diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index a4d78b7fdc6..2d1437ab728 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -136,7 +136,12 @@
     "docker/login-action@v4": {
       "repo": "docker/login-action",
       "version": "v4",
-      "sha": "b45d80f862d83dbcd57f89517bcf500b2ab88fb2"
+      "sha": "4907a6ddec9925e35a0a9e82d7399ccc52663121"
+    },
+    "docker/login-action@v4.1.0": {
+      "repo": "docker/login-action",
+      "version": "v4.1.0",
+      "sha": "4907a6ddec9925e35a0a9e82d7399ccc52663121"
     },
     "docker/metadata-action@v6": {
       "repo": "docker/metadata-action",
@@ -168,6 +173,11 @@
       "version": "v9.0.6",
       "sha": "7683f9d6900857a9e6dad8a3277a33bcc0b51d44"
     },
+    "github/stale-repos@v9.0.7": {
+      "repo": "github/stale-repos",
+      "version": "v9.0.7",
+      "sha": "25946246f29e8692a397502045e457c4dc96c6e4"
+    },
     "haskell-actions/setup@v2.10.3": {
       "repo": "haskell-actions/setup",
       "version": "v2.10.3",
@@ -192,6 +202,11 @@
       "repo": "super-linter/super-linter",
       "version": "v8.5.0",
       "sha": "61abc07d755095a68f4987d1c2c3d1d64408f1f9"
+    },
+    "super-linter/super-linter@v8.6.0": {
+      "repo": "super-linter/super-linter",
+      "version": "v8.6.0",
+      "sha": "9e863354e3ff62e0727d37183162c4a88873df41"
     }
   }
 }
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index aa3a26e5483..ea15c431c9e 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -26,7 +26,7 @@
 #   Imports:
 #     - shared/community-attribution.md
 #
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"128dc3cf2dcc46fc99c649a218664042fa068fc3aaf79bde247c915caa21d4dd","strict":true,"agent_id":"copilot"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8320cf3937aa521ad81e03ae14a98a09e0bce08e0f87cd11a904d2226bd7c649","strict":true,"agent_id":"copilot"}
 
 name: "Release"
 "on":
@@ -148,14 +148,14 @@ jobs:
         run: |
           bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
           {
-          cat << 'GH_AW_PROMPT_c788804fc69d8ab9_EOF'
+          cat << 'GH_AW_PROMPT_0ea4ee22b5eb16b8_EOF'
           <system>
-          GH_AW_PROMPT_c788804fc69d8ab9_EOF
+          GH_AW_PROMPT_0ea4ee22b5eb16b8_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_c788804fc69d8ab9_EOF'
+          cat << 'GH_AW_PROMPT_0ea4ee22b5eb16b8_EOF'
           <safe-output-tools>
           Tools: update_release, missing_tool, missing_data, noop
           </safe-output-tools>
@@ -187,13 +187,13 @@ jobs:
           {{/if}}
           </github-context>
           
-          GH_AW_PROMPT_c788804fc69d8ab9_EOF
+          GH_AW_PROMPT_0ea4ee22b5eb16b8_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_c788804fc69d8ab9_EOF'
+          cat << 'GH_AW_PROMPT_0ea4ee22b5eb16b8_EOF'
           </system>
           {{#runtime-import .github/workflows/shared/community-attribution.md}}
           {{#runtime-import .github/workflows/release.md}}
-          GH_AW_PROMPT_c788804fc69d8ab9_EOF
+          GH_AW_PROMPT_0ea4ee22b5eb16b8_EOF
           } > "$GH_AW_PROMPT"
       - name: Interpolate variables and render templates
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -374,12 +374,12 @@ jobs:
           mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
           mkdir -p /tmp/gh-aw/safeoutputs
           mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_9e329ef68acc25ed_EOF'
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_75aaf3586803c630_EOF'
           {"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"update_release":{"max":1}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_9e329ef68acc25ed_EOF
+          GH_AW_SAFE_OUTPUTS_CONFIG_75aaf3586803c630_EOF
       - name: Write Safe Outputs Tools
         run: |
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_93b4bd7c76cce012_EOF'
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_552aefe14a45f5be_EOF'
           {
             "description_suffixes": {
               "update_release": " CONSTRAINTS: Maximum 1 release(s) can be updated."
@@ -387,8 +387,8 @@ jobs:
             "repo_params": {},
             "dynamic_tools": []
           }
-          GH_AW_SAFE_OUTPUTS_TOOLS_META_93b4bd7c76cce012_EOF
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_5a31d409180c0962_EOF'
+          GH_AW_SAFE_OUTPUTS_TOOLS_META_552aefe14a45f5be_EOF
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_aa58c13243672dd6_EOF'
           {
             "missing_data": {
               "defaultMax": 20,
@@ -473,7 +473,7 @@ jobs:
               }
             }
           }
-          GH_AW_SAFE_OUTPUTS_VALIDATION_5a31d409180c0962_EOF
+          GH_AW_SAFE_OUTPUTS_VALIDATION_aa58c13243672dd6_EOF
           node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
       - name: Generate Safe Outputs MCP Server Config
         id: safe-outputs-config
@@ -543,7 +543,7 @@ jobs:
           export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.11'
           
