chore(deps): bump github/gh-aw from 0.42.17 to 0.45.0

[dependabot]

Bumps github/gh-aw from 0.42.17 to 0.45.0.

Release notes

Sourced from github/gh-aw's releases.

v0.45.0

🌟 Release Highlights

This release brings powerful new workflow control features, improved flexibility, enhanced security enforcement, and a significant breaking change to reaction/status comment behavior. Highlights include role-based and bot-based workflow skipping, flexible workflow name matching, SRT removal, and major security specification updates.

⚠️ Breaking Changes

Reaction and Status Comments Now Independent (#15856)

The ai-reaction emoji and status-comment fields are now fully decoupled. Both must be explicitly enabled in your workflow configuration.

Migration required:

# ❌ OLD (implicit coupling)
messages:
  ai-reaction: 👀  # Auto-enabled status comments
✅ NEW (explicit configuration)
messages:
ai-reaction: 👀
status-comment: true  # Must explicitly enable

Workflows relying on automatic status comments when ai-reaction is set will need to add status-comment: true. Learn more about message configuration

SRT (Sandbox Runtime) Removed (#15834)

AWF (Agent Workflow Firewall) is now the only supported sandbox implementation. Legacy workflows using sandbox.agent: srt or sandbox: sandbox-runtime are automatically migrated to AWF during compilation, but explicit updates are recommended.

✨ What's New

Role-Based Workflow Skipping (#15988)

Skip workflows based on repository permissions with on.skip-roles:

on:
  skip-roles: [admin, maintain]  # Skip for admins/maintainers

Perfect for workflows that should only run for external contributors or specific permission levels. The pre-activation job checks roles before workflow execution. Documentation

Bot-Based Workflow Skipping (#15993)

Cancel workflows for specific GitHub actors (bots or users) with on.skip-bots:

on:
  skip-bots: [dependabot, renovate]

Supports flexible bot name matching—github-actions matches both github-actions and github-actions[bot] actors. Complements skip-roles for fine-grained workflow control.

... (truncated)

Commits

• 58d1d15 Update ai-moderator workflow to use codex engine (#16010)
• f752c42 Add flexible workflow name matching to logs command (#16007)
• b0dda80 Remove srt and sandbox-runtime from schema, retain migration codemod (#15999)
• 18ccec6 Refactor locked issue error handling into shared helper (#15998)
• 525da85 Specify MCP server constraint enforcement for immediate LLM feedback (#15996)
• b1279ad Resolve nested imports and symlinks (#15987)
• 5b2bc34 Fix sandbox detection for legacy Type field configurations (#15995)
• 98f80cf Add on.skip-bots field to cancel workflows for specific GitHub actors (#15993)
• c16fce0 Add skip-roles to conditionally skip workflows based on repository permission...
• 2b94110 Move issue unlocking to dedicated job with if: always() (#15969)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.71%	82.86%	📈 +0.15%
Statements	82.63%	82.78%	📈 +0.15%
Functions	82.74%	82.74%	➡️ +0.00%
Branches	74.78%	74.88%	📈 +0.10%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	84.1% → 84.7% (+0.56%)	83.4% → 83.9% (+0.54%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Mossaka]

Closing and reopening to retrigger CI after secret update

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

[github-actions]

Node.js Build Test Results

All projects tested successfully! ✅

Project	Install	Tests	Status
clsx	✅	✅	PASS
execa	✅	✅	PASS
p-limit	✅	✅	PASS

Overall: PASS 🎉

Generated by Build Test Node.js for issue #890

[github-actions]

Merged PRs reviewed:

• [docs] docs: add AWF_ONE_SHOT_TOKEN_DEBUG documentation
• fix: remove .claude.json file bind mount regression
  Tests: GitHub MCP merged PRs ✅
  Tests: safeinputs-gh pr list ✅
  Tests: Playwright title check ✅
  Tests: Tavily search ❌ (tool unavailable)
  Tests: file write+cat ✅, build ✅, discussion comment ✅
  Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #890

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

Generated by Build Test C++ for issue #890

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS ✅

All Rust projects built and tested successfully.

Generated by Build Test Rust for issue #890

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

Generated by Build Test Deno for issue #890

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS ✅

All .NET projects successfully restored, built, and ran.

Generated by Build Test .NET for issue #890

[github-actions]

Smoke Test Results (Run 22081206156)

Last 2 Merged PRs:

• fix: remove .claude.json file bind mount regression #911: fix: remove .claude.json file bind mount regression (@Mossaka)
• [docs] docs: add AWF_ONE_SHOT_TOKEN_DEBUG documentation #867: [docs] docs: add AWF_ONE_SHOT_TOKEN_DEBUG documentation

Test Results:

• ✅ GitHub MCP: Retrieved recent PRs
• ✅ Playwright: Page title verified ("GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
• ✅ File Write: Created /tmp/gh-aw/agent/smoke-test-copilot-22081206156.txt
• ✅ Bash Tool: File content verified

Status: PASS

cc: @Mossaka

📰 BREAKING: Report filed by Smoke Copilot for issue #890

[github-actions]

Go Build Test Results ✅

All Go projects tested successfully!

Project	Download	Tests	Status
color	✅	1/1	PASS ✅
env	✅	1/1	PASS ✅
uuid	✅	1/1	PASS ✅

Overall: PASS ✅

All module downloads completed successfully and all tests passed.

Generated by Build Test Go for issue #890

[github-actions]

☕ Java Build Test Results

All Java projects compiled and tested successfully through the firewall!

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS ✅

All Maven dependencies were successfully downloaded through the Squid proxy, and all test suites passed.

Generated by Build Test Java for issue #890

[dependabot]

Superseded by #942.