chore(deps): bump the all-github-actions group with 7 updates

[dependabot]

Bumps the all-github-actions group with 7 updates:

Package	From	To
github/gh-aw	0.42.17	0.45.2
aquasecurity/trivy-action	0.33.1	0.34.0
amannn/action-semantic-pull-request	5	6
docker/login-action	3.6.0	3.7.0
docker/setup-qemu-action	3.2.0	3.7.0
sigstore/cosign-installer	3.5.0	4.0.0
docker/build-push-action	5.4.0	6.19.2

Updates github/gh-aw from 0.42.17 to 0.45.2

Release notes

Sourced from github/gh-aw's releases.

v0.45.2

🌟 Release Highlights

This release focuses on improving reliability, developer experience, and custom agent compatibility with GitHub Copilot.

⚠️ Breaking Changes

• Custom Agent Frontmatter (#16221): The infer: false field has been renamed to disable-model-invocation: true for clarity. Update your custom agent files to use the new field name.

🐛 Bug Fixes & Improvements

• Playwright MCP on GitHub Actions (#16262): Fixed initialization failures when running Playwright MCP on GitHub Actions runners, ensuring browser automation works reliably in CI environments
• MCP Tool JSON Output (#16261): Fixed audit MCP tool returning debug logs instead of clean JSON, improving MCP server integration
• GitHub Copilot Compatibility (#16259): Added user-invokable to ignored frontmatter fields, enabling gh-aw workflows to work seamlessly as GitHub Copilot custom agents
• AI Moderator Enhancement (#16230): Added pull_request.opened event support, expanding automated moderation capabilities
• Test Reliability (#16242, #16235, #16240): Fixed test suite issues and improved Claude smoke test validation to catch startup failures earlier

🏗️ Architecture Improvements

• Prompt Generation (#16209): Moved prompt generation to activation job with artifact transfer, improving workflow structure and debuggability
• CI Validation (#16232): Added CI validation for agent file URLs and enhanced lock file checks, catching configuration errors before deployment

📚 Documentation

• Developer Experience (#16248, #16244): Consolidated developer specifications and added --fail-fast flag documentation, making it easier to develop and debug workflows

🔧 Dependencies

• AWF Firewall (#16256): Updated to v0.19.1 for improved security and stability

---

For complete details, see the CHANGELOG.

Generated by Release

---

What's Changed

• Add CI check to prevent release-compiled lock files by @​Copilot in github/gh-aw#16216
• Rename infer: false to disable-model-invocation: true in custom agent frontmatter by @​Copilot in github/gh-aw#16221
• Move prompt generation to activation job with artifact transfer by @​Copilot in github/gh-aw#16209
• Add CI validation for agent file URLs and enhance lock file checks by @​Copilot in github/gh-aw#16232
• Add pull_request.opened event support to ai-moderator by @​Copilot in github/gh-aw#16230
• Fix indentation in compiler_activation_jobs.go by @​Copilot in github/gh-aw#16235
• [instructions] Add --fail-fast flag to compilation options by @​github-actions[bot] in github/gh-aw#16244
• Fix test comparing step order across different workflow jobs by @​Copilot in github/gh-aw#16242
• Fail Claude smoke runs when startup exits before structured log output by @​Copilot in github/gh-aw#16240
• [docs] Consolidate developer specifications - quality verification v2.3 by @​github-actions[bot] in github/gh-aw#16248
• Fix audit MCP tool returning debug logs instead of JSON by @​Copilot in github/gh-aw#16261

... (truncated)

Commits

• d6cbdd2 Fix Playwright MCP initialization failure on GitHub Actions runners (#16262)
• cedf004 Add user-invokable to ignored frontmatter fields (#16259)
• b8b2d99 chore: update AWF firewall to v0.19.1 (#16256)
• b3632ef Fix audit MCP tool returning debug logs instead of JSON (#16261)
• 4e1524f Update developer documentation to v2.3 - quality verification (#16248)
• f75f2dd Fail Claude smoke runs when startup exits before structured log output (#16240)
• 27ad1a5 Fix test comparing step order across different workflow jobs (#16242)
• 65c9a15 Add --fail-fast flag to compilation options (#16244)
• 143966b Fix indentation in compiler_activation_jobs.go (#16235)
• ad8fe27 Add pull_request.opened event support to ai-moderator (#16230)
• Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.33.1 to 0.34.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.34.0

