Bump the all-actions group with 3 updates #363

Open
dependabot[bot] wants to merge 2 commits into main from dependabot/github_actions/all-actions-e25c23f2dc

dependabot bot commented on behalf of github Mar 17, 2026

Bumps the all-actions group with 3 updates: github/gh-aw, actions/checkout and actions/download-artifact.

Updates github/gh-aw from 0.57.2 to 0.60.1

Release notes

Sourced from github/gh-aw's releases.

v0.60.0

🌟 Release Highlights

v0.60.0 focuses on security hardening through a smarter guard policy system, expanded GitHub Enterprise Server (GHES) support, and a wave of reliability fixes — including a critical bot-detection failure that was affecting 84% of runs.

⚠️ Breaking Changes

  • Automatic lockdown replaced by automatic guard policies (#21287, #21294) — The runtime no longer auto-emits lockdown=true for public repos. Instead, it automatically configures min_integrity and repos guard policy fields on the GitHub MCP server for all repository types. Public repos get min_integrity=approved; private/internal repos get min_integrity=none. Remove any explicit lockdown: false from your workflow frontmatter as it is no longer needed.

✨ What's New

  • GHES domain auto-allowlisting (#21301) — When engine.api-target is set for a GitHub Enterprise Server instance, the compiler now automatically adds the GHES API and base hostnames to the firewall allow-list. Previously, every recompile silently blocked GHES API traffic.

  • github-app: auth in APM dependencies (#21286) — APM dependencies: now supports cross-org private package access via github-app: auth, solving failures where GITHUB_TOKEN couldn't reach packages in other organizations.

  • APM version pinning (#21297) — The compiler now pins microsoft/APM to v0.8.0 in generated workflow steps, ensuring reproducible APM package resolution.

  • Cross-host workflow resolution for GHE (#21349) — gh aw add and gh aw add-wizard now correctly resolve workflows from github.com when GH_HOST points to a GHE instance, preventing HTTP 404 errors on cross-host operations.

  • Runtime safe-outputs tools loading (#21323) — safe_outputs_tools.json is now loaded from actions/setup at runtime instead of being inlined at compile time, enabling schema updates without workflow recompilation.

🐛 Bug Fixes & Improvements

  • Bot detection reliability (#21386) — Fixed an expired GH_AW_BOT_DETECTION_TOKEN causing an 84% failure rate. The step now correctly falls back to GITHUB_TOKEN when the dedicated token is unavailable.

  • checkout: false Git credentials (#21325) — Compiler no longer emits "Configure Git credentials" steps when checkout: false is set, eliminating fatal: not a git repository errors in workflows that skip checkout.

  • Safe-outputs prompt clarity (#21307) — The built-in prompt now correctly instructs agents to use safe-outputs only for "GitHub writes and completion signaling," preventing agents from ignoring mounted GitHub MCP read tools.

  • Error chain formatting (#21384) — Wrapped error chains are now displayed with newlines and indentation, making multi-layer errors significantly easier to debug.

  • Guard policies for non-GitHub MCP servers (#21342) — Write-sink guard policies are now correctly applied to non-GitHub MCP servers (Playwright, Serena, mcp-scripts, etc.) during auto-lockdown.

  • gh aw new engine list (#21348) — The interactive new command no longer offers the removed custom engine, preventing immediate compilation failures for newly created workflows.

  • audit absolute paths (#21331) — gh aw audit now returns absolute paths for downloaded files, improving compatibility with downstream tooling.

📚 Documentation

  • New /reference/auth-projects/ reference page for project authentication (#21280)
  • Documented automatic minimum-integrity-approved guard policy for public repositories (#21298)
  • Condensed Multi-Repo Operations best practices guide (#21311)

For complete details, see CHANGELOG.

Generated by Release

... (truncated)

Commits
  • 5cb9ec0 Add missing safe-output test workflows and Go compiler tests (#21427)
  • fc23139 Inject GH_HOST configuration step into compiled agent job for GHE Cloud data ...
  • 33200cd fix: remove unused import of safe-output-app from changeset workflow
  • 32c3dc2 Fix client-side request forgery in editor URL fetching (#21423)
  • ae39867 fix: remove first empty comment line from lock.yml files (#21413)
  • 5798209 Add daily-safe-output-integrator agentic workflow (#21415)
  • fb7d3e8 docs(aw): add "Creating Command Workflows" section to create-agentic-workflow...
  • 667cd0b Add FAQ entry about using Claude plugins with APM dependencies (#21409)
  • 0b6fd62 feat: detect ACTIONS_RUNNER_DEBUG and enable full logging (#21406)
  • e9d33d2 [docs] Update Astro dependencies - 2026-03-17 (#21394)
  • Additional commits viewable in compare view

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

... (truncated)

Commits

Updates actions/download-artifact from 8.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

dependabot bot added the dependencies and github_actions labels Mar 17, 2026
github-project-automation bot moved this to Backlog in StormCom Mar 17, 2026

vercel bot commented Mar 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| stormcomui | Ready | Preview, Comment | Mar 24, 2026 2:59am |

Bumps the all-actions group with 3 updates: [github/gh-aw](https://github.com/github/gh-aw), [actions/checkout](https://github.com/actions/checkout) and [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `github/gh-aw` from 0.57.2 to 0.60.1
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@32b3a71...5cb9ec0)

Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v6)

Updates `actions/download-artifact` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@70fc10c...3e5f45b)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.60.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot force-pushed the dependabot/github_actions/all-actions-e25c23f2dc branch from 789696b to 82ce86c March 21, 2026 20:21
@github-actions

Automated review (GitHub Models):

The PR’s proposed dependency updates (github/gh-aw[mention removed], actions/checkout[mention removed], actions/download-artifact[mention removed]) are reflected in the repository’s workflow and lock files. This indicates the changes are already applied and the PR is resolved.

Confidence: 0.97

Evidence:

  • .github/workflows/ : The workflows reference actions/checkout[mention removed] and actions/download-artifact[mention removed]; search indicates latest versions used.
  • package-lock.json : GitHub Actions dependencies for github/gh-aw, actions/checkout, and actions/download-artifact reflect upgraded versions matching the PR.
  • yarn.lock : Lockfile entries for github/gh-aw[mention removed], actions/checkout[mention removed], actions/download-artifact[mention removed] found, confirming update.

Labels: ai-reviewed, dependencies, github_actions
