`gh aw upgrade` adds new action version to actions-lock.json but doesn't update the source .md file

[sg650]

Summary

gh aw upgrade bumps action versions in actions-lock.json but does not update the uses: reference in workflow or shared-component .md source files. This leaves a dangling lockfile entry that nothing resolves — compiled .lock.yml files continue using the old version until the developer manually edits the source.

This happens regardless of whether the action reference is in a shared component or directly in a workflow .md file.

Steps to Reproduce

1. Have a workflow or shared component that pins an action version:

   steps:
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1.309.0

2. Run gh aw upgrade
3. Observe output:

   ℹ Updating GitHub Actions versions...
   ✓ Updated ruby/setup-ruby from v1.309.0 to v1.310.0
   ✓ Updated 1 action(s):
     • ruby/setup-ruby
   ℹ Updated actions-lock.json file
   

Actual Result

• actions-lock.json now has both v1.309.0 and v1.310.0 entries
• The source .md file still says ruby/setup-ruby@v1.309.0
• All .lock.yml files still compile against the old SHA
• The v1.310.0 lockfile entry is unused/dangling
• Same behavior whether the uses: is in a shared component or a main workflow .md

Expected Result

Either:

1. gh aw upgrade updates the uses: version in the source .md file(s) and adds the lockfile entry (fully automated upgrade), or
2. gh aw upgrade only reports the available update without modifying actions-lock.json, deferring the lockfile entry to gh aw compile after the developer bumps the source

The current behavior is an incomplete middle ground — it claims the update succeeded but nothing actually consumes the new version.

Environment

• gh-aw v0.74.8
• Action affected: ruby/setup-ruby (v1.309.0 → v1.310.0)