What's Changed

• ci: use setup-bats in bump-trivy workflow by @​nikpivkin in aquasecurity/trivy-action#494
• chore: update README by @​nikpivkin in aquasecurity/trivy-action#493
• ci: install trivy in bump-trivy workflow and update tests by @​nikpivkin in aquasecurity/trivy-action#495
• chore(deps): Update trivy to v0.68.1 by @​aqua-bot in aquasecurity/trivy-action#496
• ci: use checks bundle v2 in sync workflow by @​nikpivkin in aquasecurity/trivy-action#505
• chore(deps): Update trivy to v0.69.1 by @​aqua-bot in aquasecurity/trivy-action#506

Full Changelog: aquasecurity/trivy-action@0.33.1...0.34.0

Commits

• c1824fd chore(deps): Update trivy to v0.69.1 (#506)
• bc61dc5 Merge commit from fork
• 5eb7ef2 ci: use checks bundle v2 in sync workflow (#505)
• 22438a4 Merge pull request #496 from aquasecurity/bump-trivy-1765431074
• 0024b3f chore(deps): Update trivy to v0.68.1
• 83690f7 ci: install trivy in bump-trivy workflow and update tests (#495)
• df65449 chore: update README (#493)
• 0317097 ci: use setup-bats in bump-trivy workflow (#494)
• See full diff in compare view

Updates amannn/action-semantic-pull-request from 5 to 6

Release notes

Sourced from amannn/action-semantic-pull-request's releases.

v6.0.0

6.0.0 (2025-08-13)

⚠ BREAKING CHANGES

• Upgrade action to use Node.js 24 and ESM (#287)

Features

• Upgrade action to use Node.js 24 and ESM (#287) (bc0c9a7)

v5.5.3

5.5.3 (2024-06-28)

Bug Fixes

• Bump braces dependency (#269. by @​EelcoLos) (2d952a1)

v5.5.2

5.5.2 (2024-04-24)

Bug Fixes

• Bump tar from 6.1.11 to 6.2.1 (#262 by @​EelcoLos) (9a90d5a)

v5.5.1

5.5.1 (2024-04-24)

Bug Fixes

• Bump ip from 2.0.0 to 2.0.1 (#263 by @​EelcoLos) (5e7e9ac)

v5.5.0

5.5.0 (2024-04-23)

Features

• Add outputs for type, scope and subject (#261 by @​bcaurel) (b05f5f6)

v5.4.0

5.4.0 (2023-11-03)

... (truncated)

Changelog

Sourced from amannn/action-semantic-pull-request's changelog.

Changelog

6.1.1 (2025-08-22)

Bug Fixes

• Parse headerPatternCorrespondence properly (#295) (800da4c)

6.1.0 (2025-08-19)

Features

• Support providing regexps for types (#292) (a30288b)

Bug Fixes

• Remove trailing whitespace from "unknown release type" error message (#291) (afa4edb)

6.0.1 (2025-08-13)

Bug Fixes

• Actually execute action (#289) (58e4ab4)

6.0.0 (2025-08-13)

⚠ BREAKING CHANGES

• Upgrade action to use Node.js 24 and ESM (#287)

Features

• Upgrade action to use Node.js 24 and ESM (#287) (bc0c9a7)

5.5.3 (2024-06-28)

Bug Fixes

• Bump braces dependency (#269. by @​EelcoLos) (2d952a1)

5.5.2 (2024-04-24)

Bug Fixes

• Bump tar from 6.1.11 to 6.2.1 (#262 by @​EelcoLos) (9a90d5a)

5.5.1 (2024-04-24)

... (truncated)

Commits

• 48f2562 chore: Release 6.1.1 [skip ci]
• 800da4c fix: Parse headerPatternCorrespondence properly (#295)
• 677b895 test: Fix broken test
• 24e6f01 ci: Fix permissions for tagger
• 7f33ba7 chore: Release 6.1.0 [skip ci]
• afa4edb fix: Remove trailing whitespace from "unknown release type" error message (#291)
• a30288b feat: Support providing regexps for types (#292)
• a46a7c8 build: Move Vitest to devDependencies (#290)
• fdd4d3d chore: Release 6.0.1 [skip ci]
• 58e4ab4 fix: Actually execute action (#289)
• Additional commits viewable in compare view

Updates docker/login-action from 3.6.0 to 3.7.0

Release notes

Sourced from docker/login-action's releases.

v3.7.0

• Add scope input to set scopes for the authentication token by @​crazy-max in docker/login-action#912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in docker/login-action#914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in docker/login-action#911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in docker/login-action#915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

