consistency-checker and repository-quality-improver by @​Copilot in #​17928
  • docs: update network.md to document Codex and Gemini engine support for firewall/network features by @​Copilot in #​17910
  • fix: sync test assertions with capitalized "GitHub toolsets" message by @​Copilot in #​17935
  • Fix network/firewall schema description and engine support inconsistencies by @​Copilot in #​17909
  • fix: stabilize compiled lock file output ordering by @​Copilot in #​17927
  • [slides] Update AI Engines slide to include Gemini CLI by @​github-actions[bot] in #​17940
  • docs: remove tools.playwright.allowed_domains, replaced by network: by @​Copilot in #​17942
  • Add storage.googleapis.com to node ecosystem by @​Mossaka in #​17944
  • Fix safe-outputs: missing op types in hasSafeOutputType, plural YAML tags, unmerged meta fields, Serena schema enum by @​Copilot in #​17908
  • Align MCP observability pipeline: treat rpc-messages.jsonl as canonical telemetry fallback by @​Copilot in #​17950
  • Add missing permission scopes to schema and handle all meta-key in scope converter by @​Copilot in #​17951
  • Fix: engine.agent propagates to threat detection job causing "No such agent" failure by @​Copilot in #​17949

Full Changelog: github/gh-aw@v0.49.4...v0.49.5


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Only on Sunday and Saturday ( * * * * 0,6 ), Between 12:00 AM and 12:59 PM, only on Monday ( * 0-12 * * 1 ) in timezone Etc/UTC.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
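
Added example (not part of the Renovate comment and not gh-aw's own code): the v0.50.0 notes say GH_AW_CI_TRIGGER_TOKEN moved from job-level to step-level scope, and this check flags secrets placed in a job-level `env:` block, where every step of the job receives them. The two workflows, the job name, the step names and the scripts are constructed, and the scanner assumes block-style, consistently indented YAML.

```python
import re

# Constructed workflows (hypothetical job, steps and scripts), not gh-aw output.
JOB_LEVEL = """\
jobs:
  safe_outputs:
    runs-on: ubuntu-latest
    env:
      GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
    steps:
      - name: Unrelated step (also receives the token)
        run: ./build.sh
      - name: Safe-outputs handler
        run: ./handler.sh
"""
STEP_LEVEL = """\
jobs:
  safe_outputs:
    runs-on: ubuntu-latest
    steps:
      - name: Unrelated step
        run: ./build.sh
      - name: Safe-outputs handler
        env:
          GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
        run: ./handler.sh
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
KEY_LINE = re.compile(r"^(\s*)(- )?([\w.-]+):\s*(.*)$")

def job_level_secret_env(workflow_text):
    """Return (job, env_var, secret) for each secret set under jobs.<job>.env."""
    findings, stack = [], []  # stack holds (indent, key) for the current path
    for line in workflow_text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        # A "- " list marker shifts the key two columns to the right.
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        key, value = m.group(3), m.group(4)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        path = [k for _, k in stack]
        # jobs -> <job> -> env -> <VAR> is job scope; step env sits deeper.
        if len(path) == 4 and path[0] == "jobs" and path[2] == "env":
            findings += [(path[1], key, s) for s in SECRET_REF.findall(value)]
    return findings
```

A non-empty result for a workflow means at least one secret is visible to all steps of that job, including third-party actions it runs.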

github-actions bot added the "dependencies" label (Pull requests that update a dependency file) Feb 24, 2026

codecov bot commented Feb 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.14%. Comparing base (090787e) to head (1e44a7a).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #26567   +/-   ##
=======================================
  Coverage   73.14%   73.14%           
=======================================
  Files        1529     1529           
  Lines      120229   120229           
  Branches    14523    14523           
=======================================
  Hits        87941    87941           
  Misses      31267    31267           
  Partials     1021     1021           

| Flag | Coverage Δ |
|---|---|
| admin-tests | 53.74% <ø> (ø) |
| e2e-tests | 73.14% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.
