Bump github/gh-aw from 0.67.1 to 0.67.4 #527

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github/gh-aw-0.67.4

dependabot bot commented on behalf of github on Apr 10, 2026

Bumps github/gh-aw from 0.67.1 to 0.67.4.

Release notes

Sourced from github/gh-aw's releases.

v0.67.4

🌟 Release Highlights

This release delivers a critical Copilot engine reliability fix that restores all affected workflows, alongside a wave of new agentic workflow templates, meaningful security hardening, and a rich set of bug fixes driven by community reports.

🚨 Critical Fix: Copilot Engine Silent Startup Crash

All Copilot-engine workflows were silently failing for ~35+ hours starting April 8 due to a startup crash in Copilot CLI v1.0.21. This release pins DefaultCopilotVersion to 1.0.20 and recompiles all 187 workflow lock files to restore normal operation immediately.

✨ What's New

  • Five new agentic workflow templates: approach-validator, test-quality-sentinel, refactoring-cadence, architecture-guardian, and design-decision-gate expand the built-in workflow library for code quality, ADR enforcement, and architectural governance.

  • allowed-events filter for submit-pull-request-review — Workflows can now restrict which review types (APPROVE, COMMENT, REQUEST_CHANGES) the safe-output job may submit, giving maintainers tighter control over automated review actions. (#25484)

  • Copilot driver retry logic — The Copilot driver now retries on partial session failures, reducing flaky workflow runs caused by transient CAPI errors. (#25329)

  • --runner-guard compilation flag: gh aw compile now accepts --runner-guard to enforce runner constraints in the static-analysis-report workflow. (#25281)

  • Version bumps — Firewall updated to v0.25.18 and MCP Gateway to v0.2.17 for all compiled workflows. (#25505)

🔒 Security Hardening

  • NFKC normalization + homoglyph detection — SafeOutputs now normalizes Unicode input using NFKC and detects Cyrillic/Greek homoglyph substitutions. The Secret Leak threat detection check is also hardened to catch more patterns. (#25458)

  • HTML comment bypass fix: removeXmlComments is now applied before mention neutralization, closing a potential injection path in safe-output processing. (#25462)

🐛 Bug Fixes & Improvements

  • gh aw list false positive "Compiled: No" — The compiler now uses a frontmatter content hash instead of file mtime to detect compiled status, fixing incorrect results after git checkout. (#25364)

  • safe-outputs type imports — Types declared in imported safe-outputs schemas are no longer silently dropped when the main workflow also defines safe-outputs. (#25402)

  • gh aw add-wizard HTTPS auth fix — The wizard no longer fails authentication when the git remote uses an HTTPS URL with an embedded username. (#25375)

  • Playwright MCP logs directory: chmod 777 applied to the playwright mcp-logs directory so non-root Docker containers can write logs correctly. (#25417)

  • Stale actions-lock.json entries pruned — Compilation now removes stale gh-aw-actions entries from actions-lock.json, preventing stale pin accumulation across releases. (#25361)

  • CLI proxy RUNNER_TEMP quoting: ${RUNNER_TEMP} in generated shell commands is now properly quoted and template expressions in run: blocks are handled correctly. (#25330)

📚 Documentation

  • Developer docs consolidated (v5.6): broken README links fixed and tone updated. (#25446)
  • Slash command guidance added for the SideRepoOps pattern.
  • dispatch-ops.md condensed by 24% for easier reading. (#25423)

🌍 Community Contributions

... (truncated)

Commits
  • 78323e8 Fix silent startup crash in Copilot engine by pinning CLI to v1.0.20 (#25499)
  • b8fb045 feat(safe-outputs): add allowed-events filter to `submit-pull-request-revie...
  • 613551f feat: bump firewall to v0.25.18 and MCPG to v0.2.17 (#25505)
  • 51b6638 fix: update sanitize_title test to match NFKC normalization behavior for U+30...
  • daedb1e fix: remove observability/OTLP import from smoke-claude and smoke-copilot wor...
  • 9aef501 SafeOutputs: add NFKC + Cyrillic/Greek homoglyph normalization; harden threat...
  • 9fbff36 fix: discussion label updates truncated to 3 instead of max labels (#25430)
  • 03f3cf5 jsweep: clean add_labels.cjs (#25428)
  • 8ceb4dc [code-simplifier] refactor: extract resolveProxyContainerImage helper in comp...
  • efde1b5 Create shared/security-analysis-base.md for daily security scan workflows (#2...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.67.1 to 0.67.4.
- [Release notes](https://github.com/github/gh-aw/releases)
- [Commits](github/gh-aw@v0.67.1...v0.67.4)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.67.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) on Apr 10, 2026
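
The two Security Hardening items in the release notes above (NFKC normalization with Cyrillic/Greek homoglyph detection, and comment removal before mention neutralization) describe a sanitization pipeline whose step order matters. The sketch below is an added example, not part of this PR and not gh-aw's code: every function name, the confusables table and the sample inputs are constructed assumptions, and `removeComments` only stands in for the `removeXmlComments` step the notes name.

```javascript
// Added example, not gh-aw code: all names and the confusables table are hypothetical.
const CONFUSABLES = new Map([
  ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"], // Cyrillic
  ["\u0441", "c"], ["\u0445", "x"], ["\u0456", "i"], ["\u0455", "s"], // Cyrillic
  ["\u03b1", "a"], ["\u03bf", "o"], ["\u03bd", "v"], ["\u03c1", "p"], // Greek
]);

// Fold lookalikes only in tokens that also contain ASCII letters (mixed script),
// so genuinely Cyrillic or Greek words pass through untouched.
function foldHomoglyphs(text) {
  const flagged = [];
  const folded = text.replace(/[\p{L}\p{N}]+/gu, (token) => {
    const chars = [...token];
    if (!chars.some((c) => CONFUSABLES.has(c)) || !/[A-Za-z]/.test(token)) return token;
    flagged.push(token);
    return chars.map((c) => CONFUSABLES.get(c) ?? c).join("");
  });
  return { folded, flagged };
}

// Strip comments until the text is stable, so fragments cannot rejoin into a new one.
function removeComments(text) {
  let prev;
  do {
    prev = text;
    text = text.replace(/<!--[\s\S]*?-->/g, "");
  } while (text !== prev);
  return text;
}

// Wrap @mentions in backticks so the rendered text notifies nobody.
function neutralizeMentions(text) {
  return text.replace(/(^|[^\w`])@([A-Za-z0-9][A-Za-z0-9-]*)/g, "$1`@$2`");
}

// Hardened order: normalize, fold, strip comments, and only then neutralize mentions.
function sanitize(input) {
  const { folded, flagged } = foldHomoglyphs(input.normalize("NFKC"));
  return { text: neutralizeMentions(removeComments(folded)), flagged };
}

// Reversed order, for comparison: the comment splits "@" from the name, the regex
// sees no mention, and stripping the comment afterwards leaves a live one.
function sanitizeMentionsFirst(input) {
  return removeComments(neutralizeMentions(input.normalize("NFKC")));
}
```

The mixed-script rule is a deliberate simplification: a token made entirely of lookalike letters is not flagged, so a production check would need a fuller confusables source.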