[actions] Update GitHub Actions versions - 2026-03-01

[Copilot]

• Apply patch from workflow run to update GitHub Actions versions
• Run make recompile to regenerate 162 workflow lock files
• Fix unit tests in action_pins_test.go and action_pins_logging_test.go
• Regenerate wasm golden test files
• Merge origin/main
• Recompile all 162 workflows after merge
• All tests pass

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[actions] Update GitHub Actions versions - 2026-03-01</issue_title>
<issue_description>## GitHub Actions Updates - 2026-03-01

This PR updates GitHub Actions versions in .github/aw/actions-lock.json to their latest compatible releases.

Actions Updated

• github/stale-repos: v8.0.4 → v9.0.1
• actions/upload-artifact: v5.0.0 / v7.0.0 → v7
• astral-sh/setup-uv: v7.3.0 → v7.3.1
• erlef/setup-beam: v1.20.4 → v1.21.0
• actions/setup-dotnet: v4.3.1 → v5.1.0
• actions/checkout: v5.0.1 → v6.0.2
• actions/download-artifact: v8.0.0 → v8

Summary

• Total actions updated: 8
• Update command: gh aw update
• Workflow lock files: Not included (will be regenerated on next compile)

Notes

• All action updates respect semantic versioning and maintain compatibility
• Actions are pinned to commit SHAs for security
• Workflow .lock.yml files are excluded from this PR and will be regenerated during the next compilation
• Workflow .md source files with embedded action references were also updated

Testing

The updated actions will be automatically used in workflow compilations. No manual testing required.

---

This PR was automatically created by the Daily Workflow Updater workflow.

Generated by Daily Workflow Updater

• expires on Mar 2, 2026, 9:27 AM UTC

---

[!NOTE]
This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent-artifacts artifact in the workflow run linked above.

To create a pull request with the changes:

# Download the artifact from the workflow run
gh run download 22540406258 -n agent-artifacts -D /tmp/agent-artifacts-22540406258

# Create a new branch
git checkout -b daily-workflow-updater-2026-03-01-8c89fbc423df5349

# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-artifacts-22540406258/aw-daily-workflow-updater-2026-03-01.patch

# Push the branch to origin
git push origin daily-workflow-updater-2026-03-01-8c89fbc423df5349

# Create the pull request
gh pr create --title '[actions] Update GitHub Actions versions - 2026-03-01' --base main --head daily-workflow-updater-2026-03-01-8c89fbc423df5349 --repo github/gh-aw

Show patch preview (233 of 233 lines)

From cc91c0e5df1c0472d4364375b87fc54a2b784792 Mon Sep 17 00:00:00 2001
From: GitHub Copilot <copilot@github.com>
Date: Sun, 1 Mar 2026 09:25:37 +0000
Subject: [PATCH] chore: update GitHub Actions versions (2026-03-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- github/stale-repos: v8.0.4 → v9.0.1
- actions/upload-artifact: v5.0.0/v7.0.0 → v7
- astral-sh/setup-uv: v7.3.0 → v7.3.1
- erlef/setup-beam: v1.20.4 → v1.21.0
- actions/setup-dotnet: v4.3.1 → v5.1.0
- actions/checkout: v5.0.1 → v6.0.2
- actions/download-artifact: v8.0.0 → v8

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/aw/actions-lock.json                  | 41 ++++++-------------
 .github/workflows/release.md                  |  2 +-
 .../workflows/shared/ollama-threat-scan.md    |  2 +-
 .github/workflows/shared/python-dataviz.md    |  4 +-
 .../shared/trending-charts-simple.md          |  4 +-
 .github/workflows/stale-repo-identifier.md    |  2 +-
 .github/workflows/super-linter.md             |  4 +-
 7 files changed, 22 insertions(+), 37 deletions(-)

diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index 103020b..0530cc3 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -25,11 +25,6 @@
       "version": "v5.0.3",
       "sha": "cdf6c1fa76f9f475f3d7449005a359c84ca0f306"
     },
-    "actions/checkout@v5.0.1": {
-      "repo": "actions/checkout",
-      "version": "v5.0.1",
-      "sha": "93cb6efe18208431cddfb8368fd83d5badbf9bfd"
-    },
     "actions/checkout@v6.0.2": {
       "repo": "actions/checkout",
       "version": "v6.0.2",
@@ -40,9 +35,9 @@
       "version": "v3.0.0-beta.2",
       "sha": "bf559f85448f9380bcfa2899dbdc01eb5b37be3a"
     },
-    "actions/download-artifact@v8.0.0": {
+    "actions/download-artifact@v8": {
       "repo": "actions/download-artifact",
-      "version": "v8.0.0",
+      "version": "v8",
    ...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

