diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index c9ea38685d2..3688f8f2b9e 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -125,6 +125,11 @@
       "version": "v2.0.3",
       "sha": "e95548e56dfa95d4e1a28d6f422fafe75c4c26fb"
     },
+    "docker/build-push-action@v6": {
+      "repo": "docker/build-push-action",
+      "version": "v6",
+      "sha": "ee4ca427a2f43b6a16632044ca514c076267da23"
+    },
     "docker/build-push-action@v6.18.0": {
       "repo": "docker/build-push-action",
       "version": "v6.18.0",
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index 3a4828e86df..626adc4d786 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -1196,7 +1196,7 @@ jobs:
       - name: Setup Docker Buildx (pre-validation)
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: Build Docker image (validation only)
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@ee4ca427a2f43b6a16632044ca514c076267da23 # v6
         with:
           build-args: |
             BINARY=dist/linux-amd64
@@ -1285,7 +1285,7 @@ jobs:
             type=raw,value=latest,enable={{is_default_branch}}
       - name: Build and push Docker image (amd64)
         id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@ee4ca427a2f43b6a16632044ca514c076267da23 # v6
         with:
           build-args: |
             BINARY=dist/linux-amd64
diff --git a/docs/src/content/docs/reference/tokens.md b/docs/src/content/docs/reference/tokens.md
index ab4f7660155..df67635df12 100644
--- a/docs/src/content/docs/reference/tokens.md
+++ b/docs/src/content/docs/reference/tokens.md
@@ -10,11 +10,11 @@ disable-agentic-editing: true
 
 GitHub Actions automatically provides a default `GITHUB_TOKEN` that works for most workflows. However, depending on what your workflow needs to do, you may need additional tokens:
 
-- **Cross-repo access or remote GitHub tools** – Add [`GH_AW_GITHUB_TOKEN`](#ghawaithubtoken-enhanced-pat-for-cross-repo-and-remote-tools)
-- **Copilot engine and agent operations** – Add [`COPILOT_GITHUB_TOKEN`](#copilotwithubtoken-copilot-authentication)
-- **GitHub Projects v2 operations** – Add [`GH_AW_PROJECT_GITHUB_TOKEN`](#ghawprojectwithubtoken-github-projects-v2)
-- **Assign Copilot agents to issues/PRs** – Add [`GH_AW_AGENT_TOKEN`](#ghawagenttoken-agent-assignment)
-- **MCP server with isolated permissions** (optional) – Add [`GH_AW_GITHUB_MCP_SERVER_TOKEN`](#ghawgithubmcpservertoken-github-mcp-server)
+- **Cross-repo access or remote GitHub tools** – Add [`GH_AW_GITHUB_TOKEN`](#gh_aw_github_token)
+- **Copilot engine and agent operations** – Add [`COPILOT_GITHUB_TOKEN`](#copilot_github_token)
+- **GitHub Projects v2 operations** – Add [`GH_AW_PROJECT_GITHUB_TOKEN`](#gh_aw_project_github_token)
+- **Assign Copilot agents to issues/PRs** – Add [`GH_AW_AGENT_TOKEN`](#gh_aw_agent_token)
+- **MCP server with isolated permissions** (optional) – Add [`GH_AW_GITHUB_MCP_SERVER_TOKEN`](#gh_aw_github_mcp_server_token)
 
 ## How do I add tokens to my repository?