
Bump github/gh-aw from 0.62.4 to 0.64.2 in the github-actions-minor-patch group#609

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-minor-patch-9f7de999b1

Conversation


@dependabot dependabot bot commented on behalf of github Mar 27, 2026

Bumps the github-actions-minor-patch group with 1 update: github/gh-aw.

Updates github/gh-aw from 0.62.4 to 0.64.2

Release notes

Sourced from github/gh-aw's releases.

v0.64.2

🌟 Release Highlights

This release delivers a new cross-run security audit report command, an important YAML injection security fix, several resilience improvements for large repositories and PR creation workflows, and resolves three community-reported issues.

✨ What's New

gh aw audit report — Cross-Run Security Audit Reports

A new gh aw audit report subcommand aggregates firewall behavior across multiple workflow runs, producing an executive summary, domain inventory, and per-run breakdown — ideal for security reviews and compliance checks.

gh aw audit report --workflow "agent-task" --last 10       # Markdown (default)
gh aw audit report --last 5 --json                         # JSON for dashboards
gh aw audit report --format pretty --repo owner/repo       # Console output

Supports --workflow, --last, --format (markdown/pretty/json), and --repo flags.

🐛 Bug Fixes & Improvements

  • Security: YAML env injection prevention — All env: emission sites in the compiler now use %q-escaped YAML scalars, preventing newlines or quote characters in frontmatter values (e.g. bot names) from injecting sibling env variables into .lock.yml files. A bots schema pattern now rejects structurally dangerous characters at parse time.

  • Fix ENOBUFS crash in push_repo_memory on large repos — Repos with 10K+ files (e.g. Azure/azure-sdk-for-js) no longer crash during memory operations. Replaced git rm -r -f (which overflowed the pipe buffer) with git read-tree --empty + fs.rmSync, and removed the unnecessary git sparse-checkout disable call.

  • Fix gh aw upgrade when no GitHub Releases exist — gh aw upgrade now falls back to git tag scanning when the Releases API returns an empty list (e.g. for github/gh-aw-actions/setup). Both resolution paths filter out prerelease versions to ensure stable upgrades.

  • Fix gh aw init MCP configuration for VS Code — The generated .vscode/mcp.json no longer includes an unsupported cwd field that caused spawn gh ENOENT errors in Copilot CLI.

  • Pin setup-cli action to commit SHA — generateInstallCLISteps now resolves the setup-cli action through the ActionSHAResolver (consistent with all other generated actions), replacing mutable tag references with pinned SHAs.

  • PR creation resilience: conflict fallback — When git am --3way fails due to merge conflicts, PR creation now falls back to the original base commit so GitHub can surface the conflicts for manual resolution, rather than failing outright.

  • Fix signed-commit push for CI trigger token — When GH_AW_CI_TRIGGER_TOKEN is set and pushSignedCommits creates a branch via GraphQL, the follow-up empty commit push no longer fails with a non-fast-forward error.

  • microsoft/apm-action bumped to v1.4.1 — Fixes token handling for cross-org private repository installs where v1.4.0 shadowed the caller-provided GITHUB_TOKEN.

  • ci-doctor: paginate check-runs API — CI Doctor now uses --paginate to collect all check runs, fixing silent truncation at 30 items on PRs with large CI suites.

  • Improved branch sync error messaging — Branch sync failures now surface the underlying error message at warning level for easier debugging.

  • Detection model aligned with agent default — GetDefaultDetectionModel now returns claude-sonnet-4.6, matching the main agent default.


🌍 Community Contributions

... (truncated)

Commits
  • 72346ee research: update Ubuntu runner image analysis for 2026-03-26 (#23177)
  • 338c08a fix: escape YAML env values to prevent structure injection (all remaining sit...
  • 6607ddb fix: align GetDefaultDetectionModel with main agent default (claude-sonnet-4....
  • 561874d build(deps): bump fast-xml-parser (#23164)
  • a68967c bump microsoft/apm-action to v1.4.1, add DefaultAPMActionVersion constant, re...
  • e3484fe Fix: fallback to git tags when GitHub Releases API returns empty for gh aw up...
  • eae570b fix: SHA-pin setup-cli action references in maintenance workflow generation (...
  • bbdbca3 fix: fetch remote branch before pushing CI trigger empty commit to avoid non-...
  • 92f66ac Fall back to original base commit when git am --3way fails due to merge confl...
  • 476d00c Remove unsupported cwd from generated .vscode/mcp.json (#23144)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
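As an added illustration of the YAML env injection fix listed in the release notes above (example code written for this page, not gh-aw's own compiler code): it contrasts emitting an env: value as a bare scalar with emitting it as a %q-escaped double-quoted scalar, using a constructed bot name that contains a newline. The key names and the line-based key counter are assumptions; the counter is a simplified stand-in for how a YAML parser splits the mapping.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// envEntry is one key/value pair destined for an env: block in a .lock.yml.
type envEntry struct {
	Key, Value string
}

// emitEnvBare writes values as bare YAML scalars (the pre-fix behaviour):
// a value containing a newline becomes a second mapping entry.
func emitEnvBare(entries []envEntry) string {
	var b strings.Builder
	b.WriteString("env:\n")
	for _, e := range entries {
		fmt.Fprintf(&b, "  %s: %s\n", e.Key, e.Value)
	}
	return b.String()
}

// emitEnvQuoted writes every value as a %q-escaped double-quoted scalar,
// so newlines and quotes stay inside the string as \n and \".
func emitEnvQuoted(entries []envEntry) string {
	var b strings.Builder
	b.WriteString("env:\n")
	for _, e := range entries {
		fmt.Fprintf(&b, "  %s: %q\n", e.Key, e.Value)
	}
	return b.String()
}

// keyLine approximates how a YAML parser splits the env: mapping:
// a line of exactly two spaces, a key and ": " starts a new entry.
var keyLine = regexp.MustCompile(`(?m)^  ([A-Za-z_][A-Za-z0-9_]*): `)

// envKeys returns the keys the emitted env: block exposes to a parser.
func envKeys(doc string) []string {
	var keys []string
	for _, m := range keyLine.FindAllStringSubmatch(doc, -1) {
		keys = append(keys, m[1])
	}
	return keys
}

func main() {
	// Constructed hostile bot name: a newline followed by a sibling-looking entry.
	hostile := "copilot\n  INJECTED: from-bot-name"
	entries := []envEntry{{Key: "GH_AW_BOT_NAME", Value: hostile}}
	fmt.Println("bare:  ", envKeys(emitEnvBare(entries)))   // [GH_AW_BOT_NAME INJECTED]
	fmt.Println("quoted:", envKeys(emitEnvQuoted(entries))) // [GH_AW_BOT_NAME]
}
```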

@dependabot dependabot bot added labels: debt (Code quality issues), dependencies (Pull requests that update a dependency file), no-changelog (don't include this item in release notes) Mar 27, 2026
@github-actions github-actions bot enabled auto-merge (squash) March 27, 2026 19:45
Bumps the github-actions-minor-patch group with 1 update: [github/gh-aw](https://github.com/github/gh-aw).


Updates `github/gh-aw` from 0.62.4 to 0.64.2
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@a898ed7...72346ee)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.64.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-minor-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-minor-patch-9f7de999b1 branch from 188f836 to 4aac467 Compare April 3, 2026 19:43

dependabot bot commented on behalf of github Apr 10, 2026

Looks like github/gh-aw is updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Apr 10, 2026
auto-merge was automatically disabled April 10, 2026 19:43

Pull request was closed

@dependabot dependabot bot deleted the dependabot/github_actions/github-actions-minor-patch-9f7de999b1 branch April 10, 2026 19:43