chore: upgrade all workflows from v0.67.0 to v0.68.0 (#3504)

## Summary

Upgrades all 31 agentic workflows from `v0.67.0` to `v0.68.0`.

## Changes

### Compiler upgrade
- All 31 `.lock.yml` files recompiled with `gh aw v0.68.0`
- Updated `actions-lock.json`, `agentics-maintenance.yml`, agent config

### Remove deprecated `tools.serena`
The v0.68.0 compiler rejects `serena` as an unknown tool name. Removed
from 5 workflows:
- `duplicate-code-detector.md` — was serena-only, replaced with `bash:
true`
- `go-fan.md` — removed tool + stale Serena memory/usage references from
prompt
- `smoke-copilot.md` — removed tool + Serena MCP test steps from prompt
- `test-coverage-improver.md` — removed tool
- `test-improver.md` — removed tool

### Security review
- New action: `github/gh-aw-actions/setup` — first-party GitHub action
for gh-aw setup, safe
- No new secrets introduced
- No new external network access

Author: lpcox

.github/agents/agentic-workflows.agent.md

@@ -30,7 +30,7 @@ Workflows may optionally include:
 - Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md`
 - Workflow lock files: `.github/workflows/*.lock.yml`
 - Shared components: `.github/workflows/shared/*.md`
-- Configuration: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/github-agentic-workflows.md
+- Configuration: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/github-agentic-workflows.md
 
 ## Problems This Solves
 
@@ -52,7 +52,7 @@ When you interact with this agent, it will:
 ### Create New Workflow
 **Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet
 
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/create-agentic-workflow.md
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/create-agentic-workflow.md
 
 **Use cases**:
 - "Create a workflow that triages issues"
@@ -62,7 +62,7 @@ When you interact with this agent, it will:
 ### Update Existing Workflow  
 **Load when**: User wants to modify, improve, or refactor an existing workflow
 
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/update-agentic-workflow.md
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/update-agentic-workflow.md
 
 **Use cases**:
 - "Add web-fetch tool to the issue-classifier workflow"
@@ -72,7 +72,7 @@ When you interact with this agent, it will:
 ### Debug Workflow  
 **Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors
 
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/debug-agentic-workflow.md
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/debug-agentic-workflow.md
 
 **Use cases**:
 - "Why is this workflow failing?"
@@ -82,7 +82,7 @@ When you interact with this agent, it will:
 ### Upgrade Agentic Workflows
 **Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations
 
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/upgrade-agentic-workflows.md
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/upgrade-agentic-workflows.md
 
 **Use cases**:
 - "Upgrade all workflows to the latest version"
@@ -92,7 +92,7 @@ When you interact with this agent, it will:
 ### Create a Report-Generating Workflow
 **Load when**: The workflow being created or updated produces reports — recurring status updates, audit summaries, analyses, or any structured output posted as a GitHub issue, discussion, or comment
 
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/report.md
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/report.md
 
 **Use cases**:
 - "Create a weekly CI health report"
@@ -102,7 +102,7 @@ When you interact with this agent, it will:
 ### Create Shared Agentic Workflow
 **Load when**: User wants to create a reusable workflow component or wrap an MCP server
 
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/create-shared-agentic-workflow.md
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/create-shared-agentic-workflow.md
 
 **Use cases**:
 - "Create a shared component for Notion integration"
@@ -112,7 +112,7 @@ When you interact with this agent, it will:
 ### Fix Dependabot PRs
 **Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`)
 
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/dependabot.md
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/dependabot.md
 
 **Use cases**:
 - "Fix the open Dependabot PRs for npm dependencies"
@@ -122,7 +122,7 @@ When you interact with this agent, it will:
 ### Analyze Test Coverage
 **Load when**: The workflow reads, analyzes, or reports test coverage — whether triggered by a PR, a schedule, or a slash command. Always consult this prompt before designing the coverage data strategy.
 
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/test-coverage.md
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/test-coverage.md
 
 **Use cases**:
 - "Create a workflow that comments coverage on PRs"
@@ -169,10 +169,10 @@ gh aw compile --validate
 
 ## Important Notes
 
-- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/github-agentic-workflows.md for complete documentation
+- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/github-agentic-workflows.md for complete documentation
 - Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud
 - Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
 - **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
 - Follow security best practices: minimal permissions, explicit network access, no template injection
-- **Network configuration**: Use ecosystem identifiers (`node`, `python`, `go`, etc.) or explicit FQDNs in `network.allowed`. Bare shorthands like `npm` or `pypi` are **not** valid. See https://github.com/github/gh-aw/blob/v0.67.0/.github/aw/network.md for the full list of valid ecosystem identifiers and domain patterns.
+- **Network configuration**: Use ecosystem identifiers (`node`, `python`, `go`, etc.) or explicit FQDNs in `network.allowed`. Bare shorthands like `npm` or `pypi` are **not** valid. See https://github.com/github/gh-aw/blob/v0.68.0/.github/aw/network.md for the full list of valid ecosystem identifiers and domain patterns.
 - **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.

.github/aw/actions-lock.json

@@ -175,25 +175,15 @@
       "version": "v4.35.1",
       "sha": "0e9f55954318745b37b7933c693bc093f7336125"
     },
-    "github/gh-aw-actions/setup-cli@v0.65.3": {
+    "github/gh-aw-actions/setup-cli@v0.68.0": {
       "repo": "github/gh-aw-actions/setup-cli",
-      "version": "v0.65.3",
-      "sha": "6b4da262b8f7e0e253d1ae84f400a843b918a4ab"
-    },
-    "github/gh-aw-actions/setup-cli@v0.67.0": {
-      "repo": "github/gh-aw-actions/setup-cli",
-      "version": "v0.67.0",
-      "sha": "cde65c546c2b0f6d3f3a9492a04e6687887c4fe8"
-    },
-    "github/gh-aw-actions/setup@v0.65.3": {
-      "repo": "github/gh-aw-actions/setup",
-      "version": "v0.65.3",
-      "sha": "6b4da262b8f7e0e253d1ae84f400a843b918a4ab"
+      "version": "v0.68.0",
+      "sha": "0acfb4a691fe207cd8bc982ea5cb9d750d57a702"
     },
-    "github/gh-aw-actions/setup@v0.67.0": {
+    "github/gh-aw-actions/setup@v0.68.0": {
       "repo": "github/gh-aw-actions/setup",
-      "version": "v0.67.0",
-      "sha": "cde65c546c2b0f6d3f3a9492a04e6687887c4fe8"
+      "version": "v0.68.0",
+      "sha": "0acfb4a691fe207cd8bc982ea5cb9d750d57a702"
     },
     "github/gh-aw/actions/setup@v0.65.3": {
       "repo": "github/gh-aw/actions/setup",

.github/workflows/agentics-maintenance.yml

@@ -12,7 +12,7 @@
 # \  /\  / (_) | | | | ( | | | | (_) \ V  V /\__ \
 #  \/  \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
 #
-# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.67.0). DO NOT EDIT.
+# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.68.0). DO NOT EDIT.
 #
 # To regenerate this workflow, run:
 #   gh aw compile
@@ -68,7 +68,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@cde65c546c2b0f6d3f3a9492a04e6687887c4fe8 # v0.67.0
+        uses: github/gh-aw-actions/setup@0acfb4a691fe207cd8bc982ea5cb9d750d57a702 # v0.68.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -113,7 +113,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@cde65c546c2b0f6d3f3a9492a04e6687887c4fe8 # v0.67.0
+        uses: github/gh-aw-actions/setup@0acfb4a691fe207cd8bc982ea5cb9d750d57a702 # v0.68.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -128,9 +128,9 @@ jobs:
             await main();
 
       - name: Install gh-aw
-        uses: github/gh-aw-actions/setup-cli@cde65c546c2b0f6d3f3a9492a04e6687887c4fe8 # v0.67.0
+        uses: github/gh-aw-actions/setup-cli@0acfb4a691fe207cd8bc982ea5cb9d750d57a702 # v0.68.0
         with:
-          version: v0.67.0
+          version: v0.68.0
 
       - name: Run operation
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -164,7 +164,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@cde65c546c2b0f6d3f3a9492a04e6687887c4fe8 # v0.67.0
+        uses: github/gh-aw-actions/setup@0acfb4a691fe207cd8bc982ea5cb9d750d57a702 # v0.68.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -204,7 +204,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@cde65c546c2b0f6d3f3a9492a04e6687887c4fe8 # v0.67.0
+        uses: github/gh-aw-actions/setup@0acfb4a691fe207cd8bc982ea5cb9d750d57a702 # v0.68.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -219,9 +219,9 @@ jobs:
             await main();
 
       - name: Install gh-aw
-        uses: github/gh-aw-actions/setup-cli@cde65c546c2b0f6d3f3a9492a04e6687887c4fe8 # v0.67.0
+        uses: github/gh-aw-actions/setup-cli@0acfb4a691fe207cd8bc982ea5cb9d750d57a702 # v0.68.0
         with:
-          version: v0.67.0
+          version: v0.68.0
 
       - name: Create missing labels
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8