chore(deps): bump the github-actions group with 4 updates

[dependabot]

Bumps the github-actions group with 4 updates: taiki-e/install-action, github/codeql-action, github/gh-aw and actions/setup-node.

Updates taiki-e/install-action from 2.68.16 to 2.68.25

Release notes

Sourced from taiki-e/install-action's releases.

2.68.25

• Update zizmor@latest to 1.23.1.

• Update tombi@latest to 0.9.4.

• Update cargo-semver-checks@latest to 0.47.0.

2.68.24

• Avoid triggering zizmor ref-confusion when using this action in form of uses: taiki-e/install-action@v2 or uses: taiki-e/install-action@<tool_name>.

2.68.23

• Update zizmor@latest to 1.23.0.

• Update tombi@latest to 0.9.3.

• Update mise@latest to 2026.3.5.

2.68.22

• Update release-plz@latest to 0.3.157.

• Update cargo-binstall@latest to 1.17.7.

• Update mise@latest to 2026.3.4.

2.68.21

• Update tombi@latest to 0.9.2.

• Update uv@latest to 0.10.9.

• Update rclone@latest to 1.73.2.

• Update cargo-sort@latest to 2.1.1.

2.68.20

• Update tombi@latest to 0.9.1.

• Update cargo-neat@latest to 0.3.2.

2.68.19

• Update mise@latest to 2026.3.3.

• Update cargo-auditable@latest to 0.7.4.

• Update cargo-sort@latest to 2.1.0.

2.68.18

• Update uv@latest to 0.10.8.

• Update grcov@latest to 0.10.7.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

[2.68.25] - 2026-03-08

• Update zizmor@latest to 1.23.1.

• Update tombi@latest to 0.9.4.

• Update cargo-semver-checks@latest to 0.47.0.

[2.68.24] - 2026-03-08

• Avoid triggering zizmor ref-confusion when using this action in form of uses: taiki-e/install-action@v2 or uses: taiki-e/install-action@<tool_name>.

[2.68.23] - 2026-03-08

• Update zizmor@latest to 1.23.0.

• Update tombi@latest to 0.9.3.

• Update mise@latest to 2026.3.5.

[2.68.22] - 2026-03-07

• Update release-plz@latest to 0.3.157.

• Update cargo-binstall@latest to 1.17.7.

• Update mise@latest to 2026.3.4.

[2.68.21] - 2026-03-07

• Update tombi@latest to 0.9.2.

• Update uv@latest to 0.10.9.

• Update rclone@latest to 1.73.2.

• Update cargo-sort@latest to 2.1.1.

... (truncated)

Commits

• a37010d Release 2.68.25
• ffc2b1c Update zizmor@latest to 1.23.1
• 8f3b52a Update tombi@latest to 0.9.4
• df9c07a Update cargo-semver-checks@latest to 0.47.0
• 3c19ebd zizmor: Enable ref-confusion
• b18b9d9 Release 2.68.24
• 5ccf629 codegen: Avoid allocation in workspace_root()
• 93ea0b3 Avoid triggering zizmor ref-confusion
• 7c8485f Update script and CI config
• fc2a2b3 Release 2.68.23
• Additional commits viewable in compare view

Updates github/codeql-action from 4.32.5 to 4.32.6

Release notes

Sourced from github/codeql-action's releases.

v4.32.6

• Update default CodeQL bundle version to 2.24.3. #3548

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

4.32.6 - 05 Mar 2026

• Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

4.32.4 - 20 Feb 2026

• Update default CodeQL bundle version to 2.24.2. #3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

4.32.3 - 13 Feb 2026

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

• Update default CodeQL bundle version to 2.24.1. #3460

4.32.1 - 02 Feb 2026

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

4.32.0 - 26 Jan 2026

• Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409

... (truncated)

Commits

• 0d579ff Merge pull request #3551 from github/update-v4.32.6-72d2d850d
• d4c6be7 Update changelog for v4.32.6
• 72d2d85 Merge pull request #3548 from github/update-bundle/codeql-bundle-v2.24.3
• 23f983c Merge pull request #3544 from github/dependabot/github_actions/dot-github/wor...
• 832e97c Merge pull request #3545 from github/dependabot/github_actions/dot-github/wor...
• 5ef38c0 Merge pull request #3546 from github/dependabot/npm_and_yarn/tar-7.5.10
• 80c9cda Add changelog note
• f2669dd Update default bundle to codeql-bundle-v2.24.3
• bd03c44 Merge branch 'main' into dependabot/github_actions/dot-github/workflows/actio...
• 102d762 Bump tar from 7.5.7 to 7.5.10
• Additional commits viewable in compare view

Updates github/gh-aw from 0.51.6 to 0.56.2

Release notes

Sourced from github/gh-aw's releases.

v0.56.2

🌟 Release Highlights

This release focuses on reliability improvements across protected-file handling, setup CLI pinning, and cross-repo workflows — along with an upgrade to GitHub MCP server v0.32.0 and a new strict allowlist feature for protected-file protection.

