Bump github/gh-aw from 0.71.5 to 0.73.0

[dependabot]

Bumps github/gh-aw from 0.71.5 to 0.73.0.

Release notes

Sourced from github/gh-aw's releases.

v0.72.1

🌟 Release Highlights

v0.72.1 delivers a new developer-facing lint command, critical compiler correctness fixes, and improved shared workflow ergonomics — all driven largely by community-reported issues.

✨ What's New

• gh aw lint — fast lock-file validation (#30704): New gh aw lint command runs actionlint directly against existing .lock.yml files — no recompile, no extra scanners. Perfect for a lightweight CI gate to catch syntax errors before pushing. Supports --dir, explicit file paths, and optional --shellcheck/--pyflakes checks.

• Import engine.mcp.tool-timeout from shared workflows (#30634): Shared workflows wrapping slow MCP servers (e.g. Repo Mind Light) can now declare engine.mcp.tool-timeout and engine.mcp.session-timeout once, and consumers inherit those values automatically — no more duplicating timeout configs in every consumer. Consumer-declared values still take precedence.

• First-party coding-agent skill for gh aw (#27259): Added a router skill that gives coding agents (Copilot, Claude, etc.) structured guidance on creating, debugging, and updating agentic workflows using the gh aw CLI.

• Shared skip-if-match dedup component: The common "open issue/PR by title prefix" deduplication query is now a shared compiler-imported component, eliminating copy-paste duplication across dozens of workflows.

🐛 Bug Fixes & Improvements

• && preserved in compiled workflow expressions (#30695): Go's HTML escaping was converting && to \u0026\u0026 inside AWF config JSON embedded in .lock.yml files, corrupting ${{ ... && ... }} expressions and causing workflow parse failures. Fixed by switching to json.Encoder with SetEscapeHTML(false).

• safe-outputs permission regression fixed (#30733): When update-project appeared alongside add-comment/add-labels, the minted App token was incorrectly downgraded to issues:read instead of issues:write, silently failing issue mutations.

• Conclusion comment now reflects safe_outputs failures (#30662): The conclusion job was reporting ✅ success even when safe_outputs failed (e.g., 422 on PR review submission). The job now correctly propagates safe_outputs status.

• Firewall binary version corrected (#30705, #30191): v0.71.1 was referencing a non-existent gh-aw-firewall version, causing 404s on AWF binary install. This release ships with the correct firewall v0.25.29 (which also includes the healthcheck fix).

• Playwright mode: cli recognized by compiler (#30088): gh aw compile now correctly accepts mode: cli in Playwright tool configuration.

• COPILOT_API_KEY dummy key no longer triggers over-billing (#30324): The dummy byok-key placeholder introduced in v0.71 was causing 10–100x premium request over-billing compared to v0.68. Fixed.

@arthurfvives

• Bug: mode: cli for Playwright not recognized during gh aw compile (direct issue)

@bryanchen-d

• feat: lightweight gh aw lint — actionlint-only over existing .lock.yml files (no recompile, no zizmor/poutine) (direct issue)
• Compiler JSON-encodes && to \u0026\u0026 inside ${{ }} expressions in AWF config printf, breaking workflow parse (direct issue)

@haavamoa

• Release new gh-aw CLI version with firewall v0.25.29 (healthcheck fix) (direct issue)

@jonathanpeppers

• Conclusion comment shows success when safe_outputs fails to submit PR review (direct issue)

@lpcox

... (truncated)

Commits

• 4d44d0e [docs] Consolidate developer specifications to v9.3 (#31027)
• 379ceb7 Polish MCP server UX metadata and correct unknown-tool JSON-RPC semantics (#3...
• 7058737 deps: bump default @​playwright/cli from 0.1.11 to 0.1.13 (#31013)
• ce5b7a1 fix(harness): treat "No deferred tool marker" as non-retriable in claude_harn...
• 89b6823 fix(js): use optional chaining for resolvedFieldByName.id in set_issue_field....
• 2a6bc9d Render engine.mcp.tool-timeout as numeric gateway toolTimeout seconds (#3...
• 92b0c3d Enforce pre-API input validation in experiment state loader (SEC-002) (#31002)
• 0c3de77 Emit OTLP export error count on all job conclusion spans (#31004)
• 842a49f Import shared/observability-otlp.md in most agentic workflows (#30995)
• 89855b4 Handle issue_comment PR context in submit_pull_request_review body-only f...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud