chore(deps): update github/gh-aw action to v0.43.23

[release-workflows]

This PR contains the following updates:

Package	Type	Update	Change
github/gh-aw	action	patch	v0.43.18 → v0.43.23

---

Release Notes

github/gh-aw (github/gh-aw)

v0.43.23

Compare Source

🌟 Release Highlights

This maintenance release focuses on reliability improvements, CI/CD enhancements, and better developer experience with expanded smoke test coverage.

✨ What's New

🔧 Enhanced API Proxy Architecture - The API proxy now uses capability-based detection (supportsLLMGateway engine flag) instead of hardcoded engine checks, making it easier to add future engines with LLM gateway support (#​15557)

🧪 Expanded Smoke Test Coverage - Claude smoke tests now support 50 conversation turns (up from 25), allowing more comprehensive validation of complex workflows with multiple test scenarios (#​15565)

📋 Stricter Contribution Guidelines - The project now requires agent-based bug analysis before filing issues, improving issue quality and reducing noise. Use gh aw audit and gh aw logs for automated diagnostics (#​15532)

🐛 Bug Fixes & Improvements

Cache & Artifact Naming - Fixed cache-memory and repo-memory artifacts to use sanitized workflow IDs, eliminating issues with spaces and special characters in cache keys. Cache keys now use consistent formatting like memory-smokecopilot-{run-id} instead of memory-Smoke Copilot-{run-id} (#​15558)

Test Infrastructure - Added missing build tags to test files and improved HTTP 403 error handling, preventing spurious CI failures (#​15526)

Permissions Optimization - Safe outputs now compute minimal required permissions based on configured outputs, reducing over-permissioning (#​15518)

PR Approval Flexibility - Pull request approvals no longer require a body comment, and the footer: false setting is now properly honored (#​15507)

Codespaces Documentation - Added clear warnings that gh aw secrets set doesn't work in GitHub Codespaces; users should use the GitHub UI instead (#​15537)

🔧 Internal

• Fixed hash consistency test by recompiling release.lock.yml (#​15538)
• Refactored API proxy capability detection to use engine registry (#​15557)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• feat: prefer Announcements category by default for create-discussion by @​Copilot in #​15513
• Fix: Compute minimal permissions for conclusion/safe_outputs jobs based on configured safe-outputs by @​Copilot in #​15518
• Don't require body on PR Approval and honor footer: false by @​strawgate in #​15507
• Fix test build failures: add missing build tag and handle HTTP 403 by @​Copilot in #​15526
• Add Codespaces incompatibility note for CLI secrets command by @​Copilot in #​15537
• Fix hash consistency test by recompiling release.lock.yml by @​Copilot in #​15538
• Require agent-based bug analysis before filing issues by @​Copilot in #​15532
• Enable --enable-api-proxy for Claude and Codex engines by @​Mossaka in #​15533
• Fix cache-memory and repo-memory naming to use sanitized IDs by @​Copilot in #​15558
• Increase smoke-claude max-turns to 50 by @​Copilot in #​15565

Full Changelog: github/gh-aw@v0.43.22...v0.43.23

v0.43.22

Compare Source

🌟 Release Highlights

This maintenance release focuses on improving the reliability and usability of safe outputs, particularly for GitHub Discussion and PR creation workflows, plus better security controls for lockdown mode.

✨ What's New

GitHub Discussions Default Behavior - Discussion creation now automatically defaults to "Announcements" category, which provides enhanced visibility and notification features ideal for AI-generated content. This prevents common integration-forbidden errors when using categories without announcement capabilities. Learn more

Enhanced Lockdown Mode Security - Lockdown mode now activates only when at least one custom GitHub token is configured (GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, or custom github-token), providing clearer security boundaries for public repository workflows. Includes runtime validation to catch misconfigurations early. Learn more

Improved Tool Context - When using update_project or create_project_status_update safe outputs, AI agents now receive the configured default project URL in tool descriptions, making it clearer which project they're operating on.

🐛 Bug Fixes & Improvements

Fixed Cross-Repository PR Creation (#​15501) - When create-pull-request specifies a target-repo, git operations (checkout, fetch, push) now correctly use the target repository instead of the source repo. Previously only the PR API call used the target, causing workflow failures.

Fixed Comment Body Handling (#​15508) - close_issue and close_pull_request now properly use the body field from messages for closure comments. Previously, comments were being lost due to incorrect field mapping.

Cleaner Workflow Listings (#​15499) - gh aw status and gh aw list now hide internal workflows, showing only user-created workflows for better clarity.

