chore(deps): bump the github-actions group across 1 directory with 7 updates #206

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-fc3c2eaf59

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps the github-actions group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| actions/upload-artifact | 7.0.0 | 7.0.1 |
| github/gh-aw | 0.61.2 | 0.68.3 |
| actions/cache | 5.0.4 | 5.0.5 |
| docker/build-push-action | 7.0.0 | 7.1.0 |
| taiki-e/install-action | 2.68.36 | 2.75.18 |
| sigstore/cosign-installer | 4.1.0 | 4.1.1 |
| crate-ci/typos | 1.44.0 | 1.45.1 |

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • See full diff in compare view

Updates github/gh-aw from 0.61.2 to 0.68.3

Release notes

Sourced from github/gh-aw's releases.

v0.68.3

🌟 Release Highlights

This release delivers a major overhaul of push_signed_commits.cjs for edge-case reliability, significant improvements to shared workflow imports, smarter AI model error handling, and a wave of community-driven fixes.

✨ What's New

  • Model-not-supported detection — When a model is unavailable or not supported by your Copilot plan, the workflow now stops retrying and surfaces a clear, actionable error in the failure report rather than spinning indefinitely. (#26229)
  • checkout field in shared imports — Shared importable workflows now support a checkout field, giving you control over which ref is checked out when importing a shared workflow. (#26292)
  • env field in shared imports — You can now pass environment variables via env: in shared import blocks, eliminating the need for workarounds when shared workflows require custom env context. (#26113)
  • Time Between Turns (TBT) metric — gh aw audit and gh aw logs now report Time Between Turns, a key indicator of whether LLM prompt caching is effective for your workflows. (#26321)
  • OTEL token breakdown — Conclusion spans now include token category breakdowns as attributes, enabling richer cost analysis in your observability dashboards. (#26121)
  • API consumption charts as inline images — API consumption reports now render charts as inline Markdown images for instant visibility without requiring external image hosting. (#26150)

🐛 Bug Fixes & Improvements

push_signed_commits.cjs — five targeted fixes:

  • File content is now read from commit objects (not the working tree), preventing stale-file bugs in agent-driven commits. (#26287)
  • Copy/rename detection and C-quoted filenames are now handled correctly. (#26277)
  • Non-100644 file modes (executables, symlinks) are detected and handled gracefully. (#26259)
  • Commit ordering uses --topo-order and merge commits are handled with a git push fallback. (#26306)
  • Submodule entries now fall back to a plain git push instead of erroring. (#26298)

Other notable fixes:

  • on.github-token propagated to activation job — Cross-org workflow_call setups no longer fail because the GitHub token was missing from checkout and hash-check steps. (#26137)
  • copilot-driver --resume auth recovery — Authentication failures during --continue/--resume are now handled instead of crashing the driver. (#26146)
  • add_comment gains reply_to_id — The reply_to_id parameter is now documented in the MCP tool schema so agents reliably pass it when threading replies. (#26288)
  • safe-outputs.actions tools exposed — Custom action tools defined in safe-outputs.actions are now included in the agent's MCP toolset. (#26291)
  • engine.max-turns preserved through shared imports — The max-turns setting no longer silently drops when the engine config is sourced from a shared import. (#26122)
  • Docker no longer required for gh aw compile --validate — Validation now skips Docker image checks when Docker is unavailable; opt in with --validate-images when needed. (#26074)
  • GH_HOST env var used for GH CLI calls — gh repo view and gh pr create now respect GH_HOST, fixing failures in GHES and cross-org contexts. (#26311)
  • resolveIssueNumber strips stray quotes — Item numbers wrapped in quotes no longer cause resolution failures. (#26114)
  • --safe-update renamed to --approve — The flag name now more clearly conveys its intent. (#26160)

📚 Documentation

🌍 Community Contributions

@arthurfvives

... (truncated)

Commits
  • ce17949 fix: use GH_HOST env var instead of --hostname flag for gh repo view and gh p...
  • c25673e fix: --topo-order and merge commit fallback in push_signed_commits.cjs (#26306)
  • d37c7c6 fix(USE-001): add standardized ERR_* error codes to two non-conformant handle...
  • 9939478 fix(USE-003): emit staged mode preview summary in upload_artifact handler (#2...
  • b8e0b8a fix: expose safe-outputs.actions custom action tools to agent MCP toolset (#2...
  • 549223d feat: support checkout field in importable shared workflows (#26292)
  • ace4abb Split frontmatter_types.go into types, parsing, and serialization files (#2...
  • b048b08 Split gateway_logs.go into concern-aligned files (#26296)
  • a12b147 refactor: split audit_report_render.go into domain-specific files (#26304)
  • f109ff0 Handle submodule entries in push_signed_commits by falling back to git push (...
  • Additional commits viewable in compare view

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

Updates docker/build-push-action from 7.0.0 to 7.1.0

Release notes

Sourced from docker/build-push-action's releases.

v7.1.0

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0

Commits
  • bcafcac Merge pull request #1509 from docker/dependabot/npm_and_yarn/vite-7.3.2
  • 18e62f1 Merge pull request #1510 from docker/dependabot/npm_and_yarn/lodash-4.18.1
  • 46580d2 chore: update generated content
  • 3f80b25 chore(deps): Bump lodash from 4.17.23 to 4.18.1
  • efeec95 Merge pull request #1505 from crazy-max/refactor-git-context
  • ddf04b0 Merge pull request #1511 from docker/dependabot/github_actions/crazy-max-dot-...
  • db08d97 chore(deps): Bump the crazy-max-dot-github group with 2 updates
  • ef1fb96 Merge pull request #1508 from docker/dependabot/github_actions/docker/login-a...
  • 2d8f2a1 chore: update generated content
  • 919ac7b fix test since secrets are not written to temp path anymore
  • Additional commits viewable in compare view

Updates taiki-e/install-action from 2.68.36 to 2.75.18

Release notes

Sourced from taiki-e/install-action's releases.

2.75.18

  • Update vacuum@latest to 0.26.1.

  • Update wasm-tools@latest to 1.247.0.

  • Update mise@latest to 2026.4.16.

  • Update espup@latest to 0.17.1.

  • Update trivy@latest to 0.70.0.

2.75.17

  • Update tombi@latest to 0.9.18.

  • Update mise@latest to 2026.4.15.

2.75.16

  • Update uv@latest to 0.11.7.

  • Update mise@latest to 2026.4.14.

  • Update vacuum@latest to 0.25.9.

  • Update cargo-machete@latest to 0.9.2.

  • Update cargo-deny@latest to 0.19.4.

2.75.15

  • Update cargo-nextest@latest to 0.9.133.

  • Update biome@latest to 2.4.12.

2.75.14

2.75.13

  • Update zizmor@latest to 1.24.1.

2.75.12

  • Update typos@latest to 1.45.1.

  • Update cargo-xwin@latest to 0.21.5.

  • Update cargo-binstall@latest to 1.18.1.

2.75.11

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

  • Update rclone@latest to 1.73.5.

  • Update mise@latest to 2026.4.17.

[2.75.18] - 2026-04-19

  • Update vacuum@latest to 0.26.1.

  • Update wasm-tools@latest to 1.247.0.

  • Update mise@latest to 2026.4.16.

  • Update espup@latest to 0.17.1.

  • Update trivy@latest to 0.70.0.

[2.75.17] - 2026-04-17

  • Update tombi@latest to 0.9.18.

  • Update mise@latest to 2026.4.15.

[2.75.16] - 2026-04-17

  • Update uv@latest to 0.11.7.

  • Update mise@latest to 2026.4.14.

  • Update vacuum@latest to 0.25.9.

  • Update cargo-machete@latest to 0.9.2.

  • Update cargo-deny@latest to 0.19.4.

[2.75.15] - 2026-04-16

  • Update cargo-nextest@latest to 0.9.133.

... (truncated)

Commits

Updates sigstore/cosign-installer from 4.1.0 to 4.1.1

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.1

What's Changed

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

Commits

Updates crate-ci/typos from 1.44.0 to 1.45.1

Release notes

Sourced from crate-ci/typos's releases.

v1.45.1

[1.45.1] - 2026-04-13

Fixes

  • (action) Use a temp dir for caching

v1.45.0

[1.45.0] - 2026-04-01

Features

  • Updated the dictionary with the March 2026 changes

Changelog

Sourced from crate-ci/typos's changelog.

Change Log

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[Unreleased] - ReleaseDate

[1.45.1] - 2026-04-13

Fixes

  • (action) Use a temp dir for caching

[1.45.0] - 2026-04-01

Features

  • Updated the dictionary with the March 2026 changes

[1.44.0] - 2026-02-27

Features

[1.43.5] - 2026-02-16

Fixes

  • (pypi) Hopefully fix the sdist build

[1.43.4] - 2026-02-09

Fixes

  • Don't correct pincher

[1.43.3] - 2026-02-06

Fixes

  • (action) Adjust how typos are reported to github

[1.43.2] - 2026-02-05

Fixes

  • Don't correct certifi in Python

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…updates

Bumps the github-actions group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |
| [github/gh-aw](https://github.com/github/gh-aw) | `0.61.2` | `0.68.3` |
| [actions/cache](https://github.com/actions/cache) | `5.0.4` | `5.0.5` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` |
| [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.68.36` | `2.75.18` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.0` | `4.1.1` |
| [crate-ci/typos](https://github.com/crate-ci/typos) | `1.44.0` | `1.45.1` |



Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `github/gh-aw` from 0.61.2 to 0.68.3
- [Release notes](https://github.com/github/gh-aw/releases)
- [Commits](github/gh-aw@v0.61.2...v0.68.3)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

Updates `docker/build-push-action` from 7.0.0 to 7.1.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@d08e5c3...bcafcac)

Updates `taiki-e/install-action` from 2.68.36 to 2.75.18
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@3a91142...055f5df)

Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@ba7bc0a...cad07c2)

Updates `crate-ci/typos` from 1.44.0 to 1.45.1
- [Release notes](https://github.com/crate-ci/typos/releases)
- [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md)
- [Commits](crate-ci/typos@631208b...cf5f1c2)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/gh-aw
  dependency-version: 0.68.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: docker/build-push-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.75.18
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: crate-ci/typos
  dependency-version: 1.45.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Apr 20, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from zircote as a code owner April 20, 2026 16:47
@dependabot dependabot Bot deployed to copilot April 20, 2026 16:47 Active
@github-actions github-actions Bot enabled auto-merge (squash) April 20, 2026 16:47