build(deps): bump github/gh-aw from 0.71.1 to 0.71.5 in the actions group #10605

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions-b557419abe
dependabot[bot] commented on behalf of github on May 6, 2026

Bumps the actions group with 1 update: github/gh-aw.

Updates github/gh-aw from 0.71.1 to 0.71.5

Release notes

Sourced from github/gh-aw's releases.

v0.71.5

🌟 Release Highlights

This release focuses on reliability and correctness across the engine.env compilation pipeline, the security check layer, and the Claude engine — with five community-reported issues resolved.

🐛 Bug Fixes & Improvements

  • Claude engine stability — Workflows using the claude engine no longer crash mid-session with "Fast mode unavailable". CLAUDE_CODE_DISABLE_FAST_MODE=1 is now set automatically to suppress an incompatible server-side flag introduced in Claude Code 2.1.120+.

  • engine.env multi-line values — Block-scalar engine.env values (written with >- and extra-indented continuation lines) previously compiled to broken YAML with embedded newlines. These now compile correctly into valid multi-line env: entries. (Reported by @jeffhandley in #30204)

  • engine.env needs expressions — Custom job references in engine.env values (e.g. ${{ needs.my_job.outputs.value }}) were silently dropped from the agent job's needs list, causing those expressions to evaluate to empty strings at runtime. The compiler now correctly wires these dependencies. (Reported by @jeffhandley in #30232)

  • gh aw upgrade false BYOK warning — gh aw upgrade was incorrectly warning "Remove unsafe secrets from engine.env" for COPILOT_PROVIDER_API_KEY and COPILOT_PROVIDER_BEARER_TOKEN, silently stripping legitimate BYOK configuration. gh aw upgrade now matches gh aw compile in allowing these keys. (Reported by @MauroDruwel in #30178)

  • pull_request_review activation signal — Workflows triggered by pull_request_review events no longer silently skip the 👀 reaction and run-started comment. The buildReactionLikeCondition allowlist now includes this event type. (Reported by @mason-tim in #30336)

  • Confused-deputy false positive for bot-menu patterns — The security check introduced in v0.71.4 was blocking the legitimate pattern where a bot posts a checkbox-menu comment and a human maintainer edits it to tick a box (issue_comment:edited). The check now automatically detects [bot]-authored comments and skips the guard for that path, while keeping all other issue_comment:created paths fully protected. (Reported by @theletterf in #30327)

✨ What's New

  • allow-bot-authored-trigger-comment frontmatter option — For bots that don't follow the standard [bot] naming convention, you can now opt into the confused-deputy bypass explicitly:

    on:
      issue_comment:
        types: [edited]
      allow-bot-authored-trigger-comment: true

  • MCP progress notifications — The logs, audit, and audit-diff MCP tools now stream real-time progress updates to AI clients (Copilot, Claude) during long-running operations, eliminating silent 30+ second waits.

  • MCP Gateway bump to v0.3.6 — The embedded MCP gateway has been updated to ghcr.io/github/gh-aw-mcpg:v0.3.6 with pinned digest for supply-chain safety.

🌍 Community Contributions

@jeffhandley

@mason-tim

@MauroDruwel

  • [gh aw upgrade: still warns 'Remove unsafe secrets from engine.env' despite fix in #29378 for compile](github/gh-aw#30178) (direct issue)

... (truncated)

Commits
  • 19ac811 Bump default AWF firewall image set to v0.25.40 (#30406)
  • ec08489 Fix CJS shard failures caused by template_branch.cjs integration gaps (#30425)
  • 377109d Fix js-typecheck failure in template_branch.cjs null-else branch typing (#3...
  • 456c1ce Add MCP Gateway v0.3.6 container pin to lock data and embedded pin maps (#30408)
  • 8098a8e Rename MustBeWithinValidatePathWithinBase in pkg/fileutil (#30421)
  • 6a0ab1e chore: update source reference in token optimizer workflows (#30420)
  • 53bd0fb feat: Update OTel instrumentation workflow to support multiple endpoints (#30...
  • e890d0f fix: use require.Error for error assertion in compile_args_test.go (#30394)
  • 2fa5c46 Add redirect from shared/apm.md to microsoft/apm upstream and update docs (#3...
  • 19b2170 Add agentic-ops workflows (#30379)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions group with 1 update: [github/gh-aw](https://github.com/github/gh-aw).


Updates `github/gh-aw` from 0.71.1 to 0.71.5
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@v0.71.1...v0.71.5)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.71.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and github_actions labels on May 6, 2026
dependabot[bot] requested a review from AlitzelMendez as a code owner on May 6, 2026 03:46
Labels: dependencies, eng, github_actions