📚 Documentation

• Added comprehensive guidance on announcement-capable categories for GitHub Discussions
• Updated cross-repository workflow examples with correct git operation patterns
• Improved lockdown mode security documentation with token configuration details

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Fix cut off border on blog post box by @​eaftan in #​15496
• Fix landing page header hierarchy and harmonize blog section styling by @​Copilot in #​15497
• Hide internal workflows from gh aw status and gh aw list by @​Copilot in #​15499
• Fix: Use target repository for git operations in create-pull-request by @​Copilot in #​15501
• [code-simplifier] Simplify close safe-output handlers by @​github-actions[bot] in #​15504
• Include default project URL in update_project and create_project_status_update tool descriptions by @​Copilot in #​15502
• Document create-discussion announcement-capable category requirement by @​Copilot in #​15512
• Fix close_issue/close_pull_request to use message body field by @​Copilot in #​15508
• lockdown: used only of one of user tokens is set by @​dsyme in #​15509

Full Changelog: github/gh-aw@v0.43.21...v0.43.22

v0.43.21

Compare Source

🌟 Release Highlights

This release focuses on improving the developer experience with clearer messaging, better safe-output handling, and documentation enhancements.

✨ What's New

• Relaxed Temporary ID Validation - Temporary IDs now support 3-8 alphanumeric characters (previously 4-8), making it easier to create short, memorable references like aw_abc (#​15482)
• Smarter Permission Validation - When GitHub MCP tools are auto-added, permission validation is now skipped to avoid unnecessary warnings (#​15480)
• Enhanced Close Actions - Close safe-output tools (close_issue, close_pull_request, close_discussion) now recommend adding comments and gracefully handle already-closed entities (#​15489)

📚 Documentation & UX

• Clearer Compilation Messages - Workflow compilation now provides more actionable feedback to help you understand what's happening (#​15478)
• Improved Tool Descriptions - The difference between update_issue (for editing) and close_issue (for closing) is now more clearly documented (#​15475)
• Better Docs Navigation - Added a centered blog link section to the documentation landing page for easier discovery (#​15476)
• Updated Tutorial Video - Refreshed the Copilot PAT setup video with current instructions (#​15479)

🐛 Bug Fixes

• Fixed Blog Post Border - Resolved a visual issue where borders were cut off on blog post boxes in the documentation (#​15496)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• [WIP] Debug workflow failure for Smoke Claude by @​Copilot in #​15472
• Clarify update-issue vs close-issue tool descriptions by @​Copilot in #​15475
• chore: update copilot pat video by @​mnkiefer in #​15479
• Add centered blog link section to docs landing page by @​Copilot in #​15476
• Skip permission validation when tools.github auto-added by @​Copilot in #​15480
• Relax temporary ID validation from aw_{4,8} to aw_{3,8} by @​Copilot in #​15482
• 🔧 Improve workflow compilation message clarity by @​dsyme in #​15478
• Update close safe-output types to recommend comments and handle already-closed entities by @​Copilot in #​15489

Full Changelog: github/gh-aw@v0.43.20...v0.43.21

v0.43.20

Compare Source

🌟 Release Highlights

This release includes an important migration notice for existing users, a new security feature flag, and improved temporary ID handling in safe outputs.

⚠️ Migration Notice

If you installed from githubnext/gh-aw, you must re-register the extension to receive future updates:

# Remove old extension
gh extension remove gh-aw

# Install from new location
gh extension install github/gh-aw

The gh-aw project has moved from githubnext/gh-aw to github/gh-aw. Users on the old channel will not receive updates unless they reinstall from the new location.

✨ What's New

• XPIA Prompt Control (#​15461) - New disable-xpia-prompt feature flag allows workflows to opt out of the Cross-Prompt Injection Attack (XPIA) security prompt in agent instructions. Useful for workflows with custom security requirements:

  ---
  features:
    disable-xpia-prompt: true
  ---

🐛 Bug Fixes

• Temporary ID Resolution in Comments (#​15459) - Fixed add_comment safe output handler to properly resolve temporary IDs (e.g., aw_test01) before validation. Previously, the handler attempted to parse temporary IDs as integers, causing NaN validation errors. Now follows the same resolution pattern as other handlers.

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Add disable-xpia-prompt feature flag by @​Copilot in #​15461
• Update CHANGELOG for gh-aw migration and bug fixes by @​bmerkle in #​15463
• Fix add_comment handler to resolve temporary IDs before validation by @​Copilot in #​15459

Full Changelog: github/gh-aw@v0.43.19...v0.43.20

v0.43.19

Compare Source

🌟 Release Highlights

This release strengthens strict mode network validation, improves temporary ID handling, enhances bot detection workflows, and refines documentation for better user experience.

