Applied /diagnose. The actionlint pattern fix is correct and safe. Two minor non-blocking observations: (1) the PR description incorrectly claims no .lock.yml files are touched — 4 are changed; (2) the awk tool-allowlist additions to lock files are bundled without mention in the description. All changes are CI-config only with no production risk.