Commits

• c94ce9f Merge pull request #915 from docker/dependabot/npm_and_yarn/lodash-4.17.23
• 8339c95 Merge pull request #912 from docker/scope
• c83e932 build(deps): bump lodash from 4.17.21 to 4.17.23
• b268aa5 chore: update generated content
• a603229 documentation for scope input
• 7567f92 Add scope input to set scopes for the authentication token
• 0567fa5 Merge pull request #914 from dphi/add-support-for-amazonaws.eu
• f6ef577 feat: add support for AWS European Sovereign Cloud ECR registries
• 916386b Merge pull request #911 from crazy-max/ensure-redact
• 5b3f94a chore: update generated content
• Additional commits viewable in compare view

Updates docker/setup-qemu-action from 3.2.0 to 3.7.0

Release notes

Sourced from docker/setup-qemu-action's releases.

v3.7.0

• Bump @​docker/actions-toolkit from 0.56.0 to 0.67.0 in docker/setup-qemu-action#217 docker/setup-qemu-action#230
• Bump brace-expansion from 1.1.11 to 1.1.12 in docker/setup-qemu-action#220
• Bump form-data from 2.5.1 to 2.5.5 in docker/setup-qemu-action#218
• Bump tmp from 0.2.3 to 0.2.4 in docker/setup-qemu-action#221
• Bump undici from 5.28.4 to 5.29.0 in docker/setup-qemu-action#219

Full Changelog: docker/setup-qemu-action@v3.6.0...v3.7.0

v3.6.0

• Display binfmt version by @​crazy-max in docker/setup-qemu-action#202

Full Changelog: docker/setup-qemu-action@v3.5.0...v3.6.0

v3.5.0

• Bump @​docker/actions-toolkit from 0.54.0 to 0.56.0 in docker/setup-qemu-action#205

Full Changelog: docker/setup-qemu-action@v3.4.0...v3.5.0

v3.4.0

• Bump @​docker/actions-toolkit from 0.49.0 to 0.54.0 in docker/setup-qemu-action#193 docker/setup-qemu-action#197

Full Changelog: docker/setup-qemu-action@v3.3.0...v3.4.0

v3.3.0

• Add cache-image input to enable/disable caching of binfmt image by @​crazy-max in docker/setup-qemu-action#130
• Bump @​actions/core from 1.10.1 to 1.11.1 in docker/setup-qemu-action#172
• Bump @​docker/actions-toolkit from 0.35.0 to 0.49.0 in docker/setup-qemu-action#187
• Bump cross-spawn from 7.0.3 to 7.0.6 in docker/setup-qemu-action#182
• Bump path-to-regexp from 6.2.2 to 6.3.0 in docker/setup-qemu-action#162

Full Changelog: docker/setup-qemu-action@v3.2.0...v3.3.0

Commits

• c7c5346 Merge pull request #230 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 3a517a1 chore: update generated content
• a5b45ed build(deps): bump @​docker/actions-toolkit from 0.62.1 to 0.67.0
• 3a64278 Merge pull request #220 from docker/dependabot/npm_and_yarn/brace-expansion-1...
• 94906ba chore: update generated content
• 4027abf build(deps): bump brace-expansion from 1.1.11 to 1.1.12
• bee0aaa Merge pull request #221 from docker/dependabot/npm_and_yarn/tmp-0.2.4
• 0d7e257 chore: update generated content
• b869601 build(deps): bump tmp from 0.2.3 to 0.2.4
• 3a043ed Merge pull request #219 from docker/dependabot/npm_and_yarn/undici-5.29.0
• Additional commits viewable in compare view

Updates sigstore/cosign-installer from 3.5.0 to 4.0.0

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.0.0

What's Changed?

Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.

In version v3+, using cosign sign-blob requires adding the --bundle flag which may require you to update your signing command.

