
build(deps): bump github/gh-aw-actions from 0.78.3 to 0.79.8 #764

Merged
steipete merged 1 commit into main from dependabot/github_actions/github/gh-aw-actions-0.79.8
Jun 15, 2026

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026


Bumps github/gh-aw-actions from 0.78.3 to 0.79.8.

Release notes

Sourced from github/gh-aw-actions's releases.

v0.79.8

Sync of actions from gh-aw at v0.79.8.

v0.79.7

Sync of actions from gh-aw at v0.79.7.

v0.79.6

Sync of actions from gh-aw at v0.79.6.

v0.79.5

Sync of actions from gh-aw at v0.79.5.

v0.79.4

Sync of actions from gh-aw at v0.79.4.

v0.79.3

Sync of actions from gh-aw at v0.79.3.

v0.79.2

Sync of actions from gh-aw at v0.79.2.

v0.79.1

Sync of actions from gh-aw at v0.79.1.

v0.79.0

Sync of actions from gh-aw at v0.79.0.

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/gh-aw-actions](https://github.com/github/gh-aw-actions) from 0.78.3 to 0.79.8.
- [Release notes](https://github.com/github/gh-aw-actions/releases)
- [Changelog](https://github.com/github/gh-aw-actions/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw-actions@8cfea5a...c0338fe)

---
updated-dependencies:
- dependency-name: github/gh-aw-actions
  dependency-version: 0.79.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added labels Jun 15, 2026:

  • dependencies: Pull requests that update a dependency file
  • github_actions: Pull requests that update GitHub Actions code

clawsweeper Bot commented Jun 15, 2026


Codex review: needs maintainer review before merge. Reviewed June 15, 2026, 2:24 AM ET / 06:24 UTC.

Summary
This PR updates pinned github/gh-aw-actions setup and setup-cli references from v0.78.3 to v0.79.8 in three GitHub workflow files.

Reproducibility: not applicable. This is a dependency update PR rather than a bug report. Source and diff inspection verify that current main still has v0.78.3 pins and the PR updates them to v0.79.8.

Review metrics: 3 noteworthy metrics.

  • Workflow pins updated: 3 files, 15 references changed. Every repository-local change is a pinned GitHub Action SHA/comment update in automation workflows.
  • Upstream action delta: 9 commits, 116 files changed upstream. The dependency carries substantially more executable automation code change than the local workflow diff shows.
  • Current check gap: 2 setup e2e checks pending. The remaining pending checks exercise setup paths that are more relevant to this dependency bump than application unit tests alone.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Wait for the two pending setup e2e checks or provide equivalent affected-workflow runtime evidence before merge.

Risk before merge

  • [P1] The bumped action runs inside Copilot setup, Localization Audit, and Repo Assist automation, including jobs that use repository write permissions and configured secrets.
  • [P1] The upstream dependency delta is larger than the local diff: 9 verified commits and 116 upstream files, including setup, harness, and safe-output runtime code.
  • [P1] Two setup e2e checks were still pending at inspection time, so merge should wait for those checks or explicit maintainer acceptance of the automation risk.

Maintainer options:

  1. Verify affected workflow runtime (recommended)
    Wait for the pending setup e2e jobs and, if needed, run a focused Copilot setup or gh-aw workflow smoke before merge.
  2. Accept the pinned upstream bump
    Maintainers can merge after ordinary checks if they are comfortable relying on the immutable SHA pin and verified GitHub-owned upstream commits.
  3. Regenerate locks if compatibility fails
    If the newer setup action does not work with the existing generated lock workflows, replace this Dependabot patch with regenerated gh-aw lock output.

Next step before merge

  • [P2] No repair lane is needed; the remaining action is maintainer judgment after pending checks or equivalent affected-workflow evidence.

Security
Cleared: No concrete security or supply-chain defect was found in the local diff: the PR preserves immutable SHA pins and targets verified upstream commits, while automation runtime risk is tracked separately for maintainer review.

Review details

Best possible solution:

Land the pinned action bump after affected workflow and current-head e2e checks prove runtime compatibility, or explicitly accept the pinned upstream automation risk.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency update PR rather than a bug report. Source and diff inspection verify that current main still has v0.78.3 pins and the PR updates them to v0.79.8.

Is this the best way to solve the issue?

Yes, conditionally; updating the existing full-SHA pins is the narrow maintenance path. The remaining requirement is affected-workflow validation or explicit maintainer acceptance of the automation risk.

AGENTS.md: found, but no applicable review policy affected this item.

Codex review notes: model internal, reasoning high; reviewed against cb68abf8e75e.

Label changes

Label justifications:

  • P3: This is routine dependency maintenance with impact limited to repository automation unless the updated action breaks workflow setup.
  • merge-risk: 🚨 automation: The diff changes GitHub Action setup code used by Copilot setup and generated agentic workflows, which can fail outside normal application test coverage.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Contributor real behavior proof is not required for this Dependabot bot dependency PR; workflow check evidence remains merge-relevant.

Evidence reviewed

What I checked:

  • Repository policy read: AGENTS.md was read fully; its validation-after-change policy does not require local build/test execution because this review made no repository changes and the prompt requires a read-only checkout. (AGENTS.md:1, cb68abf8e75e)
  • Current main still uses old action pin: Current main still references github/gh-aw-actions/setup-cli at the v0.78.3 full SHA, so the dependency bump is not already implemented on main. (.github/workflows/copilot-setup-steps.yml:24, cb68abf8e75e)
  • PR head updates the pins consistently: The PR head changes the affected workflow references and version comments to c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8. (.github/workflows/copilot-setup-steps.yml:24, b01d3b421c72)
  • Local diff scope: The repository-local diff is limited to three workflow files with 15 insertions and 15 deletions, all replacing the old gh-aw-actions pin/comment with the new one. (b01d3b421c72)
  • Upstream action delta: The upstream compare from the previous pin to v0.79.8 is 9 verified commits across 116 files, including setup scripts, harnesses, and safe-output runtime code. (c0338fef4749)
  • Privileged automation context: The affected Repo Assist workflow consumes the bumped setup action in jobs with repository write permissions, so ordinary app tests do not fully prove the workflow runtime path. (.github/workflows/repo-assist.lock.yml:113, cb68abf8e75e)

Likely related people:

  • Christine Yan: Git history shows commit 85445c7 added all three affected workflow files. (role: introduced workflow files; confidence: medium; commits: 85445c78066b; files: .github/workflows/copilot-setup-steps.yml, .github/workflows/localization-audit.lock.yml, .github/workflows/repo-assist.lock.yml)
  • dependabot[bot]: git log --follow shows recent current-main gh-aw-actions pin bumps in the same workflow files before this PR. (role: recent dependency pin updater; confidence: high; commits: 71d249711d63, 4a74527773ce; files: .github/workflows/copilot-setup-steps.yml, .github/workflows/localization-audit.lock.yml, .github/workflows/repo-assist.lock.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
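
The review above clears the local diff because every reference stays pinned to a full commit SHA with a version comment and the pins are updated consistently. As an added example (not part of the ClawSweeper review or this repository's tooling), that check can be scripted; `audit_pins`, the sample workflow text and the all-zero old SHA are constructed for illustration.

```python
import re
from collections import defaultdict

# "uses: owner/repo[/path]@ref  # comment" as it appears in a workflow step.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<repo>[\w.-]+/[\w.-]+)(?P<path>/[^@\s'\"]*)?"
    r"@(?P<ref>[^\s#'\"]+)['\"]?(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_pins(workflows):
    """workflows: {filename: text}. Returns a sorted list of finding strings."""
    findings = []
    seen = defaultdict(set)  # repo -> {(sha, version comment)}
    for name, text in workflows.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m:
                continue  # local (./path) and docker:// steps do not match
            where = f"{name}:{lineno}"
            repo, ref, comment = m["repo"], m["ref"], m["comment"]
            if not FULL_SHA_RE.fullmatch(ref):
                # Tags and branches can be moved upstream; only a full SHA is immutable.
                findings.append(f"{where}: {repo} uses mutable ref '{ref}'")
                continue
            if comment is None:
                findings.append(f"{where}: {repo} SHA pin has no version comment")
            seen[repo].add((ref, comment))
    for repo, pins in seen.items():
        if len(pins) > 1:  # e.g. a bump applied to only some workflow files
            findings.append(f"{repo}: {len(pins)} different pins across workflows")
    return sorted(findings)

NEW = "c0338fef4749d08c21f8f975fb0e37efa17dda47"  # v0.79.8 SHA quoted in the review
OLD = "0" * 40  # placeholder: the full v0.78.3 SHA is not shown on the page

# Constructed sample: one bumped file, one stale pin and one tag reference.
SAMPLE = {
    "copilot-setup-steps.yml":
        f"      - uses: github/gh-aw-actions/setup-cli@{NEW} # v0.79.8\n",
    "repo-assist.lock.yml":
        f"        uses: github/gh-aw-actions/setup@{OLD} # v0.78.3\n"
        f"      - uses: github/gh-aw-actions/setup@v0.79.8\n",
}

if __name__ == "__main__":
    for finding in audit_pins(SAMPLE):
        print(finding)
```

A clean result only shows the pins are immutable and consistent; it says nothing about the upstream code behind the new SHA, which is the separate risk the review flags.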

@clawsweeper clawsweeper Bot added labels Jun 15, 2026:

  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.
  • merge-risk: 🚨 automation: 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation.

@steipete steipete merged commit c751406 into main Jun 15, 2026
24 checks passed
@steipete steipete deleted the dependabot/github_actions/github/gh-aw-actions-0.79.8 branch June 15, 2026 11:04