Bump github/gh-aw from 0.64.0 to 0.64.2

[dependabot]

Bumps github/gh-aw from 0.64.0 to 0.64.2.

Release notes

Sourced from github/gh-aw's releases.

v0.64.2

🌟 Release Highlights

This release delivers a new cross-run security audit report command, an important YAML injection security fix, several resilience improvements for large repositories and PR creation workflows, and resolves three community-reported issues.

✨ What's New

gh aw audit report — Cross-Run Security Audit Reports

A new gh aw audit report subcommand aggregates firewall behavior across multiple workflow runs, producing an executive summary, domain inventory, and per-run breakdown — ideal for security reviews and compliance checks.

gh aw audit report --workflow "agent-task" --last 10       # Markdown (default)
gh aw audit report --last 5 --json                         # JSON for dashboards
gh aw audit report --format pretty --repo owner/repo       # Console output

Supports --workflow, --last, --format (markdown/pretty/json), and --repo flags.

🐛 Bug Fixes & Improvements

• Security: YAML env injection prevention — All env: emission sites in the compiler now use %q-escaped YAML scalars, preventing newlines or quote characters in frontmatter values (e.g. bot names) from injecting sibling env variables into .lock.yml files. A bots schema pattern now rejects structurally dangerous characters at parse time.

• Fix ENOBUFS crash in push_repo_memory on large repos — Repos with 10K+ files (e.g. Azure/azure-sdk-for-js) no longer crash during memory operations. Replaced git rm -r -f (which overflowed the pipe buffer) with git read-tree --empty + fs.rmSync, and removed the unnecessary git sparse-checkout disable call.

• Fix gh aw upgrade when no GitHub Releases exist — gh aw upgrade now falls back to git tag scanning when the Releases API returns an empty list (e.g. for github/gh-aw-actions/setup). Both resolution paths filter out prerelease versions to ensure stable upgrades.

• Fix gh aw init MCP configuration for VS Code — The generated .vscode/mcp.json no longer includes an unsupported cwd field that caused spawn gh ENOENT errors in Copilot CLI.

• Pin setup-cli action to commit SHA — generateInstallCLISteps now resolves the setup-cli action through the ActionSHAResolver (consistent with all other generated actions), replacing mutable tag references with pinned SHAs.

• PR creation resilience: conflict fallback — When git am --3way fails due to merge conflicts, PR creation now falls back to the original base commit so GitHub can surface the conflicts for manual resolution, rather than failing outright.

• Fix signed-commit push for CI trigger token — When GH_AW_CI_TRIGGER_TOKEN is set and pushSignedCommits creates a branch via GraphQL, the follow-up empty commit push no longer fails with a non-fast-forward error.

• microsoft/apm-action bumped to v1.4.1 — Fixes token handling for cross-org private repository installs where v1.4.0 shadowed the caller-provided GITHUB_TOKEN.

• ci-doctor: paginate check-runs API — CI Doctor now uses --paginate to collect all check runs, fixing silent truncation at 30 items on PRs with large CI suites.

• Improved branch sync error messaging — Branch sync failures now surface the underlying error message at warning level for easier debugging.

• Detection model aligned with agent default — GetDefaultDetectionModel now returns claude-sonnet-4.6, matching the main agent default.

---

🌍 Community Contributions

... (truncated)

Commits

• 72346ee research: update Ubuntu runner image analysis for 2026-03-26 (#23177)
• 338c08a fix: escape YAML env values to prevent structure injection (all remaining sit...
• 6607ddb fix: align GetDefaultDetectionModel with main agent default (claude-sonnet-4....
• 561874d build(deps): bump fast-xml-parser (#23164)
• a68967c bump microsoft/apm-action to v1.4.1, add DefaultAPMActionVersion constant, re...
• e3484fe Fix: fallback to git tags when GitHub Releases API returns empty for gh aw up...
• eae570b fix: SHA-pin setup-cli action references in maintenance workflow generation (...
• bbdbca3 fix: fetch remote branch before pushing CI trigger empty commit to avoid non-...
• 92f66ac Fall back to original base commit when git am --3way fails due to merge confl...
• 476d00c Remove unsupported cwd from generated .vscode/mcp.json (#23144)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud