chore(deps): bump the github-actions-minor-patch group across 1 directory with 3 updates #519

Open
dependabot[bot] wants to merge 1 commit into main from
dependabot/github_actions/github-actions-minor-patch-78e538a18a

@dependabot dependabot bot commented on behalf of github Apr 16, 2026

Bumps the github-actions-minor-patch group with 3 updates in the / directory: github/gh-aw, actions/upload-artifact and actions/download-artifact.

Updates github/gh-aw from 0.51.6 to 0.68.3

Release notes

Sourced from github/gh-aw's releases.

v0.68.3

🌟 Release Highlights

This release delivers a major overhaul of push_signed_commits.cjs for edge-case reliability, significant improvements to shared workflow imports, smarter AI model error handling, and a wave of community-driven fixes.

✨ What's New

  • Model-not-supported detection — When a model is unavailable or not supported by your Copilot plan, the workflow now stops retrying and surfaces a clear, actionable error in the failure report rather than spinning indefinitely. (#26229)
  • checkout field in shared imports — Shared importable workflows now support a checkout field, giving you control over which ref is checked out when importing a shared workflow. (#26292)
  • env field in shared imports — You can now pass environment variables via env: in shared import blocks, eliminating the need for workarounds when shared workflows require custom env context. (#26113)
  • Time Between Turns (TBT) metric — gh aw audit and gh aw logs now report Time Between Turns, a key indicator of whether LLM prompt caching is effective for your workflows. (#26321)
  • OTEL token breakdown — Conclusion spans now include token category breakdowns as attributes, enabling richer cost analysis in your observability dashboards. (#26121)
  • API consumption charts as inline images — API consumption reports now render charts as inline Markdown images for instant visibility without requiring external image hosting. (#26150)

🐛 Bug Fixes & Improvements

push_signed_commits.cjs — five targeted fixes:

  • File content is now read from commit objects (not the working tree), preventing stale-file bugs in agent-driven commits. (#26287)
  • Copy/rename detection and C-quoted filenames are now handled correctly. (#26277)
  • Non-100644 file modes (executables, symlinks) are detected and handled gracefully. (#26259)
  • Commit ordering uses --topo-order and merge commits are handled with a git push fallback. (#26306)
  • Submodule entries now fall back to a plain git push instead of erroring. (#26298)

Other notable fixes:

  • on.github-token propagated to activation job — Cross-org workflow_call setups no longer fail because the GitHub token was missing from checkout and hash-check steps. (#26137)
  • copilot-driver --resume auth recovery — Authentication failures during --continue/--resume are now handled instead of crashing the driver. (#26146)
  • add_comment gains reply_to_id — The reply_to_id parameter is now documented in the MCP tool schema so agents reliably pass it when threading replies. (#26288)
  • safe-outputs.actions tools exposed — Custom action tools defined in safe-outputs.actions are now included in the agent's MCP toolset. (#26291)
  • engine.max-turns preserved through shared imports — The max-turns setting no longer silently drops when the engine config is sourced from a shared import. (#26122)
  • Docker no longer required for gh aw compile --validate — Validation now skips Docker image checks when Docker is unavailable; opt in with --validate-images when needed. (#26074)
  • GH_HOST env var used for GH CLI calls — gh repo view and gh pr create now respect GH_HOST, fixing failures in GHES and cross-org contexts. (#26311)
  • resolveIssueNumber strips stray quotes — Item numbers wrapped in quotes no longer cause resolution failures. (#26114)
  • --safe-update renamed to --approve — The flag name now more clearly conveys its intent. (#26160)

📚 Documentation

🌍 Community Contributions

@arthurfvives

... (truncated)

Commits
  • ce17949 fix: use GH_HOST env var instead of --hostname flag for gh repo view and gh p...
  • c25673e fix: --topo-order and merge commit fallback in push_signed_commits.cjs (#26306)
  • d37c7c6 fix(USE-001): add standardized ERR_* error codes to two non-conformant handle...
  • 9939478 fix(USE-003): emit staged mode preview summary in upload_artifact handler (#2...
  • b8e0b8a fix: expose safe-outputs.actions custom action tools to agent MCP toolset (#2...
  • 549223d feat: support checkout field in importable shared workflows (#26292)
  • ace4abb Split frontmatter_types.go into types, parsing, and serialization files (#2...
  • b048b08 Split gateway_logs.go into concern-aligned files (#26296)
  • a12b147 refactor: split audit_report_render.go into domain-specific files (#26304)
  • f109ff0 Handle submodule entries in push_signed_commits by falling back to git push (...
  • Additional commits viewable in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • See full diff in compare view

Updates actions/download-artifact from 8.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…tory with 3 updates

Bumps the github-actions-minor-patch group with 3 updates in the / directory: [github/gh-aw](https://github.com/github/gh-aw), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `github/gh-aw` from 0.51.6 to 0.68.3
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@33cd6c7...ce17949)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `actions/download-artifact` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@70fc10c...3e5f45b)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.68.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-minor-patch
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-minor-patch
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the labels debt (Technical debt or repo cleanup), dependencies (Pull requests that update a dependency file) and no-changelog (don't include this item in release notes) on Apr 16, 2026

github-actions bot enabled auto-merge (squash) on April 16, 2026 02:05