chore(deps-dev): bump js-yaml from 5.0.0 to 5.1.0, fix agentic workflow tests, and add cost-focus guardrails

[dependabot]

Bumps the development-dependencies group with 1 update: js-yaml.

Updates js-yaml from 5.0.0 to 5.1.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Additional Changes

In response to review feedback, this PR also fixes the failing CI checks and completes cost-control settings across the agentic news workflows. The js-yaml bump itself was benign.

Failing checks fixed

• Both failing jobs (Unit Tests / Vitest and Node.js Nightly Compat) broke on 3 stale test files asserting the bare-local ./.github/actions/news-prewarm action-ref form, while all 14 news-*.md workflows use the SHA-pinned remote form that gh-aw v0.80.9 requires.
• Updated assertions in news-workflows-imf-secret, news-resolve-inputs, and network-diagnostics to accept both the local and SHA-pinned action-ref forms. Full suite green (7571 passed, 0 failed).

Cost-focus settings (all 14 news workflows)

• Added root-level max-turns: ${{ vars.NEWS_MAX_TURNS || 300 }} — a runaway-loop turn cap tunable repo-wide from a single variable (previously uncapped).
• Added per-tier max-ai-credits: opus analysis/forecast/review workflows 3000, sonnet news-translate 2500, codex news-realtime-monitor 1500 (gh-aw requires a numeric literal for this field).
• Recompiled all 14 .lock.yml files via gh aw compile (0 errors); cost fields verified in the agent-job environment.

Modularisation

• max-turns is single-sourced via the NEWS_MAX_TURNS repo variable; the shared news-prewarm/news-resolve-inputs composite actions and imported prompts/*.md modules remain the structural sharing mechanism (gh-aw imports: merges prompt body only, not frontmatter, so cost fields live per-workflow).

Testing

• ✅ Workflow test suites pass (375 tests)
• ✅ Full Vitest suite passes (7571 passed, 0 failed)
• ✅ Secret scan clean; CodeQL clean (0 actions alerts)
• ✅ All 14 workflows recompile with 0 errors

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

🏷️ Automatic Labeling Summary

This PR has been automatically labeled based on the files changed and PR metadata.

Applied Labels: dependencies,size-s,npm

Label Categories

• 🗳️ Content: news, dashboard, visualization, intelligence
• 💻 Technology: html-css, javascript, workflow, security
• 📊 Data: cia-data, riksdag-data, data-pipeline, schema
• 🌍 I18n: i18n, translation, rtl
• 🔒 ISMS: isms, iso-27001, nist-csf, cis-controls
• 🏗️ Infrastructure: ci-cd, deployment, performance, monitoring
• 🔄 Quality: testing, accessibility, documentation, refactor
• 🤖 AI: agent, skill, agentic-workflow

For more information, see .github/labeler.yml.

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[pethers]

@copilot fix all broken test, fix agentic workflows

failing checks
TypeScript & JavaScript Testing / Node.js Nightly Compat (pull_request)
TypeScript & JavaScript Testing / Node.js Nightly Compat (pull_request)Failing after 5m
TypeScript & JavaScript Testing / Unit Tests (Vitest) (pull_request)
TypeScript & JavaScript Testing / Unit Tests (Vitest) (pull_request)Failing after 5m

use gh-aw skills and add AI credits, max turns and and all other missing specs complete all agentic workflows cost focus settings that are missing and improve moduliisation https://github.com/github/gh-aw/blob/main/docs/src/pages/llms-full.txt.ts

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[Copilot]

@copilot fix all broken test, fix agentic workflows

failing checks
...

Done in 8aa1c3f (cost settings) and 6bab7a2 (test fixes).

Failing checks — the js-yaml bump was benign; both jobs failed on 3 stale tests asserting the bare-local ./.github/actions/news-prewarm form while all 14 news-*.md use the SHA-pinned remote form (gh-aw v0.80.9 rejects bare-local refs at compile). Updated the assertions in news-workflows-imf-secret, news-resolve-inputs, and network-diagnostics to accept both forms. Full suite now green (7571 passed, 0 failed).

Cost-focus settings — added root-level guardrails to all 14 news workflows and recompiled every .lock.yml:

• max-turns: ${{ vars.NEWS_MAX_TURNS || 300 }} — runaway-loop cap, tunable repo-wide from one variable (previously uncapped).
• max-ai-credits per AI-credit tier: opus analysis/forecast/review 3000, sonnet news-translate 2500, codex news-realtime-monitor 1500 (gh-aw rejects expressions for this field, so literals are required).

Modularisation — max-turns is now single-sourced via the NEWS_MAX_TURNS repo variable; the shared news-prewarm/news-resolve-inputs composite actions and the imported prompts/*.md modules remain the structural sharing mechanism (gh-aw imports: merges prompt body only, not frontmatter, so cost fields must live per-workflow). Recompile is via the existing workflow_dispatch compile job — running it in-repo will normalise the composite-action pin SHAs against the live action commit.

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.