Bump github/gh-aw from 0.68.3 to 0.71.1 in the github-actions group

[dependabot]

Bumps the github-actions group with 1 update: github/gh-aw.

Updates github/gh-aw from 0.68.3 to 0.71.1

Release notes

Sourced from github/gh-aw's releases.

v0.71.1

🌟 Release Highlights

This release focuses on reliability and correctness — fixing several impactful bugs reported by the community, improving agent workflow efficiency, and hardening security boundaries for the Claude engine.

🐛 Bug Fixes & Improvements

• protected-files object form compilation fixed — Workflows using the documented {policy, exclude} object form for protected-files were incorrectly rejected at compile time with expected string or null, got object. The schema now correctly allows the object form alongside the string shorthand. (#28341)

• APM-restored skills no longer clobbered in pull_request runs — Skills installed by pre-agent-steps (e.g. from .github/skills/) were silently overwritten because the "Restore agent config folders" step executed after pre-agent-steps. The step ordering is now correct for pull_request triggers. (#28290)

• push_to_pull_request_branch patch size now uses incremental diff — On long-running branches, max_patch_size was measured against the full cumulative diff from the default branch rather than the net change since the last push. Each iteration now measures only the incremental git diff against the PR branch head, preventing spurious size-limit rejections. (#28198)

• design-decision-gate reliability — Raised max-turns from 15 → 20 and added git ls-remote:* to allowed tools. The workflow was exhausting all turns on copilot/* PRs before completing useful work. An explicit MCP fallback table ensures the agent switches to GitHub MCP tools when pre-fetched context files are unavailable. (#28353)

• jsweep workflow no longer runs to 60 turns — Added explicit exit criteria after PR creation. Previously the agent kept calling create_pull_request in a loop consuming 4.64M tokens/run. (#28322)

• audit/audit-diff MCP tools now return structured JSON consistently — These tools were setting IsError: true on failure and routing output to stderr, unlike logs and compile which always return structured JSON. Behaviour is now consistent. (#28291)

• Model update in github-remote-mcp-auth-test — Replaced the unavailable gpt-5.1-codex-mini model with gpt-5.4-mini, fixing 3+ days of consecutive workflow failures. (#28321)

• MCP Gateway v0.2.30 compatibility — The mempalace shared config now includes the required container field on stdio server entries, fixing daily-fact workflow failures after the gateway schema tightened. (#28288)

✨ What's New

• Hippo memory vector embeddings — New hippo-embed maintenance workflow generates vector embeddings for all Hippo memories (previously <1% were embedded, making semantic recall nearly non-functional). The daily-hippo-learn workflow now runs hippo embed on every cycle to keep the index current. (#28178)

• Claude bypassPermissions tool enforcement documented and hardened — When Claude Code runs in bypassPermissions mode (triggered by unrestricted bash access), --allowed-tools is silently ignored. The MCP gateway allowed: filter is now the documented sole effective tool boundary in this mode, with implementation notes added to prevent regressions. (#28174)

⚡ Performance

• docs-noob-tester token usage reduced ~70% — Server setup (npm install, Astro dev server startup, readiness polling, bridge IP detection) now runs in pre-agent-steps before the agent starts, saving ~700K–1M tokens/run. Timeout reduced from 45 → 30 minutes. (#28343)

📚 Documentation

• Docs table wrapping on tablet screens — Markdown tables on 641px–768px viewports were silently clipped without horizontal scroll. A new rehype plugin wraps tables in a scrollable container. (#28280)

🌍 Community Contributions

@edgeq

• [Bug] protected-files object form fails compilation despite being documented (direct issue)

@mrjf

• push_to_pull_request_branch should compute patch size relative to PR branch head, not checkout base (direct issue)

... (truncated)

Commits

• f01a9d1 fix(design-decision-gate): add git ls-remote permission, raise turn limit to ...
• f216a16 fix(security): remove readiness check from MemPalace MCP server startup (#28340)
• 9c675c3 fix: add regression tests for protected-files object form compilation (#28341)
• 7a54b74 optimize: move docs-noob-tester setup to pre-agent-steps, slim prompt, reduce...
• 6eef218 feat: use actions/cache and artifacts for APM bundle with lock file hash + en...
• 66e3120 fix: replace unsupported model pins in 5 workflow frontmatters (#28323)
• 04ae1fe build(deps): Bump go.opentelemetry.io/otel (#28337)
• 53cf9b3 fix: replace unsupported gpt-5.1-codex-mini model in github-remote-mcp-auth-t...
• 194ffd4 Apply progressive disclosure to firewall blocked domains alert (#28332)
• 75491ff jsweep: add Done Conditions to prevent runaway PR creation loop (#28322)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions