[actions] Update GitHub Actions versions - 2026-06-03

[github-actions]

GitHub Actions Updates - 2026-06-03

This PR updates GitHub Actions versions in .github/aw/actions-lock.json to their latest compatible releases.

📦 Actions Updated (full list)

Actions Updated

• actions/checkout: v4 + v6.0.2 → v6.0.3 (df4cb1c069e1874edd31b4311f1884172cec0e10)
• actions/setup-python: removed v5 alias (v6.2.0 remains)
• docker/build-push-action: v7.1.0 → v7.2.0 (f9f3042f7e2789586610d6e8b85c8f03e5195baf)
• docker/login-action: v4.1.0 → v4.2.0 (55f6f8f90d0a5da216c1cf8c5bc1db7e53ded68b)
• github/codeql-action/upload-sarif: v4.36.0 → v4.36.1 (87557b9c84dde89fdd9b10e88954ac2f4248e463)
• github/stale-repos: removed v9.0.8 alias (v9.0.14 remains)

Summary

• Total actions updated: 6 entries consolidated/updated
• Update command: gh aw update
• Workflow lock files: Not included (will be regenerated on next compile)

Notes

• All action updates respect semantic versioning and maintain compatibility
• Actions are pinned to commit SHAs for security
• Workflow .lock.yml files are excluded from this PR and will be regenerated during the next compilation

Testing

The updated actions will be automatically used in workflow compilations. No manual testing required.

---

This PR was automatically created by the Daily Workflow Updater workflow.

Generated by 🔧 Daily Workflow Updater · sonnet46 91.8K · ◷

• expires on Jun 4, 2026, 12:42 AM UTC-08:00

[github-actions]

Hey @app/github-actions 👋 — thanks for keeping the GitHub Actions versions up to date! This automated bump to .github/aw/actions-lock.json is clean and well-described.

A couple of things flagged by the checklist:

• Dependency changes — the rules ask for a quick discussion before merging any PR that modifies a dependency manifest (even a lock file). A core team member should sign off that the bumped versions (e.g. actions/checkout v6.0.3, docker/build-push-action v7.2.0) are safe to roll forward before this lands.
• No test changes — automated workflow updates don't always need new tests, but confirming that the existing CI suite passes against the bumped action versions would provide extra confidence.

If a core team member wants to fast-track validation, here's a ready-to-use agent prompt:

Review the GitHub Actions version bumps in `.github/aw/actions-lock.json` introduced in PR #36593.
For each updated action, verify:
1. The new pinned SHA matches the advertised tag in the upstream repository.
2. The release notes for the new version contain no breaking changes relevant to this repo's workflows.
3. All existing CI checks pass with the updated lock file.
Report any concerns before approving the merge.

Generated by ✅ Contribution Check · sonnet46 2.4M · ◷