build(deps): bump github/gh-aw from 0.46.3 to 0.58.3

[dependabot]

Bumps github/gh-aw from 0.46.3 to 0.58.3.

Release notes

Sourced from github/gh-aw's releases.

v0.58.3

🌟 Release Highlights

This release focuses on security hardening, GHES compatibility, and developer experience improvements — with better MCP write protection, a new Copilot pre-flight diagnostic for enterprise environments, and a noticeably improved run details summary.

✨ What's New

• MCP Write-Sink Guard Policy — All non-GitHub MCP servers configured via the gateway now enforce a write-sink guard policy, preventing unintended writes through third-party MCP tools. This improves the security posture of workflows using custom MCP integrations. (#21005)

• Copilot Pre-flight Diagnostic for GHES — A new pre-flight check helps diagnose Copilot configuration issues in GitHub Enterprise Server environments before a workflow run fails, saving time when debugging enterprise setups. (#20975)

• Action Pins Mode with gh-aw-actions v0 — The action-tag step now uses action pins mode, enabling stable and auditable action references via gh-aw-actions at the v0 tag. (#20991)

• Enhanced Run Details Step Summary — Workflow run summaries now render as structured bullet points, display the gh-aw version, and include full aw_info output for easier post-run inspection. (#20989)

⚡ Performance

• Faster Workflow Name Extraction — extractWorkflowNameFromFile no longer performs an unnecessary full YAML parse, reducing overhead when processing large workflow collections. (#21012)

🐛 Bug Fixes & Improvements

• GHES Host Leakage Prevention — The "Install GitHub Copilot CLI" step now explicitly emits GH_HOST: github.com, preventing GHES host values from leaking into the Copilot CLI installation context. (#20992)
• Workflow Call Artifact Downloads Fixed — Artifact prefix handling in the conclusion job and script step downloads now works correctly in workflow_call contexts. (#21011)
• TypeScript Type Error Fixed — Resolved a type error in json_object_to_markdown.cjs that could cause runtime failures in certain output scenarios. (#21010)
• Go Firewall Rule for Shared Workflows — The shared/go-make.md shared workflow now includes go in its firewall allowed set, enabling Go toolchain downloads during builds. (#21014)

📚 Documentation

• Accessibility: Live Search Results — The docs site search now announces results to screen readers via aria-live, improving accessibility for keyboard and assistive technology users. (#21019)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Optimize qmd-docs workflows: explicitly instruct models to use qmd-query for doc search by @​Copilot in github/gh-aw#20987
• Add Copilot pre-flight diagnostic for GHES environments by @​Claude in github/gh-aw#20975
• Improve run details step summary: bullet points, aw version, and full aw_info rendering by @​Copilot in github/gh-aw#20989
• feat: update action-tag to use action pins mode (gh-aw-actions) with v0 by @​Copilot in github/gh-aw#20991
• fix: emit GH_HOST: github.com on Install GitHub Copilot CLI step to prevent GHES host leakage by @​Copilot in github/gh-aw#20992
• [instructions] Sync github-agentic-workflows.md with v0.40.1 by @​github-actions[bot] in github/gh-aw#21001
• [docs] docs: condense CentralRepoOps intro and remove duplicate cross-repo notes by @​github-actions[bot] in github/gh-aw#21003
• feat: add write-sink guard policy to all non-GitHub MCP servers configured by gateway by @​Copilot in github/gh-aw#21005
• Add go firewall allowed set to shared/go-make.md by @​Copilot in github/gh-aw#21014
• perf: optimize extractWorkflowNameFromFile by eliminating unnecessary YAML parse by @​Copilot in github/gh-aw#21012

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0
gh extension upgrade --all
[aw]: already up to date
gh extension remove gh-aw
gh extension install github/gh-aw
✓ Installed extension github/gh-aw
gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion

flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits

• 08a903b docs: add aria-live enhancement for search results accessibility (#issue) (#2...
• 1cb4a5a Remove copilot-preflight script and associated step generation (#21016)
• 47ab8dd fix: use artifact prefix in conclusion job and script step downloads for work...
• c87077e perf: optimize extractWorkflowNameFromFile by eliminating unnecessary YAML ...
• 1a426d0 Add go firewall allowed set to shared/go-make.md (#21014)
• 50e4991 feat: add write-sink guard policy to all non-GitHub MCP servers configured by...
• 4e2b550 docs: condense intro and remove duplicate cross-repo notes in central-repo-op...
• 1333b4a docs: add action-tag feature flag to github-agentic-workflows.md (#21001)
• 5a8a60a fix: emit GH_HOST: github.com on Install GitHub Copilot CLI step to prevent G...
• 4173449 feat: update action-tag to use action pins mode (gh-aw-actions) with v0 (#20991)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.