chore(deps): bump the github-actions group with 2 updates

[dependabot]

Bumps the github-actions group with 2 updates: github/gh-aw and actions/cache.

Updates github/gh-aw from 0.58.3 to 0.62.5

Release notes

Sourced from github/gh-aw's releases.

v0.62.5

🌟 Release Highlights

This release focuses on security hardening, reliability fixes across safe-outputs and activation, and a significant documentation expansion — with a couple of quality-of-life feature additions along the way.

⚠️ Security

Two important security improvements ship in this release:

• Supply chain protection: The Trivy vulnerability scanner action has been removed following the discovery of a supply chain compromise (#22007, #22065). Vulnerability scanning has been replaced with an alternative approach.
• Public repo integrity hardening: GitHub App authentication no longer exempts public repositories from the automatic minimum-integrity guard policy (#21969). This closes a gap where same-repo untrusted content could bypass integrity checks on public repos.

✨ What's New

• Timezone support for scheduled workflows: on.schedule cron entries now accept an optional timezone field, letting you express schedules in local time rather than UTC (#22018).
• Boolean expression optimizer: Condition node trees are now optimized at compile time, producing cleaner and more efficient if: expressions in compiled workflows (#22025).
• Wildcard target-repo in safe-output handlers: Safe-output handlers now accept target-repo: "*" to match any repository, making reusable handler definitions much more flexible (#21877).

🐛 Bug Fixes & Improvements

• Bot comment activation fixed: slash_command workflows now correctly activate on bot comments that append metadata after a newline separator — a common pattern with GitHub Apps (#22013).
• Signed commits on new branches: create-pull-request no longer fails when a "Require signed commits" branch ruleset is active and the target branch doesn't yet exist on the remote (#22012).
• Agent output artifact path: Fixed a nested-path issue where GH_AW_AGENT_OUTPUT artifacts were not found because the file resided outside the /tmp/gh-aw/ artifact root (#21968).
• GHE: agentics URL resolution: githubnext/agentics now correctly resolves to github.com when a GitHub Enterprise Server host is configured, preventing failed action lookups on GHE (#22014).
• gh aw new safe-output validation: Safe-output names entered via gh aw new are now validated against the JSON schema, preventing invalid configurations from being written (#21981).
• Smoke-codex stability: Eliminated a race condition causing intermittent safe_outputs failures on scheduled smoke runs and spurious wrong-PR comments (#22039).
• Code-push skip no longer triggers fail-fast: When a code-push step is intentionally skipped, the workflow now continues rather than halting with a failure (#21976).
• MCP Gateway updated to v0.1.20 (#21946).

📚 Documentation

A substantial documentation push accompanies this release:

• New: Integrity reference guide — covers trust levels, filtering behavior, and policy configuration (#22044).
• New: GHE Cloud data residency debugging guide — step-by-step troubleshooting for GitHub Enterprise Cloud data residency connectivity issues (#21993).
• Expanded checkout: frontmatter reference — the checkout section now documents all supported options with examples (#22041).
• GitHub MCP access control spec v1.1.0 — updated to document blocked-users and approval-labels fields (#22023).
• Streamlined agentic-authoring guide — reduced size and improved focus for faster onboarding (#22054).

---

For complete details, see the CHANGELOG.

Generated by Release

---

What's Changed

• Update MCP Gateway v0.1.19 → v0.1.20 by @​Copilot in github/gh-aw#21946

... (truncated)

Commits

• 48d8fdf Remove session management from safe outputs MCP HTTP server (#22056)
• 492682b chore: remove trivy (#22065)
• 78ef8b9 fix: cache action inputs in actions-lock.json for deterministic smoke-codex c...
• d5bae98 feat: add boolean expression optimizer for ConditionNode trees (#22025)
• 5dc9fa1 docs: add integrity.md reference documentation (#22044)
• 63e9d6b docs: document safe-outputs actions field in github-agentic-workflows.md (#22...
• 0e91af2 docs: unbloat agentic-authoring guide (#22054)
• 5d6443c chore(deps): bump h3 (#22043)
• 946e07a docs: expand checkout: section in frontmatter reference (#22041)
• 58acd3e fix(smoke-codex): eliminate safe_outputs instability on schedule runs and wro...
• Additional commits viewable in compare view

Updates actions/cache from 5.0.3 to 5.0.4

Release notes

Sourced from actions/cache's releases.

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• b7e8d49 Merge pull request #1701 from actions/Link-/fix-proxy-integration-tests
• 984a21b Add traffic sanity check step
• acf2f1f Fix resolution
• 95a07c5 Add wait for proxy
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.