           mkdir -p /home/runner/.copilot
-          cat << GH_AW_MCP_CONFIG_85c7893264a84bb6_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+          cat << GH_AW_MCP_CONFIG_c313bb4a07e4ca32_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
           {
             "mcpServers": {
               "github": {
@@ -584,7 +584,7 @@ jobs:
               "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
             }
           }
-          GH_AW_MCP_CONFIG_85c7893264a84bb6_EOF
+          GH_AW_MCP_CONFIG_c313bb4a07e4ca32_EOF
       - name: Download activation artifact
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
@@ -1385,7 +1385,7 @@ jobs:
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
diff --git a/.github/workflows/release.md b/.github/workflows/release.md
index 7c3c4df6aba..a21ed471fa3 100644
--- a/.github/workflows/release.md
+++ b/.github/workflows/release.md
@@ -330,7 +330,7 @@ jobs:
         uses: docker/setup-buildx-action@v4
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
diff --git a/.github/workflows/shared/apm.md b/.github/workflows/shared/apm.md
index aee02e99a58..36782afa401 100644
--- a/.github/workflows/shared/apm.md
+++ b/.github/workflows/shared/apm.md
@@ -58,7 +58,7 @@ jobs:
           working-directory: /tmp/gh-aw/apm-workspace
       - name: Upload APM bundle artifact
         if: success()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ needs.activation.outputs.artifact_prefix }}apm
           path: ${{ steps.apm_pack.outputs.bundle-path }}
@@ -66,7 +66,7 @@ jobs:
 
 steps:
   - name: Download APM bundle artifact
-    uses: actions/download-artifact@v4
+    uses: actions/download-artifact@v8.0.1
     with:
       name: ${{ needs.activation.outputs.artifact_prefix }}apm
       path: /tmp/gh-aw/apm-bundle
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index d7154e9a16c..f687b3b264f 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -796,7 +796,7 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
       - name: Download APM bundle artifact
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: ${{ needs.activation.outputs.artifact_prefix }}apm
           path: /tmp/gh-aw/apm-bundle
@@ -2332,7 +2332,7 @@ jobs:
           working-directory: /tmp/gh-aw/apm-workspace
       - name: Upload APM bundle artifact
         if: success()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: ${{ needs.activation.outputs.artifact_prefix }}apm
           path: ${{ steps.apm_pack.outputs.bundle-path }}
diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml
index f6e637133a9..3872cfefeba 100644
--- a/.github/workflows/stale-repo-identifier.lock.yml
+++ b/.github/workflows/stale-repo-identifier.lock.yml
@@ -30,7 +30,7 @@
 #     - shared/reporting.md
 #     - shared/trending-charts-simple.md
 #
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"ad4ae7cfa286504852c789e807486605e3da246a6f31154bb025398ff47c8262","strict":true,"agent_id":"copilot"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"771b4788c1532c9d57dcb31e2c09ee99602cb99270beebe73d8c1e79e768eda2","strict":true,"agent_id":"copilot"}
 
 name: "Stale Repository Identifier"
 "on":
@@ -149,15 +149,15 @@ jobs:
         run: |
           bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
           {
-          cat << 'GH_AW_PROMPT_be259b00779d7244_EOF'
+          cat << 'GH_AW_PROMPT_15bdcf8c07f5565d_EOF'
           <system>
-          GH_AW_PROMPT_be259b00779d7244_EOF
+          GH_AW_PROMPT_15bdcf8c07f5565d_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_be259b00779d7244_EOF'
+          cat << 'GH_AW_PROMPT_15bdcf8c07f5565d_EOF'
           <safe-output-tools>
           Tools: create_issue(max:10), upload_asset, missing_tool, missing_data, noop
           
