chore(deps): Bump github/gh-aw-actions from 0.74.4 to 0.75.4 #537

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/github_actions/github/gh-aw-actions-0.75.4

dependabot[bot] commented on behalf of github on May 25, 2026

Bumps github/gh-aw-actions from 0.74.4 to 0.75.4.

Release notes

Sourced from github/gh-aw-actions's releases.

v0.75.4

Sync of actions from gh-aw at v0.75.4.

v0.75.3

Sync of actions from gh-aw at v0.75.3.

v0.75.2

Sync of actions from gh-aw at v0.75.2.

v0.75.1

Sync of actions from gh-aw at v0.75.1.

v0.75.0

Sync of actions from gh-aw at v0.75.0.

v0.74.9

Sync of actions from gh-aw at v0.74.9.

v0.74.8

Sync of actions from gh-aw at v0.74.8.

v0.74.7

Sync of actions from gh-aw at v0.74.7.

v0.74.6

Sync of actions from gh-aw at v0.74.6.

v0.74.5

Sync of actions from gh-aw at v0.74.5.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/gh-aw-actions](https://github.com/github/gh-aw-actions) from 0.74.4 to 0.75.4.
- [Release notes](https://github.com/github/gh-aw-actions/releases)
- [Changelog](https://github.com/github/gh-aw-actions/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw-actions@d3abfe9...9f05096)

---
updated-dependencies:
- dependency-name: github/gh-aw-actions
  dependency-version: 0.75.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels on May 25, 2026

clawsweeper Bot commented May 25, 2026

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 4:39 AM ET / 08:39 UTC.

Summary
Updates existing github/gh-aw-actions setup/setup-cli references in the Copilot setup workflow and two generated gh-aw lock workflows from v0.74.4 to v0.75.4.

Reproducibility: not applicable. This is a GitHub Actions dependency bump, not a reported runtime bug with reproduction steps.

Review metrics: 2 noteworthy metrics.

  • Workflow files changed: 3 modified; 15 additions, 15 deletions. The diff is narrow but all changed files are GitHub Actions automation surfaces.
  • Pinned gh-aw refs bumped: 15 occurrences from v0.74.4/d3abfe9 to v0.75.4/9f05096. The update consistently applies the same new upstream action commit across the affected workflows.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Run or wait for an affected gh-aw workflow check/smoke before merging.

Risk before merge

  • This PR changes a GitHub Action that is executed by repository automation with secrets and write-capable jobs; normal code tests do not exercise the scheduled/on-demand gh-aw runtime path.
  • The two .lock.yml files are generated workflows while their .md sources are unchanged, so maintainers should watch that a future gh aw compile does not unintentionally revert or desynchronize the dependency pin.

Maintainer options:

  1. Smoke the affected workflows (recommended)
    Trigger or wait for an affected gh-aw workflow run so the updated setup action is exercised with this repository's workflow inputs before merge.
  2. Accept the pinned update
    If maintainers are comfortable with the upstream gh-aw action sync, merge the exact-SHA Dependabot bump and monitor the next scheduled automation run.
  3. Regenerate from gh-aw source
    If source/generated drift is a concern, regenerate the lock workflows from the .md sources with the intended gh-aw dependency update before merging.

Next step before merge
A maintainer should merge only after the updated action has acceptable workflow/runtime validation; there is no narrow ClawSweeper repair to queue.

Security
Cleared: No concrete security or supply-chain defect was found: the action remains pinned to a specific upstream commit, and the upstream target commit is GitHub-signed.

Review details

Best possible solution:

Merge the pinned Dependabot bump after the affected workflow checks or an equivalent maintainer smoke run exercises the updated action.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a GitHub Actions dependency bump, not a reported runtime bug with reproduction steps.

Is this the best way to solve the issue?

Yes, for the intended maintenance task: the PR preserves exact SHA pinning and updates the existing action references consistently, with workflow smoke/status checks as the remaining safety gate.

AGENTS.md: found but not applied because it conflicted with ClawSweeper's review contract.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ef6ac8acbab2.

Label changes

Label changes:

  • add P3: This is a routine dependency maintenance PR with low direct product impact, but it still needs normal automation validation.
  • add merge-risk: 🚨 automation: Merging changes the action code used by repository agentic workflows, which regular application tests do not fully validate.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot dependency updates are not subject to the contributor real-behavior-proof gate.

Label justifications:

  • P3: This is a routine dependency maintenance PR with low direct product impact, but it still needs normal automation validation.
  • merge-risk: 🚨 automation: Merging changes the action code used by repository agentic workflows, which regular application tests do not fully validate.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot dependency updates are not subject to the contributor real-behavior-proof gate.

Evidence reviewed

Acceptance criteria:

  • Trigger or observe the affected GitHub Actions workflows that use github/gh-aw-actions/setup or setup-cli.
  • Confirm required PR checks are green after the dependency bump.

What I checked:

  • Repository policy checked: Read the full 48-line AGENTS.md; its validation guidance was noted, but this review stayed read-only and did not run build/test commands that would create artifacts. (AGENTS.md:1, ef6ac8acbab2)
  • Current main still uses old pinned action ref: Current main uses github/gh-aw-actions/setup-cli at d3abfe96... with the v0.74.4 comment in the Copilot setup workflow, so the PR bump is not already implemented on main. (.github/workflows/copilot-setup-steps.yml:24, ef6ac8acbab2)
  • Generated lock workflows use the same old ref: Current main uses github/gh-aw-actions/setup at d3abfe96... in the generated Repo Assist and Localization Audit workflows; the PR updates those existing call sites rather than adding a new workflow. (.github/workflows/repo-assist.lock.yml:136, ef6ac8acbab2)
  • PR scope from supplied GitHub context: The PR changes only three workflow files, with 15 additions and 15 deletions, replacing d3abfe96... / v0.74.4 with 9f050961... / v0.75.4. (0b18b0932208)
  • Upstream action provenance inspected: The upstream compare from d3abfe96... to 9f050961... reports 11 commits, and the target upstream commit is a verified GitHub-signed sync commit for gh-aw@v0.75.4. (9f050961da58)
  • Workflow ownership history sampled: Blame and log history show Scott Hanselman introduced or merged the central gh-aw workflow files, while dependabot[bot] made the prior v0.72.1 to v0.74.4 bump on the exact action-reference lines. (.github/workflows/repo-assist.lock.yml:136, c6b921879c42)

Likely related people:

  • Scott Hanselman: Git history attributes the introduction/merge of the gh-aw workflow files and localization automation to Scott Hanselman commits in this area. (role: automation workflow introducer and recent area contributor; confidence: high; commits: c499c294b764, 6eb18a6cdcdd, bcdb4bce377b; files: .github/workflows/copilot-setup-steps.yml, .github/workflows/repo-assist.lock.yml, .github/workflows/localization-audit.lock.yml)
  • dependabot[bot]: The exact current action-reference lines were last changed by the prior merged Dependabot bump from v0.72.1 to v0.74.4. (role: recent dependency bump author; confidence: high; commits: c6b921879c42; files: .github/workflows/copilot-setup-steps.yml, .github/workflows/repo-assist.lock.yml, .github/workflows/localization-audit.lock.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

clawsweeper (bot) added labels on May 25, 2026:

  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.
  • merge-risk: 🚨 automation: 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation.
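
The pin consistency discussed in the review above (every github/gh-aw-actions reference on one full commit SHA, with generated .lock.yml files not drifting back to an older pin) can be checked mechanically. This is an added example, not part of the PR, Dependabot's output or ClawSweeper's review; the function name `audit_pins`, the sample workflow text and the placeholder SHAs are constructed for illustration.

```python
import re

# Matches e.g. "- uses: github/gh-aw-actions/setup@<ref> # v0.75.4"
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s'\"#]+)['\"]?(?:\s*#\s*(?P<tag>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_pins(workflows, repo):
    """Flag non-SHA refs and pins that differ from the most common (SHA, tag) pair."""
    # workflows: {file name: workflow YAML text}; repo: "owner/name" to audit.
    findings, seen = [], {}
    for name, text in workflows.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m or not (m["action"] + "/").startswith(repo + "/"):
                continue
            where = f"{name}:{lineno}"
            if FULL_SHA_RE.match(m["ref"]):
                seen.setdefault((m["ref"], m["tag"]), []).append(where)
            else:
                findings.append(f"{where}: mutable ref '{m['ref']}' is not a 40-hex commit SHA")
    if len(seen) > 1:  # mixed pins, e.g. a lock file regenerated from stale source
        major = max(seen, key=lambda k: len(seen[k]))
        for (sha, tag), places in seen.items():
            if (sha, tag) != major:
                findings += [
                    f"{w}: pin {sha[:7]} ({tag}) differs from majority {major[0][:7]} ({major[1]})"
                    for w in places
                ]
    return findings


# Constructed sample input: placeholder SHAs, not the real upstream commits.
OLD, NEW = "a" * 40, "b" * 40
SAMPLE = {
    "copilot-setup-steps.yml": f"      - uses: github/gh-aw-actions/setup-cli@{NEW} # v0.75.4\n",
    "repo-assist.lock.yml": (
        f"      - uses: github/gh-aw-actions/setup@{NEW} # v0.75.4\n"
        f"      - uses: github/gh-aw-actions/setup@{OLD} # v0.74.4\n"  # stale pin
    ),
    "localization-audit.lock.yml": "      - uses: github/gh-aw-actions/setup@v0.75.4\n",
}

if __name__ == "__main__":
    for finding in audit_pins(SAMPLE, "github/gh-aw-actions"):
        print(finding)
```

Fed the real contents of `.github/workflows/*.yml` in CI, the same check would surface a later `gh aw compile` that reverts or desynchronizes the pin.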

clawsweeper Bot commented May 25, 2026

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Moonlit Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: guards the happy path.
Image traits: location proof lagoon; accessory proof snapshot camera; palette pearl, teal, and neon green; mood determined; pose leaning over a miniature review desk; shell woven fiber shell; lighting calm overcast light; background tiny shells and proof notes.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Labels

  • dependencies: Pull requests that update a dependency file
  • github_actions: Pull requests that update GitHub Actions code
  • merge-risk: 🚨 automation: 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.
  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.