chore(deps-dev): bump @github/copilot-sdk from 1.0.0 to 1.0.1 in /actions/setup/js

[dependabot]

Bumps @github/copilot-sdk from 1.0.0 to 1.0.1.

Release notes

Sourced from @​github/copilot-sdk's releases.

GitHub Copilot SDK for Java 1.0.1

Installation

⚠️ Artifact versioning plan: Releases of this implementation track releases of the reference implementation. For each release of the reference implementation, there may follow a corresponding release of this implementation with the same number as the reference implementation. Release identifiers of the reference implementation are in the form vMaj.Min.Micro. For example v0.1.32. The corresponding maven version for the release will be Maj.Min.Micro-java.N, where Maj, Min and Micro are the corresponding numbers for the reference implementation release, and N is a monotonically increasing sequence number starting with 0 for each release. See the corresponding architectural decision record for more information in the docs/adr directory of the source code.

📦 [View on Maven Central](https://github.com/github/copilot-sdk/blob/HEAD/(central.sonatype.com/redacted)

📖 [Documentation](https://github.com/github/copilot-sdk/blob/HEAD/(github.github.io/redacted) · [Javadoc](https://github.com/github/copilot-sdk/blob/HEAD/(github.github.io/redacted)

Maven

<dependency>
    <groupId>com.github</groupId>
    <artifactId>copilot-sdk-java</artifactId>
    <version>1.0.1</version>
</dependency>

Gradle (Kotlin DSL)

implementation("com.github:copilot-sdk-java:1.0.1")

Gradle (Groovy DSL)

implementation 'com.github:copilot-sdk-java:1.0.1'

---

Feature: @CopilotExperimental compile-time gate for experimental APIs

Experimental SDK APIs are now guarded by the @CopilotExperimental annotation. Using them causes a compile error by default; opt in by annotating the consuming class or method with @AllowCopilotExperimental, or pass -Acopilot.experimental.allowed=true to the Java compiler. (#1601)

`@AllowCopilotExperimental`
public class MyHandler {
    // may use `@CopilotExperimental` APIs here
}

Feature: open-canvases snapshot on CopilotSession

CopilotSession.getOpenCanvases() now returns the live set of canvas instances open for the session, bringing the Java SDK to parity with the other SDK languages. The snapshot is seeded from the session create/resume response and kept current via session.canvas.opened and session.canvas.closed events. (#1606)

List<OpenCanvasInstance> open = session.getOpenCanvases();

... (truncated)

Commits

• f2e8469 # Java codegen: clean output directory before generating to prevent orphan ac...
• 53ffb24 Update @​github/copilot to 1.0.61 (#1612)
• 3cbeae5 Add E2E coverage for newly added RPC methods across all SDKs (#1610)
• 9e9cfbe Add @CopilotExperimental compile-time gate for experimental APIs (#1601)
• 391bcd4 Handle session.canvas.closed by removing from open_canvases snapshot (#1604)
• ba94f95 Update @​github/copilot to 1.0.60 (#1597)
• 7d6bc92 Fix flaky SessionFs workspace metadata E2E test (#1599)
• 7de72a6 Update grep replay snapshot for absolute paths (#1598)
• f54e3ac Fix Go and Rust code generators (#1596)
• 9c4d637 Stop compiling Java in dependency update workflow (#1594)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Thanks for the automated bump of @github/copilot-sdk to 1.0.1, @dependabot! 🤖 The direct change is a clean one-liner in package.json, but the lock file update pulls in new transitive packages that were not present before and warrant a quick maintainer review:

• os-theme@0.0.8 + platform binaries (os-theme/darwin-arm64, os-theme/linux-x64, os-theme/win32-x64) — a new dependency of github/copilot@1.0.63
• typescript@5.9.3 — added as a peer dependency of os-theme

Before merging, it is worth verifying these additions are expected and trusted. Here is a prompt for an agent to do that check:

Review the new transitive dependencies introduced by the copilot-sdk 1.0.0 to 1.0.1 bump in actions/setup/js/package-lock.json:
- os-theme@0.0.8 (and os-theme/darwin-arm64, os-theme/linux-x64, os-theme/win32-x64)
- typescript@5.9.3 (peer dep of os-theme)

For each new package:
1. Confirm it appears in the copilot-sdk or copilot release notes as an intentional addition.
2. Check that the resolved registry URL is npmjs.org and the integrity hash is present in the lock file.
3. Summarise whether these additions are safe to approve or flag any concerns.

Generated by ✅ Contribution Check · 515.4 AIC · ⌖ 13.5 AIC · ⊞ 24.7K · ◷