• Add support for Cosign v3 releases (#201)

v3.10.1

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

• Bump default Cosign to v2.6.1 (#203)

v3.10.0

What's Changed

• Bump default Cosign to v2.6.0 in sigstore/cosign-installer#200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

v3.9.2

What's Changed

• not fail fast and setup permissions in sigstore/cosign-installer#195
• drop old unsupported versions <v2.0.0 in sigstore/cosign-installer#192
• Update default to v2.5.3 in sigstore/cosign-installer#196

Full Changelog: sigstore/cosign-installer@v3.9.1...v3.9.2

v3.9.1

What's Changed

• default action install to use release v2.5.1 by @​cpanato in sigstore/cosign-installer#193
• default cosign to v2.5.2 by @​cpanato in sigstore/cosign-installer#194

Full Changelog: sigstore/cosign-installer@v3.9.0...v3.9.1

v3.9.0

What's Changed

• Bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in sigstore/cosign-installer#189
• bump cosign install to use release v2.5.0 as default by @​cpanato in sigstore/cosign-installer#191

Full Changelog: sigstore/cosign-installer@v3...v3.9.0

v3.8.2

... (truncated)

Commits

• faadad0 add support for cosign v3 releases (#201)
• d7543c9 Bump default Cosign to v2.6.0 (#200)
• 920f20f Bump actions/setup-go from 5.5.0 to 6.0.0 (#199)
• bb9dfc1 Bump actions/github-script from 7.0.1 to 8.0.0 (#198)
• 074636b Bump actions/checkout from 4.2.2 to 5.0.0 (#197)
• d58896d Update default to v2.5.3 (#196)
• e40248c drop old unsupported versions <v2.0.0 (#192)
• d9374b9 not fail fast and setup permissions (#195)
• 398d4b0 default cosign to v2.5.2 (#194)
• 84f54a2 default action install to use release v2.5.1 (#193)
• Additional commits viewable in compare view

Updates docker/build-push-action from 5.4.0 to 6.19.2

Release notes

Sourced from docker/build-push-action's releases.

v6.19.2

• Preserve port in GIT_AUTH_TOKEN host by @​crazy-max in docker/build-push-action#1458

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

• Derive GIT_AUTH_TOKEN host from GitHub server URL by @​crazy-max in docker/build-push-action#1456

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

• Scope default git auth token to github.com by @​crazy-max in docker/build-push-action#1451
• Bump brace-expansion from 1.1.11 to 1.1.12 in docker/build-push-action#1396
• Bump form-data from 2.5.1 to 2.5.5 in docker/build-push-action#1391
• Bump js-yaml from 3.14.1 to 3.14.2 in docker/build-push-action#1429
• Bump lodash from 4.17.21 to 4.17.23 in docker/build-push-action#1446
• Bump tmp from 0.2.3 to 0.2.4 in docker/build-push-action#1398
• Bump undici from 5.28.4 to 5.29.0 in docker/build-push-action#1397

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

v6.18.0

• Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1 in docker/build-push-action#1381

[!NOTE] Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

• Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0 by @​crazy-max in docker/build-push-action#1364

[!NOTE] Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

• Handle no default attestations env var by @​crazy-max in docker/build-push-action#1343
• Only print secret keys in build summary output by @​crazy-max in docker/build-push-action#1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in docker/build-push-action#1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

v6.15.0

• Bump @​docker/actions-toolkit from 0.55.0 to 0.56.0 in docker/build-push-action#1330

Full Changelog: docker/build-push-action@v6.14.0...v6.15.0

v6.14.0

... (truncated)

Commits

• 10e90e3 Merge pull request #1458 from crazy-max/git-auth-port
• 5262538 chore: update generated content
• cd130e4 preserve port in GIT_AUTH_TOKEN host
• 806c751 Merge pull request #1452 from crazy-max/update-yarn
• 601a80b Merge pull request #1456 from crazy-max/auth-token-dyn-host
• 8f7fd7c chore: update generated content
• 710e335 derive GIT_AUTH_TOKEN host from GitHub server URL
• c4ca848 update yarn to 4.9.2
• ee4ca42 Merge pull request #1398 from docker/dependabot/npm_and_yarn/tmp-0.2.4
• f1b3bb5 chore: update generated content
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.30%	82.45%	📈 +0.15%
Statements	82.23%	82.37%	📈 +0.14%
Functions	82.74%	82.74%	➡️ +0.00%
Branches	74.46%	74.55%	📈 +0.09%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.2% → 83.8% (+0.55%)	82.5% → 83.0% (+0.54%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

PR titles: chore(deps): bump the all-github-actions group with 7 updates | chore(deps): bump the all-npm-dependencies group with 7 updates
GitHub MCP merged PRs: ✅
safeinputs-gh pr list: ✅
Playwright title check: ✅
Tavily search: ❌ (tool unavailable)
File write: ✅
Bash cat verify: ✅
Discussion query: ✅
Build npm ci && npm run build: ✅
Overall: FAIL

AI generated by Smoke Codex

[github-actions]

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.