- Fixes github/gh-aw#19028

<!-- START COPILOT CODING AGENT TIPS -->
---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. [Learn more about Advanced Security.](https://gh.io/cca-advanced-security)

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot merge main and recompile

Done — merged origin/main and recompiled all 162 workflows (a9ab550).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build2561765473/b333/embedcfg -pack (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw mTX9RiN/DdTuJrY5-C (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha se 3373019/b179/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --noprofile .cfg 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -unreachable=false /tmp/go-build3553373019/b017/vet.cfg 3373019/b267/vet.cfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 3373019/b019/vet.cfg .cfg -f owner=github -f ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -1 xterm-color (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 3373019/b029/vet.cfg .cfg remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel -tests /usr/bin/git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 3373019/b021/vet.cfg .cfg -f owner=github -f ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 3373019/b030/vet.cfg .cfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel -tests /usr/bin/git (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha se 3373019/b024/vet.cfg .cfg -f owner=github -f ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet remote.origin.urgit (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha se 3373019/b020/vet.cfg .cfg (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/.github/workflows HEAD /usr/sbin/lsb_release (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Updates pinned GitHub Actions versions across the repo (action pin databases, workflow sources, regenerated workflow lock files, and wasm golden outputs) to align with the latest compatible releases as of 2026-03-01.

Changes:

• Updated action pin databases (.github/aw/actions-lock.json, pkg/workflow/data/action_pins.json) to newer action versions/SHAs (e.g., checkout v6.0.2, upload-artifact v7, download-artifact v8, stale-repos v9.0.1).
• Regenerated compiled workflow lock files to reflect updated pin comments (e.g., # v7 / # v8) and updated workflow markdown sources referencing major tags (e.g., actions/upload-artifact@v7).
• Updated workflow pinning-related unit tests and refreshed wasm golden fixtures to match the new pinned-action rendering.

Reviewed changes

Copilot reviewed 176 out of 176 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.github/aw/actions-lock.json	Updates the canonical action lock entries (keys/versions/SHAs) used for workflow compilation/pinning.
pkg/workflow/data/action_pins.json	Updates embedded action pin data used by the compiler fallback pinning logic.
pkg/workflow/action_pins_logging_test.go	Aligns pinning/logging tests with updated pinned versions (e.g., checkout v6.0.2, setup-dotnet v5.1.0).
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden	Regenerated wasm golden output to match updated pinned action comment formatting (# v7/# v8).
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden	Same as above for smoke fixture.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden	Same as above for import fixture.
.github/workflows/release.md	Updates workflow source to use major-tag form for upload-artifact (@v7).
.github/workflows/super-linter.md	Updates workflow source to use actions/upload-artifact@v7 and actions/download-artifact@v8.
.github/workflows/stale-repo-identifier.md	Updates github/stale-repos reference to v9.0.1.
.github/workflows/shared/ollama-threat-scan.md	Updates upload-artifact reference to @v7.
.github/workflows/shared/python-dataviz.md	Updates upload-artifact references to @v7.
.github/workflows/shared/trending-charts-simple.md	Updates upload-artifact references to @v7.
.github/workflows/agentics-maintenance.yml	Updates pinned upload-artifact comment/version marker to match v7 major tag.
.github/workflows/ai-moderator.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/archie.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/artifacts-summary.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/auto-triage-issues.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/blog-auditor.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/bot-detection.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/brave.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/breaking-change-checker.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/chroma-issue-indexer.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/cli-consistency-checker.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/commit-changes-analyzer.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/contribution-check.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-choice-test.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-cli-tools-tester.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-fact.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-file-diet.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-malicious-code-scan.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-safe-outputs-conformance.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-secrets-analysis.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-security-red-team.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-semgrep-scan.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-syntax-error-quality.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-team-evolution-insights.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/daily-team-status.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/dependabot-burner.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/dependabot-go-checker.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/dev-hawk.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/dev.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/draft-pr-cleanup.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/duplicate-code-detector.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/example-custom-error-patterns.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/example-permissions-warning.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/example-workflow-analyzer.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/firewall.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/go-pattern-detector.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/issue-arborist.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/issue-monster.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/issue-triage-agent.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/metrics-collector.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/notion-issue-summary.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/plan.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/repo-tree-map.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/research.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/semantic-function-refactor.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/smoke-agent.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/smoke-test-tools.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/smoke-workflow-call.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/sub-issue-closer.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/terminal-stylist.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/test-dispatcher.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/test-project-url-default.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/test-workflow.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/typist.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/video-analyzer.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/workflow-generator.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/workflow-normalizer.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.
.github/workflows/workflow-skill-extractor.lock.yml	Regenerated compiled lock to reflect updated pinned artifact actions comment versions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.