✨ What's New

• allowed-files strict allowlist for protected-file PR safe outputs (#20051) — You can now configure an explicit allowlist of files that are permitted in protected-file PRs. Any file outside the allowlist is blocked, giving teams tighter control over what agents can modify in sensitive branches.

🐛 Bug Fixes & Improvements

• Protected-file fallback-to-issue now works when workflows permission is absent (#20106) — When an agent patch touches .github/workflows/ files and the GitHub App lacks workflows permission, gh-aw now correctly creates a fallback review issue rather than silently failing.
• Default branch no longer hardcoded to main (#20099) — create_pull_request and related operations now query the repository's actual default branch, fixing failures in repos using master, develop, or any non-main default.
• add-wizard correctly syncs working tree after PR merge (#20094) — Switching to the default branch after merging a wizard-created PR ensures workflow files are visible immediately, eliminating "workflow file not found" errors.
• setup-cli action now respects pinned version input (#20081) — The action verifies the installed version matches the requested version after gh extension install, falling back to a manual binary download if there's a mismatch.
• Safe output handler gracefully handles custom safe output job types (#20114) — Unknown job types no longer surface as unhandled errors; they are now logged and skipped cleanly.

⚡ Performance

• Compiled regex patterns moved to package-level variables (#20073, #20079) — regexp.MustCompile calls across pkg/cli, pkg/workflow, and the expression-validation hot path are now initialized once at startup rather than on every invocation, reducing allocation pressure in high-frequency compilation paths.

🔧 Dependencies & Infrastructure

• GitHub MCP server upgraded to v0.32.0 (#20100) — Picks up the latest GitHub MCP tooling improvements and bug fixes.

📚 Documentation

• New Cost Management reference page (#20078) — Added guidance on understanding and controlling the compute costs associated with running agentic workflows.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

• @dsyme for Change to protected file not correctly using a fallback issue (#20103)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Add missing scanner.Buffer() calls to prevent silent truncation in gateway_logs.go by @​Copilot in github/gh-aw#20074
• chore: hoist regexp.MustCompile calls to package-level vars across pkg/cli and pkg/workflow by @​Copilot in github/gh-aw#20073
• perf: hoist regexp.MustCompile calls to package-level vars in validateExpressionForDangerousProps by @​Copilot in github/gh-aw#20079
• IMP-003: Move generateCustomJobToolDefinition to safe_outputs_config_generation.go by @​Copilot in github/gh-aw#20080
• docs: add Cost Management reference page by @​Copilot in github/gh-aw#20078

... (truncated)

Commits

• f1073c5 refactor: simplify generateCustomJobToolDefinition and extractDispatchWorkflo...
• 984fc7a Fix safe output handler to gracefully ignore custom safe output job types (#2...
• 5ab3d52 Add allowed-files strict allowlist for protected-file protection on PR safe...
• 63f1ea4 Upgrade GitHub MCP server to v0.32.0, recompile workflows (#20100)
• b554e94 Update MCP gateway GitHub guard terminology (#20096)
• 32c7af7 fix: create protected-file review issue when push fails due to workflows perm...
• 59d071d fix: switch to default branch before pulling after add-wizard PR merge (#20094)
• e43b634 chore: remove 9 unreachable dead functions (#20101)
• cc0d007 fix: query repo default branch instead of hardcoding 'main' (#20098) (#20099)
• 482aa92 Fix setup-cli action ignoring pinned version input (#20081)
• Additional commits viewable in compare view

Updates actions/setup-node from 6.2.0 to 6.3.0

Release notes

Sourced from actions/setup-node's releases.

v6.3.0

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in actions/setup-node#1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in actions/setup-node#1491
• Replace uuid with crypto.randomUUID() by @​trivikr in actions/setup-node#1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in actions/setup-node#1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in actions/setup-node#1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in actions/setup-node#1495

New Contributors

• @​susnux made their first contribution in actions/setup-node#1283

Full Changelog: actions/setup-node@v6...v6.3.0

Commits

• 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
• 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
• c882bff Replace uuid with crypto.randomUUID() (#1378)
• 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
• efcb663 fix: remove hardcoded bearer (#1467)
• d02c89d Fix npm audit issues (#1491)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Benchmark Results

No benchmarks configured. Add benchmarks to benches/ directory.

Full results available in CI artifacts.