
chore(deps): bump the github-actions group across 1 directory with 4 updates #201

Closed
dependabot[bot] wants to merge 1 commit into main from
dependabot/github_actions/github-actions-b3212d7f59

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 6, 2026

Bumps the github-actions group with 4 updates in the / directory: github/gh-aw, taiki-e/install-action, sigstore/cosign-installer and crate-ci/typos.

Updates github/gh-aw from 0.61.2 to 0.67.0

Release notes

Sourced from github/gh-aw's releases.

v0.67.0

🌟 Release Highlights

This release delivers a major observability milestone with full OTLP trace export support, resolves critical GitHub MCP App token authentication bugs, expands the environment variable reference documentation, and addresses a wave of community-reported issues across self-hosted runners, cross-repo workflows, and the Codex engine.

✨ What's New

📡 OTLP Trace Export (observability.otlp)

Workflows can now export structured OpenTelemetry spans to any OTLP-compatible backend (e.g. Honeycomb, Grafana Tempo, Sentry) with a single frontmatter block:

observability:
  otlp:
    endpoint: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
    headers: ${{ secrets.GH_AW_OTEL_HEADERS }}

Every job emits setup and conclusion spans with rich attributes (gh-aw.job.name, gh-aw.workflow.name, gh-aw.engine.id, token usage, and more). Cross-job trace correlation is wired automatically — all jobs in a run share a single trace ID originating from the activation job. Dispatched child workflows inherit the parent's trace context via aw_context, giving you end-to-end visibility across composite workflow chains. When a static endpoint URL is provided, its hostname is automatically added to the AWF firewall allowlist.

📚 Environment Variable Reference

A new comprehensive Environment Variables reference section covers CLI configuration (DEBUG, GH_AW_FEATURES, …), per-phase model override variables (GH_AW_MODEL_AGENT_*), and guard policy fallback variables (GH_AW_GITHUB_BLOCKED_USERS, GH_AW_GITHUB_TRUSTED_USERS) — previously discoverable only by reading source code.

🐛 Bug Fixes & Improvements

  • GitHub MCP App token always empty: actions/create-github-app-token masks its output token and GitHub Actions runner v2.308+ silently drops masked values from job outputs, causing github_mcp_app_token to always arrive empty in the agent job (GitHub MCP server ran unauthenticated). The token is now minted directly in the agent job to avoid the cross-job output masking issue. (closes #24569)

  • Duplicate "Generate GitHub App token" step — when multiple checkout: entries fell back to the top-level github-app:, the compiler produced steps with the same name, causing a duplicate-step validation error. Each step is now uniquely named. (closes #24573)

  • Tavily MCP docs and mcp inspect missing servers — the web-search guide referenced the wrong npm package (@tavily/mcp-server rather than @tavily/mcp) and a dead GitHub URL. Additionally, gh aw mcp inspect now correctly reports MCP servers defined in imported workflows and handles on: issues string triggers. (closes #24567)

  • repo-memory file-glob patterns silently skipping files — documentation and several built-in workflow templates incorrectly instructed agents to prefix file-glob patterns with the branch path (e.g. memory/branch-name/*.json). Patterns are matched against relative paths from the artifact directory, so bare extension patterns (*.json) are correct. All affected workflows and the reference docs have been fixed.

  • Remote workflow calls — fixed a regression that broke workflow_call triggers in cross-repository setups. (closes #24422)

  • workflow_call missing ref: in cross-repo checkout — activation job now correctly passes ref: when checking out a target repository for workflow_call triggers. (closes #20508)

  • setup.sh create_dir() fails on self-hosted Linux runners: create_dir() now uses sudo when the runner user lacks write access to /opt/. (closes #20283)

  • Codex engine on self-hosted runners — the vendored codex-x86_64-unknown-linux-musl binary now correctly supports --dangerously-bypass-approvals-and-sandbox. (closes #20157)

  • GH_AW_SAFE_OUTPUTS_CONFIG_PATH / GH_AW_SAFE_OUTPUTS_TOOLS_PATH not available as env vars — these paths are now written to both GITHUB_OUTPUT and GITHUB_ENV so downstream jobs can reference them as environment variables. (closes #23092)

  • agent_version: latest causes 400 Bad Request with Gemini models — version resolution now correctly handles latest for model/version combinations that do not support it. (closes #20833)

  • Runtime parameterization of frontmatter fields — compile-time frontmatter fields can now be overridden at runtime via ${{ vars.* }} or ${{ secrets.* }} expressions in supported fields. (closes #23724)

🔧 Internal

... (truncated)

Commits
  • 245d168 ci-cleaner: switch to Claude with max-turns, scope recompile, add exit guardr...
  • 73887bf Fix invalid Tavily MCP package name/link in docs and mcp inspect missing serv...
  • c816157 refactor: extract shared OTLP observability config, import in 30% of workflow...
  • 16c5c53 fix: move selection to agent, keep only log download as pre-step (#24637)
  • cbe27b7 fix: move optimizer data loading to pre-agentic steps (#24625)
  • 7acccb4 fix: correct file-glob pattern docs and workflows for repo-memory (#24621)
  • 730ce5e fix: update broken anchor link in glossary.md for audit diff command (#24620)
  • c69880d fix: unique step names for checkout GitHub App token minting steps (#24609)
  • 021d1a9 fix: remove branch-name prefix from repo-memory glob filter (#24613)
  • 1a77097 feat: propagate pre-activation trace-id to activation job and reduce setup.sh...
  • Additional commits viewable in compare view

Updates taiki-e/install-action from 2.68.36 to 2.73.0

Release notes

Sourced from taiki-e/install-action's releases.

2.73.0

  • Introduce dependency cooldown when installing with taiki-e/install-action@<tool_name>, tool: <tool_name>@latest, or tool: <tool_name>@<omitted_version> to mitigate the risk of supply chain attacks by default. (#1666)

    This action without this cooldown already takes a few hours to a few days for new releases to be reflected (as with other common package managers that verify checksums or signatures), so this should not affect most users.

    See the "Security" section in readme for more details.

  • Improve robustness for network failure.

  • Documentation improvements.

2.72.0

  • Support cargo-xwin. (#1659, thanks @daxpedda)

  • Support trailing comma in tool input option.

  • Update tombi@latest to 0.9.14.

2.71.3

  • Update wasm-tools@latest to 1.246.2.

  • Update mise@latest to 2026.4.3.

2.71.2

  • Implement workaround for windows-11-arm runner bug which sometimes causes installation failure. (#1657)

    This addresses an issue that was attempted to be worked around in 2.71.0 but was insufficient.

  • Update mise@latest to 2026.4.1.

  • Update uv@latest to 0.11.3.

2.71.1

  • Fix a regression that caused an execution policy violation on self-hosted Windows runner due to use of non-default powershell shell, introduced in 2.71.0.

  • Update dprint@latest to 0.53.2.

2.71.0

  • Support wasm-tools. (#1642, thanks @crepererum)

  • Support covgate. (#1613, thanks @jesse-black)

  • Implement potential workaround for windows-11-arm runner bug which sometimes causes issue that the action successfully completes but the tool is not installed. (#1647)

  • Update typos@latest to 1.45.0.

  • Update mise@latest to 2026.4.0.

  • Update cargo-careful@latest to 0.4.10.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

  • Update just@latest to 1.49.0.

  • Update mise@latest to 2026.4.4.

  • Support cargo-deb. (#1669)

[2.73.0] - 2026-04-05

  • Introduce dependency cooldown when installing with taiki-e/install-action@<tool_name>, tool: <tool_name>@latest, or tool: <tool_name>@<omitted_version> to mitigate the risk of supply chain attacks by default. (#1666)

    This action without this cooldown already takes a few hours to a few days for new releases to be reflected (as with other common package managers that verify checksums or signatures), so this should not affect most users.

    See the "Security" section in readme for more details.

  • Improve robustness for network failure.

  • Documentation improvements.

[2.72.0] - 2026-04-04

  • Support cargo-xwin. (#1659, thanks @daxpedda)

  • Support trailing comma in tool input option.

  • Update tombi@latest to 0.9.14.

[2.71.3] - 2026-04-04

  • Update wasm-tools@latest to 1.246.2.

  • Update mise@latest to 2026.4.3.

[2.71.2] - 2026-04-02

  • Implement workaround for windows-11-arm runner bug which sometimes causes installation failure. (#1657)

    This addresses an issue that was attempted to be worked around in 2.71.0 but was insufficient.

... (truncated)

Commits
  • 7a562df Release 2.73.0
  • 561f72e Revert "Remove duplicated retry"
  • eab6539 codegen: Exclude very recently released version from candidate for
  • 11f5a99 codegen: Detect deleted releases
  • 5311ff9 ci: Update release workflow
  • de6f061 Release 2.72.0
  • bdc2e27 Add warning for disabling checksum
  • 3f315c9 Update changelog
  • c4735dd Replace some grep with [[ == ]]
  • f43d7b2 Accept trailing comma in tool input option
  • Additional commits viewable in compare view

Updates sigstore/cosign-installer from 4.1.0 to 4.1.1

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.1

What's Changed

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

Commits

Updates crate-ci/typos from 1.44.0 to 1.45.0

Release notes

Sourced from crate-ci/typos's releases.

v1.45.0

[1.45.0] - 2026-04-01

Features

  • Updated the dictionary with the March 2026 changes

Changelog

Sourced from crate-ci/typos's changelog.

Change Log

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[Unreleased] - ReleaseDate

[1.45.0] - 2026-04-01

Features

  • Updated the dictionary with the March 2026 changes

[1.44.0] - 2026-02-27

Features

[1.43.5] - 2026-02-16

Fixes

  • (pypi) Hopefully fix the sdist build

[1.43.4] - 2026-02-09

Fixes

  • Don't correct pincher

[1.43.3] - 2026-02-06

Fixes

  • (action) Adjust how typos are reported to github

[1.43.2] - 2026-02-05

Fixes

  • Don't correct certifi in Python

[1.43.1] - 2026-02-03

Fixes

  • Don't correct consts

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
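The dependency cooldown that taiki-e/install-action 2.73.0 introduces above (a release is not a candidate until it has been public for a while, and deleted releases are detected) and the full-commit-SHA pinning that these Dependabot bumps maintain, shown as an added example. This is not code from this repository, from Dependabot or from install-action; the action name `example/tool`, its release catalog, SHAs and dates are constructed for the demo, and the cooldown window of 7 days is an assumed policy value.

```python
"""Audit GitHub Actions `uses:` pins against a release catalog with a cooldown.

Added example: not code from this repository, Dependabot or taiki-e/install-action.
The action name, releases, SHAs and dates below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref # vX.Y.Z"; the trailing comment is optional.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)(?:\s*#\s*(\S+))?")


@dataclass(frozen=True)
class Release:
    tag: str
    sha: str                 # commit the tag pointed at when the catalog was recorded
    published: datetime
    deleted: bool = False    # release/tag removed upstream after publication


NOW = datetime(2026, 4, 6, tzinfo=timezone.utc)
COOLDOWN = timedelta(days=7)   # assumed policy value

# Constructed catalog for a hypothetical action; SHAs are placeholders.
CATALOG = {
    "example/tool": [
        Release("v2.73.0", "3" * 40, NOW - timedelta(hours=20)),
        Release("v2.72.0", "2" * 40, NOW - timedelta(days=2)),
        Release("v2.71.3", "1" * 40, NOW - timedelta(days=10)),
        Release("v2.71.2", "4" * 40, NOW - timedelta(days=12), deleted=True),
    ],
}


def semver_key(tag: str) -> tuple:
    return tuple(int(p) for p in tag.lstrip("v").split("."))


def select_with_cooldown(releases, now=NOW, cooldown=COOLDOWN) -> Optional[Release]:
    """Newest non-deleted release that has been public for at least `cooldown`.

    A freshly pushed release (possibly from a compromised maintainer account or
    CI token) is not eligible until it has survived in the open for the window.
    """
    eligible = [r for r in releases if not r.deleted and now - r.published >= cooldown]
    return max(eligible, key=lambda r: semver_key(r.tag), default=None)


def suggest_pin(action: str, catalog=CATALOG, now=NOW, cooldown=COOLDOWN) -> Optional[str]:
    """Return a `uses:` value pinned to the full SHA, with the tag kept as a comment."""
    rel = select_with_cooldown(catalog.get(action, []), now, cooldown)
    return None if rel is None else f"{action}@{rel.sha} # {rel.tag}"


def audit(workflow_text: str, catalog=CATALOG, now=NOW, cooldown=COOLDOWN):
    """Classify each `uses:` line: mutable ref, SHA/tag mismatch, deleted, fresh or ok."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, tag = m.groups()
        if not SHA_RE.match(ref):
            status = "unpinned: mutable ref, pin to a full commit SHA"
        elif action not in catalog or tag is None:
            status = "pinned: no catalog entry to cross-check"
        else:
            rel = next((r for r in catalog[action] if r.tag == tag), None)
            if rel is None:
                status = f"unknown tag {tag} in comment"
            elif rel.sha != ref:
                status = f"sha does not match recorded {tag} (tag moved or comment is stale)"
            elif rel.deleted:
                status = f"{tag} was deleted upstream"
            elif now - rel.published < cooldown:
                status = f"{tag} published {now - rel.published} ago, inside cooldown"
            else:
                status = "ok"
        findings.append((action, ref, status))
    return findings


# Constructed workflow fragment that exercises every branch of audit().
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example/tool@1111111111111111111111111111111111111111 # v2.71.3
      - uses: example/tool@2222222222222222222222222222222222222222 # v2.72.0
      - uses: example/tool@4444444444444444444444444444444444444444 # v2.71.2
      - uses: example/tool@5555555555555555555555555555555555555555 # v2.71.3
"""

if __name__ == "__main__":
    for action, ref, status in audit(SAMPLE_WORKFLOW):
        print(f"{action}@{ref[:12]}: {status}")
    print("suggested:", suggest_pin("example/tool"))
```

The catalog is what you would record the first time you pin a tag: tag, the SHA it resolved to, and when it was published. Re-running the audit later catches a tag that was moved to a different commit, a release that disappeared, and a bump that lands inside the cooldown window, which is the same class of risk the install-action change is guarding against by default.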

…updates

Bumps the github-actions group with 4 updates in the / directory: [github/gh-aw](https://github.com/github/gh-aw), [taiki-e/install-action](https://github.com/taiki-e/install-action), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [crate-ci/typos](https://github.com/crate-ci/typos).


Updates `github/gh-aw` from 0.61.2 to 0.67.0
- [Release notes](https://github.com/github/gh-aw/releases)
- [Commits](github/gh-aw@v0.61.2...v0.67.0)

Updates `taiki-e/install-action` from 2.68.36 to 2.73.0
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@3a91142...7a562df)

Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@ba7bc0a...cad07c2)

Updates `crate-ci/typos` from 1.44.0 to 1.45.0
- [Release notes](https://github.com/crate-ci/typos/releases)
- [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md)
- [Commits](crate-ci/typos@631208b...02ea592)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.67.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.73.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: crate-ci/typos
  dependency-version: 1.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Apr 6, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from zircote as a code owner April 6, 2026 14:22
@github-actions github-actions Bot enabled auto-merge (squash) April 6, 2026 14:22

dependabot Bot commented on behalf of github Apr 13, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 13, 2026
auto-merge was automatically disabled April 13, 2026 15:35

Pull request was closed

@dependabot dependabot Bot deleted the dependabot/github_actions/github-actions-b3212d7f59 branch April 13, 2026 15:35