Merge branch 'main' into settings-env

Author: averikitsch

.github/labels.yaml

@@ -79,4 +79,8 @@
 
 - name: 'status: waiting for response'
   color: 8befd7
-  description: 'Status: reviewer is awaiting feedback or responses from the author before proceeding.'
+  description: 'Status: reviewer is awaiting feedback or responses from the author before proceeding.'
+
+- name: 'release-please:force-run'
+  color: bdca82
+  description: Manually trigger the release please workflow on a PR.

.github/workflows/assign-prs.yml

@@ -15,13 +15,14 @@
 name: PR assignment
 
 on:
-  pull_request:
-    types: [opened, edited, synchronize, reopened]
+  pull_request_target:
+    types: [opened, edited, reopened]
 
 jobs:
   auto-assign:
     runs-on: ubuntu-latest
     permissions:
+      issues: write
       pull-requests: write
     steps:
       - name: "Auto-assign PR"

.github/workflows/header-check.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Check License Header
-        uses: apache/skywalking-eyes/header@5c5b974209f0de5d905f37deb69369068ebfc15c # v0.7.0
+        uses: apache/skywalking-eyes/header@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0

.github/workflows/json-lint.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Run JSON Lint
         run: jq . gemini-extension.json

.github/workflows/markdown-checks.yml

@@ -24,10 +24,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1
+        uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2.7.0
         with:
           # There is no security token. So, it would fail on any links which aren't public.
           args: "--verbose --no-progress **/*.md"

.github/workflows/mirror-changelog.yml

@@ -82,9 +82,26 @@ jobs:
               // Match and extract changelog item
               const itemMatch = trimmedLine.match(/^[*-]\s(.*)$/);
               if (itemMatch) {
-                const originalContent = itemMatch[1]; 
+                let originalContent = itemMatch[1]; 
+
+                // This is a two-step process to prevent `release-please` from
+                // creating mangled, doubly-nested links for PRs.
+
+                // STEP 1: CLEAN THE INPUT.
+                // The source changelog contains a zero-width space as an HTML entity (`​`).
+                // This breaks the regex in the next step, so we must remove it first.
+                // E.g., "[#​1770](...)" becomes "[#1770](...)"
+                originalContent = originalContent.replace(/​/g, '');
+
+                // STEP 2: PROTECT THE OUTPUT.
+                // `release-please` aggressively tries to auto-link any text that looks like `#1234`.
+                // To prevent this, we insert an invisible Unicode zero-width space (`\u200B`)
+                // between the '#' and the number in the link text. This breaks the parser's
+                // pattern matching without changing the visual appearance of the link.
+                // E.g., "[#1770](...)" becomes "[genai-toolbox#​1770](...)"
+                originalContent = originalContent.replace(/\[#(\d+)\](\([^)]+\))/g, '[genai-toolbox#\u200B$1]$2');
+                
                 const lineAsLowerCase = originalContent.toLowerCase();
-
                 const hasPrefix = prefixesToFilter.some(prefix => lineAsLowerCase.includes(prefix));
                 
                 // Check if the line includes ANY of the required keywords

.github/workflows/package-and-upload-assets.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
       - name: Checkout code at the new tag
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.event.release.tag_name }}
 
@@ -103,7 +103,7 @@ jobs:
           echo "ARCHIVE_PATH=${ARCHIVE_NAME}" >> $GITHUB_OUTPUT
 
       - name: Upload archive as workflow artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
         with:
           name: ${{ steps.vars.outputs.archive_name }}
           path: ${{ steps.create_archive.outputs.ARCHIVE_PATH }}
@@ -117,10 +117,10 @@ jobs:
       contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Download all archives from workflow artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
         with:
           path: release-archives
 

.github/workflows/presubmit-tests.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Install Gemini CLI
         run: npm install @google/gemini-cli

.github/workflows/sync-labels.yaml

@@ -29,7 +29,7 @@ jobs:
       issues: 'write'
       pull-requests: 'write'
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.licenserc.yaml

@@ -16,6 +16,7 @@ header:
   license:
     spdx-id: "Apache-2.0"
     copyright-owner: "Google LLC"
+    copyright-year: "2025"
   paths:
     - "**/*.yaml"
     - "**/*.yml"