Bump the github-actions-minor-patch group with 2 updates

[dependabot]

Bumps the github-actions-minor-patch group with 2 updates: github/gh-aw and GabrielBB/xvfb-action.

Updates github/gh-aw from 0.43.22 to 0.47.4

Release notes

Sourced from github/gh-aw's releases.

v0.47.4

🌟 Release Highlights

This release focuses on reliability and correctness — tightening compiler validations, fixing several silent failure modes, and improving GitHub App token handling.

✨ What's New

• Engine environment variable overrides — You can now override agentic engine environment variables using custom secrets via engine.env, giving you fine-grained control over engine configuration without modifying workflow source. (#17211)
• Stricter compiler validation — The compiler now rejects workflows that set both tools.github.app and tools.github.github-token simultaneously, preventing ambiguous token configurations that could lead to unexpected behavior. (#17259)
• Safe-outputs completeness check — A new compiler check verifies that all registered safe-outputs are present in the tools JSON, catching mismatches at compile time rather than at runtime. (#17251)

🐛 Bug Fixes & Improvements

• GitHub App token for MCP — When a GitHub App is configured, GITHUB_MCP_SERVER_TOKEN now correctly uses the App token instead of falling back to an incorrect token. (#17253)
• Checkout branch fix — Fixed an issue where checkout used github.sha instead of the base branch, which could cause incorrect file state in certain workflow runs. (#17249)
• Silent tool drop fixed — The compiler no longer silently drops the update-issue tool when target-repo: "*" is set. (#17247)
• Safe-outputs message parsing — Resolved parsing gaps for detection-failure and agent-failure-* message types in safe-outputs schema. (#17207)
• No-break space in frontmatter — Unicode no-break whitespace (U+00A0) is now sanitized before YAML parsing, preventing subtle parse failures in copy-pasted workflow frontmatter. (#17262)
• Interactive workflow init tool fix — Corrected an invalid add_issue_comment tool reference generated during interactive workflow initialization. (#17264)

📚 Documentation

• Added a Copilot license and inference troubleshooting section to help diagnose common Copilot engine activation issues. (#17242)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Fix safe-outputs message parsing and schema gaps for detection-failure and agent-failure-* by @​Copilot in github/gh-aw#17207
• Allow overriding agentic engine env vars with custom secrets in engine.env by @​Copilot in github/gh-aw#17211
• docs: add Copilot license/inference troubleshooting section by @​Copilot in github/gh-aw#17242
• Remove duplicate section headers by @​PetroSilenius in github/gh-aw#17255
• [ca] fix: use GitHub App token for GITHUB_MCP_SERVER_TOKEN when app is configured by @​github-actions[bot] in github/gh-aw#17253
• Fix: compiler silently drops update-issue tool when target-repo: "*" is set by @​Copilot in github/gh-aw#17247
• [code-simplifier] refactor: extract setStringFromMap helper in parseMessagesConfig by @​github-actions[bot] in github/gh-aw#17258
• Add compiler check: verify all registered safe-outputs are present in tools JSON by @​Copilot in github/gh-aw#17251
• feat: reject workflows that set both tools.github.app and tools.github.github-token by @​Copilot in github/gh-aw#17259
• 🔀 Fix checkout to use base branch instead of github.sha by @​dsyme in github/gh-aw#17249
• Sanitize no-break whitespace (U+00A0) in frontmatter before YAML parsing by @​Copilot in github/gh-aw#17262
• Fix invalid add_issue_comment tool in interactive workflow init by @​Copilot in github/gh-aw#17264

New Contributors

• @​PetroSilenius made their first contribution in github/gh-aw#17255

Full Changelog: github/gh-aw@v0.47.3...v0.47.4

... (truncated)

Changelog

Sourced from github/gh-aw's changelog.

Changelog

All notable changes to this project will be documented in this file.

v0.40.1 - 2026-02-03

Move from githubnext/gh-aw to github/gh-aw

If you were a former user of the githubnext Agentic Workflows you might have to re-register the extension to reflect the new location. As the gh-aw project moved from githubnext to github please delete the old channel and register the new one.

Example:

gh extension list
NAME   REPO              VERSION
gh aw  githubnext/gh-aw  v0.36.0
gh extension upgrade --all
[aw]: already up to date
gh extension remove gh-aw
gh extension install github/gh-aw
✓ Installed extension github/gh-aw
gh extension list
NAME   REPO          VERSION
gh aw  github/gh-aw  v0.40.1

Bug Fixes

Handle 502 Bad Gateway errors in assign_to_agent handler by treating them as success. The cloud gateway may return 502 errors during agent assignment, but the assignment typically succeeds despite the error. The handler now logs 502 errors for troubleshooting but does not fail the workflow.

Add discussion interaction to smoke workflows and serialize the discussion

flag in safe-outputs handler config.

Smoke workflows now select a random discussion and post thematic comments to validate discussion comment functionality. The compiler now emits the "discussion": true flag in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG when a workflow requests discussion output, and lock files include discussions: write permission where applicable.

Add discussion interaction to smoke workflows; compiler now serializes the discussion flag into the safe-outputs handler config so workflows can post comments to discussions. Lock files include discussions: write where applicable.

Smoke workflows pick a random discussion and post a thematic comment (copilot: playful, claude: comic-book, codex: mystical oracle, opencode: space mission). This is a non-breaking tooling/workflow change.

Add discussion interaction to smoke workflows; deprecate the discussion flag and

... (truncated)

Commits

• da463a7 Fix invalid add_issue_comment tool in interactive workflow init (#17264)
• 5d5dd74 Sanitize no-break whitespace (U+00A0) in frontmatter before YAML parsing (#17...
• b392fc2 checkout base branch not github.sha (#17249)
• f4a0eab feat: reject workflows that set both tools.github.app and tools.github.github...
• 3d31ecb Add compiler check: verify all registered safe-outputs are present in tools J...
• 86ac7ac refactor: extract setStringFromMap helper in parseMessagesConfig (#17258)
• cd47154 Fix: compiler silently drops update-issue tool when target-repo: "*" is set (...
• 2da7b89 fix: use GitHub App token for GITHUB_MCP_SERVER_TOKEN when app is configured ...
• c4c1290 Remove duplicate section headers (#17255)
• 7c1adbc docs: add Copilot license/inference troubleshooting section (#17242)
• Additional commits viewable in compare view

Updates GabrielBB/xvfb-action from 1.6 to 1.7

Commits

• b706e4e Format index.js
• 50ab602 Update package-lock.json
• 1783bd4 Update package.json
• 4ab69a7 Update README.md
• e399575 Update index.js
• 6cc7492 Update index.js
• e3744ae Update index.js
• b2cde5e Merge pull request #38 from hamirmahal/fix/usage-of-node12-which-is-deprecated
• 2859b7c fix: usage of node12 which is deprecated
• 0ec1511 chore: changes from formatting on save
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions