
chore(deps): bump the github-actions group across 1 directory with 6 updates #205

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-3d9d18deae


@dependabot dependabot Bot commented on behalf of github Apr 13, 2026

Bumps the github-actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| actions/upload-artifact | 7.0.0 | 7.0.1 |
| github/gh-aw | 0.61.2 | 0.68.1 |
| docker/build-push-action | 7.0.0 | 7.1.0 |
| taiki-e/install-action | 2.68.36 | 2.75.9 |
| sigstore/cosign-installer | 4.1.0 | 4.1.1 |
| crate-ci/typos | 1.44.0 | 1.45.1 |

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • See full diff in compare view

Updates github/gh-aw from 0.61.2 to 0.68.1

Release notes

Sourced from github/gh-aw's releases.

v0.68.1

🌟 Release Highlights

This release delivers a critical Copilot CLI reliability hotfix, a new engine.bare control for AI context management, significant security hardening, and resolutions for 9 community-reported issues.

✨ What's New

  • engine.bare frontmatter field — Disable automatic context loading for supported engines, giving you full control over what the AI agent sees. Use bare: true with copilot (suppresses AGENTS.md and user instructions) or claude (suppresses CLAUDE.md memory files). Unsupported engines emit a compiler warning. (#25661)

  • Frontmatter hash checker improvements — When a stale lock file is detected, the activation job now emits step-by-step [hash-debug] log lines and creates a clear, actionable issue/comment (with progressive disclosure) to guide you through fixing it. (#25571)

  • actions/github-script upgraded to v9 — Scripts now get getOctokit as a built-in context parameter, eliminating the need for dynamic @actions/github imports in safe-output handlers. (#25553)

  • Squash-merge fallback in gh aw add — When a repository disallows merge commits, the setup PR now automatically falls back to squash merge rather than failing. (#25609)

🐛 Bug Fixes & Improvements

  • [Critical] Copilot CLI pinned to v1.0.21 — Fixes Copilot-engine workflows that were hanging indefinitely or producing 0-byte output due to incompatibilities with v1.0.22. v1.0.21 is the last confirmed working version. (#25689)

  • Security: agent-stdio.log permissions hardened — Log file is now pre-created with 0600 permissions before tee writes, preventing world-readable exposure of MCP gateway bearer tokens. Dynamic gateway token redaction added to redact_secrets.cjs. (#25618)

  • Agent file injection fixed for Codex and Gemini — Both engines now read INSTRUCTION from prompt.txt (already assembled by the compiler), eliminating fragile shell-variable injection and double-inclusion of agent file content. (#25681)

  • Claude agent file injection fixed — Claude now reliably reads its agent file via prompt.txt in AWF sandbox mode, resolving crashes caused by --env-all not propagating shell variables into AWF containers. (#25589)

  • Write-to-read codemod no longer converts id-token/copilot-requests — The "Convert write permissions to read" codemod now correctly skips write-only permissions that cannot meaningfully be set to read. (#25604)

  • Race condition in PR checkout — When a PR is merged milliseconds after triggering a workflow (stale state: open in the payload), the agent now re-queries the API before treating the checkout failure as a hard error. (#25581)

  • CLI consistency fixes — Aligned --dir flag semantics across add/add-wizard/compile/fix/upgrade; added missing --dir flag to remove; corrected misleading --no-fix description; improved help text for trial, run, mcp add, and pr transfer. (#25658)

  • smoke-gemini now triggers on the smoke label — Fixes the Gemini smoke test being excluded from the standard PR smoke suite. (#25639)

📚 Documentation

  • firewall-audit-logs artifact reference — New docs/reference/artifacts.md documents all artifact names, their download paths, and the correct way to access token usage data (it lives in firewall-audit-logs, not agent). (#25684)

🌍 Community Contributions

@adamhenson

@bbonafed

... (truncated)

Commits
  • 5a06d31 fix: bump Copilot CLI from v1.0.20 to v1.0.21 (#25689)
  • cc56642 Doc: document firewall-audit-logs artifact name for downstream consumers (#...
  • 5b9e980 feat: add engine.bare frontmatter field to suppress automatic context loading...
  • 17dff22 fix: set supportsNativeAgentFile=false for Codex and Gemini engines; remove a...
  • a0803a5 fix(cli): address 7 CLI consistency issues across help text and flag behavior...
  • e61c83d security: fix agent-stdio.log world-readable exposure and MCP gateway token l...
  • 314d821 refactor: centralize close-flow logic into shared createCloseEntityHandler ...
  • 7b2108a fix(smoke-gemini): trigger on "smoke" label instead of "water" (#25639)
  • c144ee3 test: add regression coverage for .github/agents/ root-relative import path...
  • a8dedce chore: remove dead functions — 5 functions removed (#25630)
  • Additional commits viewable in compare view

Updates docker/build-push-action from 7.0.0 to 7.1.0

Release notes

Sourced from docker/build-push-action's releases.

v7.1.0

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0

Commits
  • bcafcac Merge pull request #1509 from docker/dependabot/npm_and_yarn/vite-7.3.2
  • 18e62f1 Merge pull request #1510 from docker/dependabot/npm_and_yarn/lodash-4.18.1
  • 46580d2 chore: update generated content
  • 3f80b25 chore(deps): Bump lodash from 4.17.23 to 4.18.1
  • efeec95 Merge pull request #1505 from crazy-max/refactor-git-context
  • ddf04b0 Merge pull request #1511 from docker/dependabot/github_actions/crazy-max-dot-...
  • db08d97 chore(deps): Bump the crazy-max-dot-github group with 2 updates
  • ef1fb96 Merge pull request #1508 from docker/dependabot/github_actions/docker/login-a...
  • 2d8f2a1 chore: update generated content
  • 919ac7b fix test since secrets are not written to temp path anymore
  • Additional commits viewable in compare view

Updates taiki-e/install-action from 2.68.36 to 2.75.9

Release notes

Sourced from taiki-e/install-action's releases.

2.75.9

  • Enhance security when cargo-binstall fallback is used. (acc1621b)

2.75.8

  • Update vacuum@latest to 0.25.8.

  • Update mise@latest to 2026.4.9.

  • Update cargo-binstall@latest to 1.18.0.

  • Update gungraun-runner@latest to 0.18.1.

2.75.7

  • Update covgate@latest to 0.1.4.

  • Update wasm-bindgen@latest to 0.2.118.

2.75.6

  • Update mise@latest to 2026.4.8.

  • Update cargo-deny@latest to 0.19.1.

2.75.5

  • Update biome@latest to 2.4.11.

  • Update wasmtime@latest to 43.0.1.

  • Update uv@latest to 0.11.6.

  • Update mise@latest to 2026.4.7.

  • Update gungraun-runner@latest to 0.18.0.

2.75.4

  • Enhance security when cargo-binstall fallback is enabled. (08a38582, ba626b4d)

  • Update martin@latest to 1.5.0.

  • Update uv@latest to 0.11.5.

  • Update syft@latest to 1.42.4.

  • Update dprint@latest to 0.54.0.

2.75.3

  • Enhance security when cargo-binstall fallback is disabled. (77557fa3)

  • Update rclone@latest to 1.73.4.

2.75.2

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

[2.75.9] - 2026-04-13

  • Enhance security when cargo-binstall fallback is used. (acc1621b)

[2.75.8] - 2026-04-13

  • Update vacuum@latest to 0.25.8.

  • Update mise@latest to 2026.4.9.

  • Update cargo-binstall@latest to 1.18.0.

  • Update gungraun-runner@latest to 0.18.1.

[2.75.7] - 2026-04-11

  • Update covgate@latest to 0.1.4.

  • Update wasm-bindgen@latest to 0.2.118.

[2.75.6] - 2026-04-11

  • Update mise@latest to 2026.4.8.

  • Update cargo-deny@latest to 0.19.1.

[2.75.5] - 2026-04-10

  • Update biome@latest to 2.4.11.

  • Update wasmtime@latest to 43.0.1.

  • Update uv@latest to 0.11.6.

  • Update mise@latest to 2026.4.7.

  • Update gungraun-runner@latest to 0.18.0.

... (truncated)

Commits

Updates sigstore/cosign-installer from 4.1.0 to 4.1.1

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.1

What's Changed

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

Commits

Updates crate-ci/typos from 1.44.0 to 1.45.1

Release notes

Sourced from crate-ci/typos's releases.

v1.45.1

[1.45.1] - 2026-04-13

Fixes

  • (action) Use a temp dir for caching

v1.45.0

[1.45.0] - 2026-04-01

Features

  • Updated the dictionary with the March 2026 changes

Changelog

Sourced from crate-ci/typos's changelog.

Change Log

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[Unreleased] - ReleaseDate

[1.45.1] - 2026-04-13

Fixes

  • (action) Use a temp dir for caching

[1.45.0] - 2026-04-01

Features

  • Updated the dictionary with the March 2026 changes

[1.44.0] - 2026-02-27

Features

[1.43.5] - 2026-02-16

Fixes

  • (pypi) Hopefully fix the sdist build

[1.43.4] - 2026-02-09

Fixes

  • Don't correct pincher

[1.43.3] - 2026-02-06

Fixes

  • (action) Adjust how typos are reported to github

[1.43.2] - 2026-02-05

Fixes

  • Don't correct certifi in Python

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
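
The `agent-stdio.log` hardening described in the github/gh-aw v0.68.1 release notes above (pre-create the log with 0600 before `tee` writes, and redact gateway tokens), sketched as an added shell example. It is not gh-aw's code; the function names, file paths and sample token are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not gh-aw's implementation. Function names, paths and
# the sample token are constructed.

# tee creates a missing file with mode 0666 & ~umask (0644 under the usual
# 022), so the log must already exist with tight permissions when tee opens it.
precreate_log() {
  log=$1
  # Refuse a pre-planted symlink instead of writing through it.
  if [ -L "$log" ]; then return 1; fi
  ( umask 077 && : >> "$log" ) || return 1
  chmod 600 "$log"   # also tightens a file left over from an earlier run
}

# Print the octal permission bits (GNU stat, then BSD stat as a fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Mask anything that looks like a bearer credential before it is written.
redact_bearer() {
  sed -E 's#(Bearer[[:space:]]+)[A-Za-z0-9._~+/=-]+#\1[REDACTED]#g'
}

# Run a command, sending its redacted stdout/stderr to the console and the log.
run_logged() {
  log=$1; shift
  precreate_log "$log" || return 1
  "$@" 2>&1 | redact_bearer | tee -a "$log"
}

# Compare a log created by tee itself with one that was pre-created.
demo() {
  dir=$(mktemp -d) || return 1
  ( umask 022; echo 'started' | tee "$dir/naive.log" >/dev/null )
  run_logged "$dir/agent-stdio.log" \
    echo 'Authorization: Bearer constructed.token-123' >/dev/null
  echo "naive=$(file_mode "$dir/naive.log")" \
       "hardened=$(file_mode "$dir/agent-stdio.log")"
  cat "$dir/agent-stdio.log"
  rm -rf "$dir"
}

demo
```

Redacting in the pipeline before `tee` keeps the credential out of both the console stream and the file, so the 0600 mode acts as a second layer rather than the only one.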

…updates

Bumps the github-actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |
| [github/gh-aw](https://github.com/github/gh-aw) | `0.61.2` | `0.68.1` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` |
| [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.68.36` | `2.75.9` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.0` | `4.1.1` |
| [crate-ci/typos](https://github.com/crate-ci/typos) | `1.44.0` | `1.45.1` |



Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `github/gh-aw` from 0.61.2 to 0.68.1
- [Release notes](https://github.com/github/gh-aw/releases)
- [Commits](github/gh-aw@v0.61.2...v0.68.1)

Updates `docker/build-push-action` from 7.0.0 to 7.1.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@d08e5c3...bcafcac)

Updates `taiki-e/install-action` from 2.68.36 to 2.75.9
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@3a91142...d0f2322)

Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@ba7bc0a...cad07c2)

Updates `crate-ci/typos` from 1.44.0 to 1.45.1
- [Release notes](https://github.com/crate-ci/typos/releases)
- [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md)
- [Commits](crate-ci/typos@631208b...cf5f1c2)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/gh-aw
  dependency-version: 0.68.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: docker/build-push-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.75.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: crate-ci/typos
  dependency-version: 1.45.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Apr 13, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from zircote as a code owner April 13, 2026 15:35
@github-actions github-actions Bot enabled auto-merge (squash) April 13, 2026 15:35

dependabot Bot commented on behalf of github Apr 20, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 20, 2026
auto-merge was automatically disabled April 20, 2026 16:47

Pull request was closed

@dependabot dependabot Bot deleted the dependabot/github_actions/github-actions-3d9d18deae branch April 20, 2026 16:47