@@ -191,9 +191,9 @@ jobs:
           {{/if}}
           </github-context>
           
-          GH_AW_PROMPT_be259b00779d7244_EOF
+          GH_AW_PROMPT_15bdcf8c07f5565d_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_be259b00779d7244_EOF'
+          cat << 'GH_AW_PROMPT_15bdcf8c07f5565d_EOF'
           </system>
           {{#runtime-import .github/workflows/shared/github-guard-policy.md}}
           {{#runtime-import .github/workflows/shared/python-dataviz.md}}
@@ -201,7 +201,7 @@ jobs:
           {{#runtime-import .github/workflows/shared/trending-charts-simple.md}}
           {{#runtime-import .github/workflows/shared/reporting.md}}
           {{#runtime-import .github/workflows/stale-repo-identifier.md}}
-          GH_AW_PROMPT_be259b00779d7244_EOF
+          GH_AW_PROMPT_15bdcf8c07f5565d_EOF
           } > "$GH_AW_PROMPT"
       - name: Interpolate variables and render templates
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -397,7 +397,7 @@ jobs:
           ORGANIZATION: ${{ env.ORGANIZATION }}
         id: stale-repos
         name: Run stale-repos tool
-        uses: github/stale-repos@7683f9d6900857a9e6dad8a3277a33bcc0b51d44 # v9.0.6
+        uses: github/stale-repos@25946246f29e8692a397502045e457c4dc96c6e4 # v9.0.7
       - env:
           INACTIVE_REPOS: ${{ steps.stale-repos.outputs.inactiveRepos }}
         name: Save stale repos output
@@ -467,12 +467,12 @@ jobs:
           mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
           mkdir -p /tmp/gh-aw/safeoutputs
           mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_92764b1d01a6befe_EOF'
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_44ccd17c6debcb36_EOF'
           {"create_issue":{"expires":48,"group":true,"labels":["stale-repository","automated-analysis","cookie"],"max":10,"title_prefix":"[Stale Repository] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_92764b1d01a6befe_EOF
+          GH_AW_SAFE_OUTPUTS_CONFIG_44ccd17c6debcb36_EOF
       - name: Write Safe Outputs Tools
         run: |
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_cc2e01d80ecf1001_EOF'
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_2da6dc811fdfcdc4_EOF'
           {
             "description_suffixes": {
               "create_issue": " CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[Stale Repository] \". Labels [\"stale-repository\" \"automated-analysis\" \"cookie\"] will be automatically added.",
@@ -481,8 +481,8 @@ jobs:
             "repo_params": {},
             "dynamic_tools": []
           }
-          GH_AW_SAFE_OUTPUTS_TOOLS_META_cc2e01d80ecf1001_EOF
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_9aeb01a057a49082_EOF'
+          GH_AW_SAFE_OUTPUTS_TOOLS_META_2da6dc811fdfcdc4_EOF
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_9839b8d8917b59f2_EOF'
           {
             "create_issue": {
               "defaultMax": 1,
@@ -584,7 +584,7 @@ jobs:
               }
             }
           }
-          GH_AW_SAFE_OUTPUTS_VALIDATION_9aeb01a057a49082_EOF
+          GH_AW_SAFE_OUTPUTS_VALIDATION_9839b8d8917b59f2_EOF
           node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
       - name: Generate Safe Outputs MCP Server Config
         id: safe-outputs-config
@@ -655,7 +655,7 @@ jobs:
           export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.11'
           
