Split out from #1014 (which is now scoped to items 1, 3, 4 — all addressed in PR #1016).
Context
Originally item #2 in #1014. Separated because it is blocked on an upstream release and should not gate the other P0 fixes.
Required change
Bump github/gh-aw-actions/setup in .github/aw/actions-lock.json from v0.68.3 to v0.68.7.
Security rationale (from audit #92)
v0.68.7 adds:
- XPIA sanitization
- Cache-memory planted executable fix
- Steganographic injection fix
- Safe-output injection hardening (homoglyphs, NFKC, heredoc, protocol-relative URLs)
Blocker
The local gh-aw CLI compiler is currently at v0.68.3. When it compiles .lock.yml files, it emits uses: github/gh-aw-actions/setup@v0.68.3 regardless of what the lock file authorizes. Manually bumping the lock entry to v0.68.7 would create drift between the lock and the compiled workflows.
This work should begin when: the github/gh-aw CLI extension ships a release that compiles against gh-aw-actions/setup@v0.68.7 (or later).
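A check for the drift described above, added here as an illustration and not code from gh-aw or this issue: it reads a lock file, scans compiled workflows for `uses:` lines, and reports any ref the lock does not authorize (an older tag, an unknown action, or a missing full SHA). The JSON layout of actions-lock.json (an "entries" map keyed by action with "version" and "sha" fields) and the sample workflow text and SHAs are assumptions constructed for the example.

```python
"""Detect drift between an actions lock file and compiled .lock.yml workflows.

Added example; not gh-aw code. The lock layout below is an assumption:
  {"entries": {"<owner/repo[/path]>": {"version": "vX.Y.Z", "sha": "<40 hex>"}}}
"""
import json
import re
from typing import Dict, List, Tuple

# Matches `uses: owner/repo[/sub/path]@ref` as emitted into compiled workflows;
# the ref stops at whitespace or a trailing `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s#]+)", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_lock(lock_json: str) -> Dict[str, Dict[str, str]]:
    """Return the action -> {version, sha} map (assumed layout, see module docstring)."""
    return json.loads(lock_json)["entries"]


def find_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs for every `uses:` line in a compiled workflow."""
    return [(m.group(1), m.group(2)) for m in USES_RE.finditer(workflow_text)]


def find_drift(lock_json: str, workflows: Dict[str, str]) -> List[str]:
    """Report every `uses:` ref that the lock does not authorize.

    A ref is accepted only if it equals the locked version tag or the locked
    full commit SHA; anything else (older tag, unknown action) is drift.
    Lock entries without a full 40-hex SHA are reported as unverified.
    """
    lock = parse_lock(lock_json)
    findings: List[str] = []
    for action, entry in lock.items():
        if not FULL_SHA_RE.match(entry.get("sha", "")):
            findings.append(f"lock: {action} lacks a verified 40-hex commit SHA")
    for path, text in workflows.items():
        for action, ref in find_uses(text):
            entry = lock.get(action)
            if entry is None:
                findings.append(f"{path}: {action}@{ref} is not in the lock")
            elif ref not in (entry["version"], entry["sha"]):
                findings.append(
                    f"{path}: {action}@{ref} drifts from lock "
                    f"({entry['version']} / {entry['sha'][:12]})"
                )
    return findings


# Constructed sample data (not real lock contents or real commits).
SAMPLE_LOCK = json.dumps({
    "entries": {
        "github/gh-aw-actions/setup": {
            "version": "v0.68.7",
            "sha": "0123456789abcdef0123456789abcdef01234567",
        },
        "actions/checkout": {
            "version": "v4",
            "sha": "89abcdef0123456789abcdef0123456789abcdef",
        },
    }
})

SAMPLE_WORKFLOWS = {
    # Compiled by a CLI still emitting v0.68.3: drifts from the bumped lock entry.
    "stale.lock.yml": (
        "steps:\n"
        "  - uses: actions/checkout@v4\n"
        "  - uses: github/gh-aw-actions/setup@v0.68.3\n"
    ),
    # Recompiled and SHA-pinned: matches the lock.
    "fresh.lock.yml": (
        "steps:\n"
        "  - uses: actions/checkout@89abcdef0123456789abcdef0123456789abcdef\n"
        "  - uses: github/gh-aw-actions/setup@0123456789abcdef0123456789abcdef01234567  # v0.68.7\n"
    ),
}


if __name__ == "__main__":
    for line in find_drift(SAMPLE_LOCK, SAMPLE_WORKFLOWS) or ["no drift"]:
        print(line)
```

Run against the real repository by loading .github/aw/actions-lock.json and each compiled .lock.yml into the two arguments; a non-empty result is exactly the drift the blocker above warns about, so the check belongs in CI once the lock is bumped.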
Acceptance criteria
- actions-lock.json entry for github/gh-aw-actions/setup updated to v0.68.7 with verified commit SHA
- .lock.yml files recompiled and committed
Refs #92