chore(deps): bump github/gh-aw-actions from 0.79.8 to 0.80.8

[dependabot]

Bumps github/gh-aw-actions from 0.79.8 to 0.80.8.

Release notes

Sourced from github/gh-aw-actions's releases.

v0.80.8

Sync of actions from gh-aw at v0.80.8.

v0.80.7

Sync of actions from gh-aw at v0.80.7.

v0.80.6

Sync of actions from gh-aw at v0.80.6.

v0.80.4

Sync of actions from gh-aw at v0.80.4.

v0.80.3

Sync of actions from gh-aw at v0.80.3.

v0.80.2

Sync of actions from gh-aw at v0.80.2.

v0.80.1

Sync of actions from gh-aw at v0.80.1.

v0.80.0

Sync of actions from gh-aw at v0.80.0.

Commits

• bee9622 chore: sync actions from gh-aw@v0.80.8 (#165)
• 7f7cdc7 chore: sync actions from gh-aw@v0.80.7 (#164)
• c20f9e7 chore: sync actions from gh-aw@v0.80.6 (#163)
• 00c24a5 chore: sync actions from gh-aw@v0.80.4 (#161)
• 53aef6c chore: sync actions from gh-aw@v0.80.3 (#160)
• 2702b42 chore: sync actions from gh-aw@v0.80.2 (#157)
• 489221e chore: sync actions from gh-aw@v0.80.1 (#156)
• c106acf chore: sync actions from gh-aw@v0.80.0 (#155)
• a22c324 Migrate runtime threat scan to CopilotRequestWrite (#153)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 22, 2026, 3:27 AM ET / 07:27 UTC.

Summary
The PR updates the pinned github/gh-aw-actions/setup-cli GitHub Action commit in the Copilot setup workflow from v0.79.8 to v0.80.8.

Reproducibility: not applicable. this is a dependency maintenance PR rather than a reported bug with runtime reproduction steps.

Review metrics: 2 noteworthy metrics.

• Workflow files changed: 1 changed. The patch is limited to the Copilot setup workflow, which keeps the local repository blast radius small.
• Action pin movement: 0.79.8 to 0.80.8. The update changes third-party GitHub Actions code while preserving commit-SHA pinning.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Risk before merge

• [P1] This changes code executed inside GitHub Actions setup, so maintainers should rely on the green Copilot setup check and the focused upstream action diff before merging.

Maintainer options:

1. Merge after workflow-check review (recommended)
   Accept the dependency bump with the current green Copilot setup check and the upstream setup-cli diff limited to output-color handling.
2. Pause for broader gh-aw release review
   If maintainers want to audit the larger upstream gh-aw-actions release train, leave this PR open until that release review is complete.

Next step before merge

• No automated repair is needed; this is a clean dependency PR awaiting normal maintainer merge judgment.

Security
Cleared: The local patch keeps commit pinning, and the relevant upstream setup-cli path only adds no-color output handling plus tests; no concrete supply-chain regression was found.

Review details

Best possible solution:

Merge the pinned action bump if maintainers are comfortable with the upstream setup-cli diff and the current green Copilot setup check.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency maintenance PR rather than a reported bug with runtime reproduction steps.

Is this the best way to solve the issue?

Yes; preserving the commit-SHA pin while updating the version comment is the narrow maintainable way to take this GitHub Actions dependency update.

AGENTS.md: found, but no applicable review policy affected this item.

Codex review notes: model internal, reasoning high; reviewed against 6283fb174ead.

Label changes

Label changes:

• add P3: This is a low-touch dependency maintenance PR affecting a setup workflow rather than product runtime behavior.
• add merge-risk: 🚨 automation: The changed dependency runs inside the Copilot setup workflow, so a bad upstream action change could break agent setup even when product tests pass.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PR; the external contributor proof gate does not apply, and the PR's Copilot setup workflow check is the relevant validation signal.

Label justifications:

• P3: This is a low-touch dependency maintenance PR affecting a setup workflow rather than product runtime behavior.
• merge-risk: 🚨 automation: The changed dependency runs inside the Copilot setup workflow, so a bad upstream action change could break agent setup even when product tests pass.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PR; the external contributor proof gate does not apply, and the PR's Copilot setup workflow check is the relevant validation signal.

Evidence reviewed

What I checked:

• Current workflow: Current main runs the Copilot setup job with contents: read and installs gh-aw through github/gh-aw-actions/setup-cli pinned to c0338fef... v0.79.8 with CLI version v0.72.1. (.github/workflows/copilot-setup-steps.yml:24, 6283fb174ead)
• PR diff: The PR changes only the setup-cli action reference from c0338fef... to bee9622... and leaves the requested CLI version unchanged. (.github/workflows/copilot-setup-steps.yml:24, 94acfb1bf97e)
• Upstream setup-cli action: The setup-cli/action.yml file is identical at the old and new pinned commits; the composite action still runs install.sh with INPUT_VERSION and GH_TOKEN. (bee9622162d2)
• Upstream setup-cli script: The relevant upstream setup-cli/install.sh patch adds a CI/no-color gate and a sync note; it does not add new downloads, permissions, or token handling to this action path. (bee9622162d2)
• Checks: GitHub reports the PR merge state as clean and the Copilot Setup Steps check completed successfully on the PR head. (94acfb1bf97e)
• Workflow history: The Copilot setup workflow was introduced by b637369...; later commits are dependency bumps on the same action pin. (.github/workflows/copilot-setup-steps.yml:24, b637369fbc56)

Likely related people:

• Scott Hanselman: git blame attributes the Copilot setup workflow structure and setup-cli step context to commit b637369fbc56be8e8efefd65a30f6cb8a7453f1d. (role: introduced workflow; confidence: high; commits: b637369fbc56; files: .github/workflows/copilot-setup-steps.yml)
• dependabot[bot]: git log and blame show the current pinned setup-cli SHA line was last updated by Dependabot in commit c75140696d4d3eb73d9d61fbb2b251f576d01557, and this PR continues that maintenance path. (role: recent dependency updater; confidence: high; commits: c75140696d4d, 94acfb1bf97e; files: .github/workflows/copilot-setup-steps.yml)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.