build(deps): bump the github-actions group across 1 directory with 4 updates

[dependabot]

Bumps the github-actions group with 4 updates in the / directory: github/gh-aw, actions/cache, actions/download-artifact and docker/login-action.

Updates github/gh-aw from 0.56.2 to 0.67.0

Release notes

Sourced from github/gh-aw's releases.

v0.67.0

🌟 Release Highlights

This release delivers a major observability milestone with full OTLP trace export support, resolves critical GitHub MCP App token authentication bugs, expands the environment variable reference documentation, and addresses a wave of community-reported issues across self-hosted runners, cross-repo workflows, and the Codex engine.

✨ What's New

📡 OTLP Trace Export (observability.otlp)

Workflows can now export structured OpenTelemetry spans to any OTLP-compatible backend (e.g. Honeycomb, Grafana Tempo, Sentry) with a single frontmatter block:

observability:
  otlp:
    endpoint: $\{\{ secrets.GH_AW_OTEL_ENDPOINT }}
    headers: $\{\{ secrets.GH_AW_OTEL_HEADERS }}

Every job emits setup and conclusion spans with rich attributes (gh-aw.job.name, gh-aw.workflow.name, gh-aw.engine.id, token usage, and more). Cross-job trace correlation is wired automatically — all jobs in a run share a single trace ID originating from the activation job. Dispatched child workflows inherit the parent's trace context via aw_context, giving you end-to-end visibility across composite workflow chains. When a static endpoint URL is provided, its hostname is automatically added to the AWF firewall allowlist.

📚 Environment Variable Reference

A new comprehensive Environment Variables reference section covers CLI configuration (DEBUG, GH_AW_FEATURES, …), per-phase model override variables (GH_AW_MODEL_AGENT_*), and guard policy fallback variables (GH_AW_GITHUB_BLOCKED_USERS, GH_AW_GITHUB_TRUSTED_USERS) — previously discoverable only by reading source code.

🐛 Bug Fixes & Improvements

• GitHub MCP App token always empty — actions/create-github-app-token masks its output token and GitHub Actions runner v2.308+ silently drops masked values from job outputs, causing github_mcp_app_token to always arrive empty in the agent job (GitHub MCP server ran unauthenticated). The token is now minted directly in the agent job to avoid the cross-job output masking issue. (closes #24569)

• Duplicate "Generate GitHub App token" step — when multiple checkout: entries fell back to the top-level github-app:, the compiler produced steps with the same name, causing a duplicate-step validation error. Each step is now uniquely named. (closes #24573)

• Tavily MCP docs and mcp inspect missing servers — the web-search guide referenced the wrong npm package (@tavily/mcp-server → @tavily/mcp) and a dead GitHub URL. Additionally, gh aw mcp inspect now correctly reports MCP servers defined in imported workflows and handles on: issues string triggers. (closes #24567)

• repo-memory file-glob patterns silently skipping files — documentation and several built-in workflow templates incorrectly instructed agents to prefix file-glob patterns with the branch path (e.g. memory/branch-name/*.json). Patterns are matched against relative paths from the artifact directory, so bare extension patterns (*.json) are correct. All affected workflows and the reference docs have been fixed.

• Remote workflow calls — fixed a regression that broke workflow_call triggers in cross-repository setups. (closes #24422)

• workflow_call missing ref: in cross-repo checkout — activation job now correctly passes ref: when checking out a target repository for workflow_call triggers. (closes #20508)

• setup.sh create_dir() fails on self-hosted Linux runners — create_dir() now uses sudo when the runner user lacks write access to /opt/. (closes #20283)

• Codex engine on self-hosted runners — the vendored codex-x86_64-unknown-linux-musl binary now correctly supports --dangerously-bypass-approvals-and-sandbox. (closes #20157)

• GH_AW_SAFE_OUTPUTS_CONFIG_PATH / GH_AW_SAFE_OUTPUTS_TOOLS_PATH not available as env vars — these paths are now written to both GITHUB_OUTPUT and GITHUB_ENV so downstream jobs can reference them as environment variables. (closes #23092)