✨ What's New

Strict Mode Network Validation Improvements

• Ecosystem identifier suggestions - When custom domains are rejected in strict mode, error messages now suggest the appropriate ecosystem identifier (e.g., "pypi.org" → suggest "python") for easier troubleshooting
• Unified validation for all engines - Strict mode now enforces ecosystem domain validation consistently across all AI engines, including those with LLM gateway support
• Go ecosystem support - Workflows dependent on Go now have the "go" ecosystem available in network allowlists, enabling access to go.dev, golang.org, and Go module proxies

Enhanced Temporary ID System

• New alphanumeric format - Temporary IDs now use aw_[A-Za-z0-9]{4,8} format (4-8 alphanumeric characters) instead of the previous hex format, making them more readable and easier to generate
• Improved validation and normalization - Better handling of temporary ID cross-references in safe-output workflows with comprehensive documentation updates

Bot Detection & Activity Tracking

• Enhanced observability - Added detailed logging throughout bot detection workflows including contributor account loading and precompute steps
• Improved search accuracy - Refined issue and PR search queries for more accurate bot activity detection
• Better activity reporting - Enhanced tracking and reporting of bot activity patterns

🐛 Bug Fixes & Improvements

• SafeOutputMessagesConfig field merging - Fixed incomplete field merging in mergeMessagesConfig to ensure all 13 configuration fields are properly merged during workflow imports
• Strict mode test failures - Resolved failing tests related to custom network domains in strict mode by properly handling ecosystem validation
• XPIA prompt integration - Added cross-prompt injection attack (XPIA) security prompts to strengthen workflow security
• Community feedback integration - Added prominent Community Feedback link to documentation footer for easier user input

📚 Documentation

• Strict mode network validation guide - Comprehensive documentation updates explaining ecosystem identifiers, domain validation rules, and error resolution strategies
• Temporary ID reference - Enhanced documentation with clear examples of valid/invalid formats and usage patterns
• Quick-start improvements - Updated authentication instructions and fixed typos for clearer onboarding experience
• Glossary refinement - Removed unnecessary bloat from glossary for improved readability

🔧 Internal Improvements

• Multiple GitHub Actions workflow fixes and stability improvements
• Code simplification passes for better maintainability
• Test infrastructure enhancements with improved coverage
• Workflow recompilation to propagate schema and validation updates

---

Full Details: See CHANGELOG for complete list of changes.

Learn More: Visit gh-aw documentation for guides and references.

Generated by Release

---

What's Changed

• [WIP] Fix failing GitHub Actions workflow Integration: Workflow Misc Part 2 by @​Copilot in #​15341
• [instructions] Sync github-agentic-workflows.md with v0.40.1 changes by @​github-actions[bot] in #​15348
• chore: update bot detection workflow to token by @​mnkiefer in #​15354
• chore: update schedule and token usage by @​mnkiefer in #​15355
• chore: improve issue and PR search accuracy by @​mnkiefer in #​15356
• [docs] Update documentation for allowed-extensions default behavior by @​github-actions[bot] in #​15352
• refactor: improve activity tracking and reporting by @​mnkiefer in #​15360
• chore: add contributor account loading to bot detection workflow by @​mnkiefer in #​15366
• [WIP] Add flag to agentic engine interface for LLM gateway support by @​Copilot in #​15363
• Add observability logging to bot-detection precompute step by @​Copilot in #​15367
• fix: pass shared temporary ID map by @​mnkiefer in #​15371
• feat: enhance bot detection logging by @​mnkiefer in #​15376
• Fix strict mode validation failures for workflows with custom network domains by @​Copilot in #​15369
• Fix security regression test failing under default strict mode by @​Copilot in #​15368
• fix: imrpove temporary ID validation and normalization by @​mnkiefer in #​15392
• [WIP] Fix issues in existing tests by @​Copilot in #​15395
• Recompile workflows to propagate temporary ID schema updates by @​Copilot in #​15402
• Enhance documentation for temporary ID by @​mnkiefer in #​15404
• Fix permissions test: remove network config conflicting with strict mode by @​Copilot in #​15406
• adding xpia prompt by @​pelikhan in #​15414
• [WIP] Update terminology from discussions to issues by @​Copilot in #​15421
• Add Community Feedback link to documentation footer by @​Copilot in #​15423
• Enforce strict mode network domain validation for all engines by @​Copilot in #​15409
• Add ecosystem identifier suggestions to strict mode network validation errors by @​Copilot in #​15424
• [docs] Remove bloat from glossary by @​github-actions[bot] in #​15433
• [docs] Update documentation for strict mode network validation features from 2026-02-13 by @​github-actions[bot] in #​15426
• [WIP] Fix failing GitHub Actions workflow test by @​Copilot in #​15432
• [code-simplifier] Code Simplification - 2026-02-13 by @​github-actions[bot] in #​15428
• Change temporary ID format from hex to alphanumeric (4-8 chars) by @​Copilot in #​15419
• Fix typo in 'pre-requisites' in quick-start guide by @​lindseywild in #​15452
• Add Go ecosystem to network allowlist for Go-dependent workflows by @​Copilot in #​15454
• Fix incomplete field merging in SafeOutputMessagesConfig imports by @​Copilot in #​15453
• Update quick-start guide for authentication instructions by @​bmerkle in #​15455

New Contributors

• @​lindseywild made their first contribution in #​15452

Full Changelog: github/gh-aw@v0.43.18...v0.43.19

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.