
build(deps): bump github/gh-aw-actions from 0.77.5 to 0.78.3 #719

Merged: steipete merged 1 commit into main from dependabot/github_actions/github/gh-aw-actions-0.78.3 on Jun 8, 2026

dependabot Bot commented on behalf of github on Jun 8, 2026

Bumps github/gh-aw-actions from 0.77.5 to 0.78.3.

Release notes

Sourced from github/gh-aw-actions's releases.

v0.78.3

Sync of actions from gh-aw at v0.78.3.

v0.78.2

Sync of actions from gh-aw at v0.78.2.

v0.78.1

Sync of actions from gh-aw at v0.78.1.

v0.78.0

Sync of actions from gh-aw at v0.78.0.

v0.77.6

Sync of actions from gh-aw at v0.77.6.

Commits
  • 8cfea5a chore: sync actions from gh-aw@v0.78.3 (#140)
  • c30a47b Align Validate compat.json CI check with current compat metadata schema (#138)
  • 268bf92 chore: sync actions from gh-aw@v0.78.2 (#136)
  • 0fa9baa Sync workflow now includes models.json and model-multipliers.json (#135)
  • 73ed520 chore: sync actions from gh-aw@v0.78.1 (#132)
  • 166f6e3 chore: sync actions from gh-aw@v0.78.0 (#131)
  • 3928d9c chore: sync actions from gh-aw@v0.77.6 (#130)
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/gh-aw-actions](https://github.com/github/gh-aw-actions) from 0.77.5 to 0.78.3.
- [Release notes](https://github.com/github/gh-aw-actions/releases)
- [Changelog](https://github.com/github/gh-aw-actions/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw-actions@3ea13c0...8cfea5a)

---
updated-dependencies:
- dependency-name: github/gh-aw-actions
  dependency-version: 0.78.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added labels on Jun 8, 2026:

  • dependencies: Pull requests that update a dependency file
  • github_actions: Pull requests that update GitHub Actions code

clawsweeper Bot commented on Jun 8, 2026

Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 2:23 AM ET / 06:23 UTC.

Summary
This PR updates the pinned github/gh-aw-actions setup/setup-cli references from v0.77.5 to v0.78.3 in the Copilot setup, localization audit, and repo-assist workflows.

Reproducibility: not applicable. This is a dependency update PR rather than a bug report. Source inspection confirms current main still has the old v0.77.5 pins that the PR updates.

Review metrics: 2 noteworthy metrics.

  • Workflow pins updated: 3 files, 15 references changed. All local changes are SHA/comment updates for the same GitHub Action across setup and generated workflow files.
  • Upstream action delta: 7 verified commits, 97 upstream files changed. The dependency version carries runtime action changes that are larger than the local pin-only diff.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Wait for the in-progress build jobs or equivalent workflow evidence before merging.

Risk before merge

  • [P1] The updated action code is executed by workflow automation that uses repository tokens and write permissions, so local .NET tests alone do not prove the setup/setup-cli runtime paths are safe.
  • [P1] The upstream dependency delta is larger than the local diff: seven verified upstream commits and 97 changed upstream files, including setup, harness, and safe-output scripts.
  • [P1] At inspection, some PR check runs were still in progress; merge should wait for current workflow evidence rather than relying only on source inspection.

Maintainer options:

  1. Wait For Workflow Evidence (recommended)
    Merge after the PR head has successful checks for the affected setup/build paths or an equivalent maintainer-reviewed workflow run using the new pinned action SHA.
  2. Accept The Pinned Upstream Bump
    Maintainers can merge based on the immutable upstream release and narrow local diff if they are comfortable that normal CI coverage is enough for this automation update.

Next step before merge

  • [P2] No repair lane is needed; the PR has no actionable patch defect and should proceed through workflow checks plus maintainer merge review.

Security
Cleared: No concrete security regression was found in the local diff: the PR keeps immutable SHA pins and targets a published upstream v0.78.3 release, though the workflow-action bump remains supply-chain-sensitive.

Review details

Best possible solution:

Merge the dependency bump only after the affected workflow paths, especially Copilot setup and the generated agentic workflows, have successful status evidence against the new pinned action SHA.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency update PR rather than a bug report. Source inspection confirms current main still has the old v0.77.5 pins that the PR updates.

Is this the best way to solve the issue?

Yes; updating the existing immutable SHA pins and matching comments is the narrowest maintainable way to take this dependency bump. The remaining decision is workflow validation and maintainer trust in the upstream action release, not a code repair.

AGENTS.md: found, but no applicable review policy affected this item.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8bcd0f399abd.

Label changes

Label justifications:

  • P3: This is a low-risk dependency maintenance PR with limited repository-local changes, but it still needs ordinary maintainer workflow validation.
  • merge-risk: 🚨 automation: The PR changes GitHub Action code used by Copilot setup and generated agentic workflows, so merge could affect CI or repository automation even with a narrow local diff.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Not applicable because this is a Dependabot bot dependency PR; workflow status evidence is still merge-relevant but contributor-supplied real behavior proof is not required.

Evidence reviewed

What I checked:

  • Repository policy read: AGENTS.md was read fully; it requires validation after changes, but this review made no repository changes and was explicitly read-only. (AGENTS.md:1, 8bcd0f399abd)
  • Current main still has old Copilot setup pin: Current main pins github/gh-aw-actions/setup-cli to 3ea13c02d765410340d533515cb31a7eef2baaf0 with the v0.77.5 comment. (.github/workflows/copilot-setup-steps.yml:24, 8bcd0f399abd)
  • Generated workflow setup pins are still old on main: Current main has v0.77.5 setup references in the generated localization and repo-assist lock workflows, including runtime setup steps. (.github/workflows/localization-audit.lock.yml:88, 8bcd0f399abd)
  • PR diff is narrow in this repository: The PR changes only three workflow files, replacing old SHA/comment pairs with the v0.78.3 SHA/comment pair. (a7f87d435b25)
  • Workflow automation uses repository tokens and write permissions: The affected generated workflows include secrets and jobs with write permissions, so the action bump is automation-sensitive even though the local diff is only pin updates. (.github/workflows/repo-assist.lock.yml:113, 8bcd0f399abd)
  • Upstream release exists for requested pin: The upstream v0.78.3 release is published, immutable, non-prerelease, and the PR pins to the corresponding upstream commit. (8cfea5ae9bee)

Likely related people:

  • Christine Yan: Git history shows commit 85445c7 introduced the three affected workflow files now being updated. (role: introduced workflow files; confidence: high; commits: 85445c78066b; files: .github/workflows/copilot-setup-steps.yml, .github/workflows/localization-audit.lock.yml, .github/workflows/repo-assist.lock.yml)
  • dependabot[bot]: The same three workflow files were most recently updated on main by a prior gh-aw-actions Dependabot bump in commit 4a74527. (role: recent dependency pin updater; confidence: medium; commits: 4a74527773ce; files: .github/workflows/copilot-setup-steps.yml, .github/workflows/localization-audit.lock.yml, .github/workflows/repo-assist.lock.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

clawsweeper Bot added labels on Jun 8, 2026:

  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.
  • merge-risk: 🚨 automation: 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation.

steipete merged commit 71d2497 into main on Jun 8, 2026
24 checks passed
steipete deleted the dependabot/github_actions/github/gh-aw-actions-0.78.3 branch on June 8, 2026 21:54
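
The review in this thread rests on every `uses:` reference carrying an immutable SHA with a matching version comment, updated consistently across the three workflow files. As an added example (not part of this PR, Dependabot, or ClawSweeper), a small local audit of that property follows; the workflow fragments are constructed, `audit_pins` is a hypothetical name, and `NEW` is a placeholder because the full v0.78.3 SHA does not appear on this page.

```python
import re
from collections import Counter

# `uses: owner/repo[/subpath]@ref  # version-comment`
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)(?:\s+#\s*(\S+))?")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def audit_pins(files):
    """files maps path -> workflow text; returns sorted (path, line, problem) tuples."""
    findings, pinned = [], []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m:
                continue  # local (./path) and docker:// references are out of scope
            repo, ref, comment = m.groups()
            if not FULL_SHA.fullmatch(ref):
                findings.append((path, lineno, f"{repo}: mutable ref '{ref}'"))
            elif comment is None:
                findings.append((path, lineno, f"{repo}: SHA pin without version comment"))
            else:
                pinned.append((path, lineno, repo, (ref, comment)))
    # Heuristic: after a bump, every reference to one action repo should carry the
    # same SHA/comment pair; anything differing from the majority pair is stale.
    for repo in {p[2] for p in pinned}:
        pairs = Counter(p[3] for p in pinned if p[2] == repo)
        expected = pairs.most_common(1)[0][0]
        for path, lineno, r, pair in pinned:
            if r == repo and pair != expected:
                findings.append((path, lineno, f"{repo}: stale pin {pair[0][:12]} ({pair[1]})"))
    return sorted(findings)

OLD = "3ea13c02d765410340d533515cb31a7eef2baaf0"  # v0.77.5 pin quoted in the review
NEW = "0" * 40  # placeholder: the full v0.78.3 SHA is not on this page
SAMPLE = {  # constructed workflow fragments, not the repository's files
    "copilot-setup-steps.yml": f"    - uses: github/gh-aw-actions/setup-cli@{NEW} # v0.78.3\n",
    "localization-audit.lock.yml": (
        f"      - uses: github/gh-aw-actions/setup@{NEW} # v0.78.3\n"
        f"      - uses: github/gh-aw-actions/setup@{OLD} # v0.77.5\n"
    ),
    "repo-assist.lock.yml": (
        f"      - uses: github/gh-aw-actions/setup@{NEW}\n"
        "      - uses: actions/checkout@v4\n"
    ),
}

if __name__ == "__main__":
    for finding in audit_pins(SAMPLE):
        print(*finding, sep=": ")
```

This checks only local consistency. It does not confirm that a pinned SHA is the commit the upstream tag in the comment points to, which still has to be verified against the upstream repository.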