elastic · strawgate · Apr 1, 2026 · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
@@ -30,6 +30,11 @@
       "version": "v5",
       "sha": "e58605a9b6da7c637471fab8847a5e5a6b8df081"
     },
+    "github/gh-aw/actions/setup-cli@v0.65.1": {
+      "repo": "github/gh-aw/actions/setup-cli",
+      "version": "v0.65.1",
+      "sha": "bca8c30ea611a15fbbb4ac488c377c913c8f7e79"
+    },
     "github/gh-aw/actions/setup@v0.43.23": {
       "repo": "github/gh-aw/actions/setup",
       "version": "v0.43.23",
@@ -159,6 +164,11 @@
       "repo": "github/gh-aw/actions/setup",
       "version": "v0.62.4",
       "sha": "a898ed7b8f8238a30d9c9f560813547e695cfb0a"
+    },
+    "github/gh-aw/actions/setup@v0.65.1": {
+      "repo": "github/gh-aw/actions/setup",
+      "version": "v0.65.1",
+      "sha": "bca8c30ea611a15fbbb4ac488c377c913c8f7e79"
     }
   }
 }
diff --git a/.github/workflows/agent-deep-dive.lock.yml b/.github/workflows/agent-deep-dive.lock.yml
diff --git a/.github/workflows/agent-efficiency.lock.yml b/.github/workflows/agent-efficiency.lock.yml
diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml
@@ -48,6 +48,12 @@ on:
           - 'enable'
           - 'update'
           - 'upgrade'
+          - 'safe_outputs'
+      run_url:
+        description: 'Run URL or run ID to replay safe outputs from (e.g. https://github.com/owner/repo/actions/runs/12345 or 12345). Required when operation is safe_outputs.'
+        required: false
+        type: string
+        default: ''
 
 permissions: {}
 
@@ -61,7 +67,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4
+        uses: github/gh-aw/actions/setup@bca8c30ea611a15fbbb4ac488c377c913c8f7e79 # v0.65.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -93,7 +99,7 @@ jobs:
             await main();
 
   run_operation:
-    if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation != '' && !github.event.repository.fork }}
+    if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation != '' && github.event.inputs.operation != 'safe_outputs' && !github.event.repository.fork }}
     runs-on: ubuntu-slim
     permissions:
       actions: write
@@ -106,7 +112,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4
+        uses: github/gh-aw/actions/setup@bca8c30ea611a15fbbb4ac488c377c913c8f7e79 # v0.65.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -121,9 +127,9 @@ jobs:
             await main();
 
       - name: Install gh-aw
-        uses: github/gh-aw/actions/setup-cli@v0.62.4
+        uses: github/gh-aw/actions/setup-cli@bca8c30ea611a15fbbb4ac488c377c913c8f7e79 # v0.65.1
         with:
-          version: v0.62.4
+          version: v0.65.1
 
       - name: Run operation
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -138,3 +144,48 @@ jobs:
             setupGlobals(core, github, context, exec, io);
             const { main } = require('${{ runner.temp }}/gh-aw/actions/run_operation_update_upgrade.cjs');
             await main();
+
+  apply_safe_outputs:
+    if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && !github.event.repository.fork }}
+    runs-on: ubuntu-slim
+    permissions:
+      actions: read
+      contents: write
+      discussions: write
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          sparse-checkout: |
+            actions
+          persist-credentials: false
+
+      - name: Setup Scripts
+        uses: github/gh-aw/actions/setup@bca8c30ea611a15fbbb4ac488c377c913c8f7e79 # v0.65.1
+        with:
+          destination: ${{ runner.temp }}/gh-aw/actions
+
+      - name: Check admin/maintainer permissions
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs');
+            await main();
+
+      - name: Apply Safe Outputs
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_AW_RUN_URL: ${{ github.event.inputs.run_url }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/apply_safe_outputs_replay.cjs');
+            await main();