Bump act-sdk from 0.2.3 to 0.2.8

[dependabot]

Bumps act-sdk from 0.2.3 to 0.2.8.

Changelog

Sourced from act-sdk's changelog.

[0.2.8] - 2026-03-31

Fixed

• Components no longer need serde or schemars as direct dependencies — the macro injects use ::act_sdk::__private::{serde, schemars} and #[serde(crate = "...")] on generated arg structs

[0.2.7] - 2026-03-31

Added

• act.toml manifest file support — component metadata and capabilities are now read from act.toml at compile time, with fallback to Cargo.toml and #[act_component] attribute overrides
• FilesystemCap, HttpCap, SocketsCap typed capability structs
• Capabilities::has(), Capabilities::fs_mount_root() helper methods
• Serde alias attributes on ComponentInfo for dual CBOR/TOML deserialization

Changed

• Breaking: ComponentInfo.capabilities is now a typed Capabilities struct (was Vec<ComponentCapability>)
• std:capabilities serializes as a CBOR map keyed by capability ID per spec v0.2.0 (was array of structs)
• mount-root moved from top-level std:fs:mount-root into capabilities.wasi:filesystem.mount-root

Removed

• ComponentCapability struct
• COMPONENT_FS_MOUNT_ROOT constant

[0.2.6] - 2026-03-30

Added

• embed_skill!("skill/") macro — embeds an Agent Skills directory as an act:skill WASM custom section (uncompressed tar). See ACT-AGENTSKILLS.md.
• SECURITY.md with supply chain and sandbox policies

Changed

• #[act_component] attributes are now optional — name, version, description default to Cargo.toml values (CARGO_PKG_NAME, CARGO_PKG_VERSION, CARGO_PKG_DESCRIPTION)

[0.2.5] - 2026-03-26

Changed

• Publish workflow now uses crates.io trusted publishing (OIDC) instead of long-lived API token

[0.2.4] - 2026-03-23

Fixed

• decode_content_data now treats application/json as UTF-8 text (same as text/*), instead of attempting CBOR decode and falling back to base64
• IntoResponse for serde_json::Value now encodes as JSON bytes (serde_json::to_vec), not CBOR — previously the data was CBOR-encoded but labeled application/json

Commits

• 6142501 Release 0.2.8
• d4d755a fix(act-sdk-macros): inject serde/schemars imports so components don't need d...
• 5621d6d Release 0.2.7
• 93c168b refactor: deserialize act.toml directly into ComponentInfo
• c01fdf2 feat(act-sdk-macros): read act.toml manifest for component metadata
• 4425056 feat(act-types): replace ComponentCapability with typed Capabilities struct
• 3c0b9b6 Release 0.2.6
• 76dff9f feat: add embed_skill!() macro for act:skill WASM custom section
• 5146277 feat: derive component name/version/description from Cargo.toml
• 1412e75 docs: add SECURITY.md with supply chain and sandbox policies
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Looks like act-sdk is up-to-date now, so this is no longer needed.