Skip to content

ci: bump github/gh-aw from 0.51.2 to 0.51.5#95

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/github/gh-aw-0.51.5
Open

ci: bump github/gh-aw from 0.51.2 to 0.51.5#95
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/github/gh-aw-0.51.5

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 2, 2026

Bumps github/gh-aw from 0.51.2 to 0.51.5.

Release notes

Sourced from github/gh-aw's releases.

v0.51.5

🌟 Release Highlights

This release focuses on security hardening, improved developer experience, and better error messaging — making workflows safer by default and easier to author correctly.

✨ What's New

  • GitHub MCP server is now read-only by default — The dangerous-permissions-write feature flag has been removed; GitHub MCP access is permanently enforced as read-only. This removes an entire class of accidental write-permission exposure. Workflows using read-only: false will now receive a clear validation error. (#19092)

  • github.event_name is now an allowed expression — You can now safely reference $\{\{ github.event_name }} in workflow prompts, consistent with other github.* context properties. (#19121)

  • gh aw add and gh aw add-wizard are now separate commands — The add command is always non-interactive; --create-pull-request requires an interactive terminal with confirmation. A new dedicated add-wizard command handles the interactive workflow with its own --push flag. This gives cleaner, non-overlapping flag interfaces for both use cases. (#19117)

  • safe-output-projects renamed to safe-output-custom-tokens — The setup input now accurately reflects its broader scope: any per-handler github-token, not just project handlers. Update your workflow configurations accordingly. (#19156)

  • Better compile errors for triggers: misuse — Using triggers: instead of on: in workflow frontmatter now produces a clear, actionable error at compile time rather than silently treating the workflow as a shared import. (#19142)

🐛 Bug Fixes & Improvements

  • Clean /tmp/gh-aw/ on each setup run — The setup script now removes and recreates the temporary directory before each run, preventing stale state from affecting subsequent workflow executions. (#19122)

📚 Documentation

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

For complete details, see CHANGELOG.

Generated by Release

What's Changed

... (truncated)

Commits
  • 88319be 🔑 Rename safe-output-projects to safe-output-custom-tokens (#19156)
  • 55e326b [WIP] Add smoke tests for cross-repo PR creation and updates (#19127)
  • dcaa791 Enforce readonly access to GitHub MCP server; remove dangerous-permissions-wr...
  • defba6f [instructions] Sync github-agentic-workflows.md with v0.40.1 (#19137)
  • 8176a37 [docs] Consolidate architecture diagram and guard policies into dev.md (v3.4)...
  • a312098 [docs] docs: remove bullet-list bloat from ephemerals guide (#19141)
  • 32769f4 docs: add FAQ entry for workflows used as repository rulesets (#19131)
  • d57415f docs: add FAQ entry on disabling GitHub references to prevent backlinks (#19135)
  • 575b7f6 [q] save architecture diagram to scratchpad/architecture.md (#19132)
  • 30aa9a8 [WIP] add command: remove --push flag, require interactive confirmation for -...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
ci: bump github/gh-aw from 0.51.2 to 0.51.5
0c119b0 
Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.51.2 to 0.51.5.
- [Release notes](https://github.com/github/gh-aw/releases)
- [Commits](github/gh-aw@v0.51.2...v0.51.5)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.51.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 2, 2026

Labels

The following labels could not be found: area/ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added the type/chore Maintenance and housekeeping label Mar 2, 2026
This was referenced Mar 2, 2026
Open
Closed
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

type/chore Maintenance and housekeeping

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants