Bump github/gh-aw from 0.67.4 to 0.68.1

[dependabot]

Bumps github/gh-aw from 0.67.4 to 0.68.1.

Release notes

Sourced from github/gh-aw's releases.

v0.68.1

🌟 Release Highlights

This release delivers a critical Copilot CLI reliability hotfix, a new engine.bare control for AI context management, significant security hardening, and resolutions for 9 community-reported issues.

✨ What's New

• engine.bare frontmatter field — Disable automatic context loading for supported engines, giving you full control over what the AI agent sees. Use bare: true with copilot (suppresses AGENTS.md and user instructions) or claude (suppresses CLAUDE.md memory files). Unsupported engines emit a compiler warning. (#25661)

• Frontmatter hash checker improvements — When a stale lock file is detected, the activation job now emits step-by-step [hash-debug] log lines and creates a clear, actionable issue/comment (with progressive disclosure) to guide you through fixing it. (#25571)

• actions/github-script upgraded to v9 — Scripts now get getOctokit as a built-in context parameter, eliminating the need for dynamic @actions/github imports in safe-output handlers. (#25553)

• Squash-merge fallback in gh aw add — When a repository disallows merge commits, the setup PR now automatically falls back to squash merge rather than failing. (#25609)

🐛 Bug Fixes & Improvements

• [Critical] Copilot CLI pinned to v1.0.21 — Fixes Copilot-engine workflows that were hanging indefinitely or producing 0-byte output due to incompatibilities with v1.0.22. v1.0.21 is the last confirmed working version. (#25689)

• Security: agent-stdio.log permissions hardened — Log file is now pre-created with 0600 permissions before tee writes, preventing world-readable exposure of MCP gateway bearer tokens. Dynamic gateway token redaction added to redact_secrets.cjs. (#25618)

• Agent file injection fixed for Codex and Gemini — Both engines now read INSTRUCTION from prompt.txt (already assembled by the compiler), eliminating fragile shell-variable injection and double-inclusion of agent file content. (#25681)

• Claude agent file injection fixed — Claude now reliably reads its agent file via prompt.txt in AWF sandbox mode, resolving crashes caused by --env-all not propagating shell variables into AWF containers. (#25589)

• Write-to-read codemod no longer converts id-token/copilot-requests — The "Convert write permissions to read" codemod now correctly skips write-only permissions that cannot meaningfully be set to read. (#25604)

• Race condition in PR checkout — When a PR is merged milliseconds after triggering a workflow (stale state: open in the payload), the agent now re-queries the API before treating the checkout failure as a hard error. (#25581)

• CLI consistency fixes — Aligned --dir flag semantics across add/add-wizard/compile/fix/upgrade; added missing --dir flag to remove; corrected misleading --no-fix description; improved help text for trial, run, mcp add, and pr transfer. (#25658)

• smoke-gemini now triggers on the smoke label — Fixes the Gemini smoke test being excluded from the standard PR smoke suite. (#25639)

📚 Documentation

• firewall-audit-logs artifact reference — New docs/reference/artifacts.md documents all artifact names, their download paths, and the correct way to access token usage data (it lives in firewall-audit-logs, not agent). (#25684)

🌍 Community Contributions

@adamhenson

• compiled lock files hardcode github.token in Configure Git credentials steps -- breaks in sandboxed runners (direct issue)

@bbonafed

• MCP Gateway container missing ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN env vars (direct issue)

... (truncated)

Commits

• 5a06d31 fix: bump Copilot CLI from v1.0.20 to v1.0.21 (#25689)
• cc56642 Doc: document firewall-audit-logs artifact name for downstream consumers (#...
• 5b9e980 feat: add engine.bare frontmatter field to suppress automatic context loading...
• 17dff22 fix: set supportsNativeAgentFile=false for Codex and Gemini engines; remove a...
• a0803a5 fix(cli): address 7 CLI consistency issues across help text and flag behavior...
• e61c83d security: fix agent-stdio.log world-readable exposure and MCP gateway token l...
• 314d821 refactor: centralize close-flow logic into shared createCloseEntityHandler ...
• 7b2108a fix(smoke-gemini): trigger on "smoke" label instead of "water" (#25639)
• c144ee3 test: add regression coverage for .github/agents/ root-relative import path...
• a8dedce chore: remove dead functions — 5 functions removed (#25630)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud