fix(workflows): recompile aw-dependabot-pr-review lock file

[bindsi]

The AW Dependabot PR Review agentic workflow has been failing every Dependabot PR with a Lock File Out of Sync error since the Python 3.11 → 3.12 migration in #541. The compiled aw-dependabot-pr-review.lock.yml still hashed to the pre-3.12 frontmatter, so gh-aw refused to dispatch the agent against a stale configuration. This PR recompiles the lock file so the workflow's hash matches its source markdown again.

Description

Ran gh aw compile aw-dependabot-pr-review against the unchanged .github/workflows/aw-dependabot-pr-review.md source. The regenerated aw-dependabot-pr-review.lock.yml updates the frontmatter_hash from b241aa43... to 68ef551c..., flips the embedded python-version from '3.11' to '3.12' to match the imported .github/agents/dependabot-pr-reviewer.agent.md, and refreshes the per-compile heredoc and config sentinel tokens. Net diff is 12 insertions / 12 deletions in a single generated file. No source markdown, agent file, or workflow logic changed.

Closes #570.

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

Testing Performed

• Terraform plan reviewed (no unexpected changes)
• Terraform apply tested in dev environment
• Training scripts tested locally with Isaac Sim
• OSMO workflow submitted successfully
• Smoke tests passed (smoke_test_azure.py)

Validation specific to this PR:

• gh aw compile aw-dependabot-pr-review — clean compile, 0 errors / 0 warnings
• Re-running gh aw compile produces no further diff (idempotent)
• End-to-end verification deferred to the next Dependabot PR; the Check workflow lock file step on that run is the authoritative signal that [aw] AW Dependabot PR Review failed #570 is resolved

Documentation Impact

• No documentation changes needed
• Documentation updated in this PR
• Documentation issue filed

Bug Fix Checklist

• Linked to issue being fixed
• Regression test included, OR
• Justification for no regression test:

aw-dependabot-pr-review.lock.yml is fully generated by gh aw compile. The compiler itself owns hash correctness; a hand-written regression test would either reimplement the gh-aw hash algorithm or pin the current hash literal, both of which would break on every legitimate compiler upgrade. The right preventive control is a CI step that runs gh aw compile and fails on a dirty working tree, which is tracked separately from this hotfix.

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

Related Issues

Closes #570

Follow-up Tasks

• Add a CI guard that runs gh aw compile and fails when .github/workflows/aw-.lock.yml* files drift from their .md sources, so the next Python version bump (or any agent-file edit) cannot silently re-break Dependabot PR review.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 395c172.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.56%. Comparing base (8c3686a) to head (395c172).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #576      +/-   ##
==========================================
+ Coverage   63.91%   66.56%   +2.65%     
==========================================
  Files         250      262      +12     
  Lines       15409    16639    +1230     
  Branches     2122     2260     +138     
==========================================
+ Hits         9848    11076    +1228     
  Misses       5274     5274              
- Partials      287      289       +2     

Flag	Coverage Δ		*Carryforward flag
pester	83.13% <ø> (ø)		Carriedforward from 8c3686a
pytest-data-pipeline	100.00% <ø> (ø)		Carriedforward from 8c3686a
pytest-dataviewer	65.12% <ø> (ø)		Carriedforward from 8c3686a
pytest-dm-tools	100.00% <ø> (ø)		Carriedforward from 8c3686a
pytest-evaluation	99.83% <ø> (?)
pytest-fuzz	4.97% <ø> (ø)		Carriedforward from 8c3686a
pytest-inference	0.00% <ø> (ø)		Carriedforward from 8c3686a
pytest-training	82.14% <ø> (ø)		Carriedforward from 8c3686a
vitest	51.08% <ø> (ø)		Carriedforward from 8c3686a

*This pull request uses carry forward flags. Click here to find out more.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[katriendg]

Thanks for catching and fixing @bindsi 🙏