           mkdir -p /home/runner/.copilot
-          cat << GH_AW_MCP_CONFIG_907a1f67810a7780_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+          cat << GH_AW_MCP_CONFIG_ebcf5ba4522a9a8c_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
           {
             "mcpServers": {
               "github": {
@@ -699,7 +699,7 @@ jobs:
               "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
             }
           }
-          GH_AW_MCP_CONFIG_907a1f67810a7780_EOF
+          GH_AW_MCP_CONFIG_ebcf5ba4522a9a8c_EOF
       - name: Download activation artifact
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
diff --git a/.github/workflows/stale-repo-identifier.md b/.github/workflows/stale-repo-identifier.md
index 170cc65692c..2a85b92a835 100644
--- a/.github/workflows/stale-repo-identifier.md
+++ b/.github/workflows/stale-repo-identifier.md
@@ -71,7 +71,7 @@ env:
 steps:
   - name: Run stale-repos tool
     id: stale-repos
-    uses: github/stale-repos@v9.0.6
+    uses: github/stale-repos@v9.0.7
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       ORGANIZATION: ${{ env.ORGANIZATION }}
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml
index d9783bd09f0..d116078d81e 100644
--- a/.github/workflows/super-linter.lock.yml
+++ b/.github/workflows/super-linter.lock.yml
@@ -26,7 +26,7 @@
 #   Imports:
 #     - shared/reporting.md
 #
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"5b9cd290de19c2efeff8252adba4ccf92c1ed04fd02a082e0ec221ec5ef8de02","strict":true,"agent_id":"copilot"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"2ce2d0b512b7d66eaad655313191a13858000f445b94035ad25b974fbe30a84e","strict":true,"agent_id":"copilot"}
 
 name: "Super Linter Report"
 "on":
@@ -138,15 +138,15 @@ jobs:
         run: |
           bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
           {
-          cat << 'GH_AW_PROMPT_d6daea83f2b7f2f9_EOF'
+          cat << 'GH_AW_PROMPT_f9312b7d4d7ec843_EOF'
           <system>
-          GH_AW_PROMPT_d6daea83f2b7f2f9_EOF
+          GH_AW_PROMPT_f9312b7d4d7ec843_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_d6daea83f2b7f2f9_EOF'
+          cat << 'GH_AW_PROMPT_f9312b7d4d7ec843_EOF'
           <safe-output-tools>
           Tools: create_issue, missing_tool, missing_data, noop
           </safe-output-tools>
@@ -178,13 +178,13 @@ jobs:
           {{/if}}
           </github-context>
           
-          GH_AW_PROMPT_d6daea83f2b7f2f9_EOF
+          GH_AW_PROMPT_f9312b7d4d7ec843_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_d6daea83f2b7f2f9_EOF'
+          cat << 'GH_AW_PROMPT_f9312b7d4d7ec843_EOF'
           </system>
           {{#runtime-import .github/workflows/shared/reporting.md}}
           {{#runtime-import .github/workflows/super-linter.md}}
-          GH_AW_PROMPT_d6daea83f2b7f2f9_EOF
+          GH_AW_PROMPT_f9312b7d4d7ec843_EOF
           } > "$GH_AW_PROMPT"
       - name: Interpolate variables and render templates
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -384,12 +384,12 @@ jobs:
           mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
           mkdir -p /tmp/gh-aw/safeoutputs
           mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_a9ec6f51acf85ea6_EOF'
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_e31b82dc27fd45ad_EOF'
           {"create_issue":{"expires":48,"labels":["automation","code-quality","cookie"],"max":1,"title_prefix":"[linter] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_a9ec6f51acf85ea6_EOF
+          GH_AW_SAFE_OUTPUTS_CONFIG_e31b82dc27fd45ad_EOF
       - name: Write Safe Outputs Tools
         run: |
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_fb8ab4920bf3ab66_EOF'
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_43d2fc9abe622dfe_EOF'
           {
             "description_suffixes": {
               "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[linter] \". Labels [\"automation\" \"code-quality\" \"cookie\"] will be automatically added."
@@ -397,8 +397,8 @@ jobs:
             "repo_params": {},
             "dynamic_tools": []
           }
-          GH_AW_SAFE_OUTPUTS_TOOLS_META_fb8ab4920bf3ab66_EOF
-          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_a02512d0a41fab85_EOF'
+          GH_AW_SAFE_OUTPUTS_TOOLS_META_43d2fc9abe622dfe_EOF
+          cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_d2eea57464929003_EOF'
           {
             "create_issue": {
               "defaultMax": 1,
@@ -491,7 +491,7 @@ jobs:
               }
             }
           }
-          GH_AW_SAFE_OUTPUTS_VALIDATION_a02512d0a41fab85_EOF
+          GH_AW_SAFE_OUTPUTS_VALIDATION_d2eea57464929003_EOF
           node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
       - name: Generate Safe Outputs MCP Server Config
         id: safe-outputs-config
@@ -561,7 +561,7 @@ jobs:
           export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.11'
           