• agent_version: latest causes 400 Bad Request with Gemini models — version resolution now correctly handles latest for model/version combinations that do not support it. (closes #20833)

• Runtime parameterization of frontmatter fields — compile-time frontmatter fields can now be overridden at runtime via $\{\{ vars.* }} or $\{\{ secrets.* }} expressions in supported fields. (closes #23724)

🔧 Internal

... (truncated)

Commits

• 245d168 ci-cleaner: switch to Claude with max-turns, scope recompile, add exit guardr...
• 73887bf Fix invalid Tavily MCP package name/link in docs and mcp inspect missing serv...
• c816157 refactor: extract shared OTLP observability config, import in 30% of workflow...
• 16c5c53 fix: move selection to agent, keep only log download as pre-step (#24637)
• cbe27b7 fix: move optimizer data loading to pre-agentic steps (#24625)
• 7acccb4 fix: correct file-glob pattern docs and workflows for repo-memory (#24621)
• 730ce5e fix: update broken anchor link in glossary.md for audit diff command (#24620)
• c69880d fix: unique step names for checkout GitHub App token minting steps (#24609)
• 021d1a9 fix: remove branch-name prefix from repo-memory glob filter (#24613)
• 1a77097 feat: propagate pre-activation trace-id to activation job and reduce setup.sh...
• Additional commits viewable in compare view

Updates actions/cache from 5.0.3 to 5.0.4

Release notes

Sourced from actions/cache's releases.

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/[email protected] #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• b7e8d49 Merge pull request #1701 from actions/Link-/fix-proxy-integration-tests
• 984a21b Add traffic sanity check step
• acf2f1f Fix resolution
• 95a07c5 Add wait for proxy
• Additional commits viewable in compare view

Updates actions/download-artifact from 8.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in actions/download-artifact#471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in actions/download-artifact#472

Full Changelog: actions/download-artifact@v8...v8.0.1

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• See full diff in compare view

Updates docker/login-action from 4.0.0 to 4.1.0

Release notes

Sourced from docker/login-action's releases.

v4.1.0

• Fix scoped Docker Hub cleanup path when registry is omitted by @​crazy-max in docker/login-action#945
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1020.0 in docker/login-action#930
• Bump @​docker/actions-toolkit from 0.77.0 to 0.86.0 in docker/login-action#932 docker/login-action#936
• Bump brace-expansion from 1.1.12 to 1.1.13 in docker/login-action#952
• Bump fast-xml-parser from 5.3.4 to 5.3.6 in docker/login-action#942
• Bump flatted from 3.3.3 to 3.4.2 in docker/login-action#944
• Bump glob from 10.3.12 to 10.5.0 in docker/login-action#940
• Bump handlebars from 4.7.8 to 4.7.9 in docker/login-action#949
• Bump http-proxy-agent and https-proxy-agent to 8.0.0 in docker/login-action#937
• Bump lodash from 4.17.23 to 4.18.1 in docker/login-action#958
• Bump minimatch from 3.1.2 to 3.1.5 in docker/login-action#941
• Bump picomatch from 4.0.3 to 4.0.4 in docker/login-action#948
• Bump undici from 6.23.0 to 6.24.1 in docker/login-action#938

Full Changelog: docker/login-action@v4.0.0...v4.1.0

Commits

• 4907a6d Merge pull request #930 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• 1e233e6 chore: update generated content
• 6c24ead build(deps): bump the aws-sdk-dependencies group with 2 updates
• ee034d7 Merge pull request #958 from docker/dependabot/npm_and_yarn/lodash-4.18.1
• 1527209 Merge pull request #937 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
• d39362a build(deps): bump lodash from 4.17.23 to 4.18.1
• a6f092b chore: update generated content
• 60953f0 build(deps): bump the proxy-agent-dependencies group with 2 updates
• 62c6885 Merge pull request #936 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 102c0e6 chore: update generated content
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[fr4nc1sc0-r4m0n]

LGTM