merge queue: embarking main (139da33), #1859, #1940 and #1954 together

[mergify]

✨ The pull request #1954 has been manually updated. ✨

Branch main (139da33), #1859, #1940 and #1954 are embarked together for merge.

This pull request has been created by Mergify to speculatively check the mergeability of #1954.
You don't need to do anything. Mergify will close this pull request automatically when it is complete.

Required conditions of queue rule Github Actions Updates for merge:

• any of [🛡 GitHub repository ruleset rule main]:
  • check-neutral = Mergify Merge Protections
  • check-skipped = Mergify Merge Protections
  • check-success = Mergify Merge Protections

Required conditions to stay in the queue:

• any of [🛡 GitHub repository ruleset rule main]:
  • check-neutral = Mergify Merge Protections
  • check-skipped = Mergify Merge Protections
  • check-success = Mergify Merge Protections
• author = renovate[bot]
  • Update github/codeql-action action to v4.36.0 #1954
• any of:
  • files ~= ^.github/workflows
  • files ~= action.yaml$

---
checking_base_sha: 9e62e704aa7b5318c73e0ce0cc7714e37d6b834e
previous_failed_batches: []
pull_requests:
  - number: 1954
    scopes: []
scopes: []
...

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
.github/workflows/agentics-maintenance.yml	14% smaller
.github/workflows/ci_tools.yaml	14% smaller
.github/workflows/daily-malicious-code-scan.lock.yml	5% smaller
.github/workflows/agents-md-maintenance.lock.yml	0% smaller
.github/workflows/ci-coach.lock.yml	0% smaller
.github/workflows/ci-doctor.lock.yml	0% smaller
.github/workflows/code-simplifier.lock.yml	0% smaller
pyproject.toml	Unsupported file format
uv.lock	Unsupported file format

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	agno@​2.6.6 ⏵ 2.6.7	+1

View full report

[sourcery-ai]

Reviewer's Guide

This PR updates GitHub Actions workflow references to newer pinned commits for the gh-aw setup/setup-cli actions and CodeQL upload-sarif, and bumps the agno library dependency (and corresponding uv.lock) to a newer patch version.

File-Level Changes

Change	Details	Files
Update gh-aw GitHub Actions to v0.75.1 across CI and maintenance workflows.	Replace github/gh-aw-actions/setup@v0.74.8 with a pinned commit corresponding to v0.75.1 in multiple *.lock.yml workflows Replace github/gh-aw-actions/setup@v0.74.9 with the same v0.75.1 pinned commit in non-lock workflows Update github/gh-aw-actions/setup-cli@v0.74.9 to the v0.75.1 pinned commit where the CLI is installed	.github/workflows/ci-doctor.lock.yml .github/workflows/agents-md-maintenance.lock.yml .github/workflows/code-simplifier.lock.yml .github/workflows/ci-coach.lock.yml .github/workflows/daily-malicious-code-scan.lock.yml .github/workflows/agentics-maintenance.yml .github/workflows/ci_tools.yaml
Update CodeQL SARIF upload action to the latest patch version in the daily malicious code scan workflow.	Change github/codeql-action/upload-sarif from v4.35.5 to v4.36.0 using a new pinned commit SHA	.github/workflows/daily-malicious-code-scan.lock.yml
Bump agno Python dependency to a newer patch version and refresh the lockfile.	Increase agno[google,qdrant] minimum version from 2.6.6 to 2.6.7 in pyproject.toml Regenerate uv.lock to match the new dependency constraints	pyproject.toml uv.lock

Possibly linked issues

• #0: The PR upgrades gh-aw actions in agents-md-maintenance workflows, which likely resolves the AGENTS.md Maintenance failure.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.