           mkdir -p /home/runner/.copilot
-          cat << GH_AW_MCP_CONFIG_f9d5fed765588cd7_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+          cat << GH_AW_MCP_CONFIG_9891f0fddf3fb195_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
           {
             "mcpServers": {
               "github": {
@@ -602,7 +602,7 @@ jobs:
               "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
             }
           }
-          GH_AW_MCP_CONFIG_f9d5fed765588cd7_EOF
+          GH_AW_MCP_CONFIG_9891f0fddf3fb195_EOF
       - name: Download activation artifact
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
@@ -1162,7 +1162,7 @@ jobs:
           persist-credentials: false
       - name: Super-linter
         id: super-linter
-        uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
+        uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0
         env:
           CREATE_LOG_FILE: "true"
           DEFAULT_BRANCH: main
diff --git a/.github/workflows/super-linter.md b/.github/workflows/super-linter.md
index b37b4c05dbb..7996fc264b9 100644
--- a/.github/workflows/super-linter.md
+++ b/.github/workflows/super-linter.md
@@ -37,7 +37,7 @@ jobs:
           persist-credentials: false
       
       - name: Super-linter
-        uses: super-linter/super-linter@v8.5.0 # x-release-please-version
+        uses: super-linter/super-linter@v8.6.0 # x-release-please-version
         id: super-linter
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -183,7 +183,7 @@ docker run --rm \
   -e RUN_LOCAL=true \
   -e VALIDATE_MARKDOWN=true \
   -v $(pwd):/tmp/lint \
-  ghcr.io/super-linter/super-linter:slim-v8.5.0
+  ghcr.io/super-linter/super-linter:slim-v8.6.0
 
 # Run super-linter on specific file types only
 # For example, to validate only Markdown files:
@@ -191,7 +191,7 @@ docker run --rm \
   -e RUN_LOCAL=true \
   -e VALIDATE_MARKDOWN=true \
   -v $(pwd):/tmp/lint \
-  ghcr.io/super-linter/super-linter:slim-v8.5.0
+  ghcr.io/super-linter/super-linter:slim-v8.6.0
 ```
 
 **Note**: The Docker command uses the same super-linter configuration as this workflow. Files are mounted from your current directory to `/tmp/lint` in the container.
diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json
index a4d78b7fdc6..2d1437ab728 100644
--- a/pkg/workflow/data/action_pins.json
+++ b/pkg/workflow/data/action_pins.json
@@ -136,7 +136,12 @@
     "docker/login-action@v4": {
       "repo": "docker/login-action",
       "version": "v4",
-      "sha": "b45d80f862d83dbcd57f89517bcf500b2ab88fb2"
+      "sha": "4907a6ddec9925e35a0a9e82d7399ccc52663121"
+    },
+    "docker/login-action@v4.1.0": {
+      "repo": "docker/login-action",
+      "version": "v4.1.0",
+      "sha": "4907a6ddec9925e35a0a9e82d7399ccc52663121"
     },
     "docker/metadata-action@v6": {
       "repo": "docker/metadata-action",
@@ -168,6 +173,11 @@
       "version": "v9.0.6",
       "sha": "7683f9d6900857a9e6dad8a3277a33bcc0b51d44"
     },
+    "github/stale-repos@v9.0.7": {
+      "repo": "github/stale-repos",
+      "version": "v9.0.7",
+      "sha": "25946246f29e8692a397502045e457c4dc96c6e4"
+    },
     "haskell-actions/setup@v2.10.3": {
       "repo": "haskell-actions/setup",
       "version": "v2.10.3",
@@ -192,6 +202,11 @@
       "repo": "super-linter/super-linter",
       "version": "v8.5.0",
       "sha": "61abc07d755095a68f4987d1c2c3d1d64408f1f9"
+    },
+    "super-linter/super-linter@v8.6.0": {
+      "repo": "super-linter/super-linter",
+      "version": "v8.6.0",
+      "sha": "9e863354e3ff62e0727d37183162c4a88873df41"
     }
   }
 }