LockedThread · LockedThread · Jun 19, 2026 · Jan 28, 2026 · Jan 28, 2026 · Feb 7, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -42,11 +42,11 @@ updates:
       interval: "weekly"
     open-pull-requests-limit: 5
     groups:
-      github-actions:
+      github_actions:
         patterns:
           - "*"
     commit-message:
       prefix: "ci"
     labels:
       - "dependencies"
-      - "github-actions"
+      - "github_actions"
diff --git a/.github/workflows/automatic-release.yaml b/.github/workflows/automatic-release.yaml
@@ -27,7 +27,7 @@ jobs:
     outputs:
       labels: ${{ steps.match-label.outputs.match }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - id: match-label
         shell: bash
         run: |

diff --git a/.github/workflows/build-and-validate.yaml b/.github/workflows/build-and-validate.yaml
@@ -89,7 +89,7 @@ jobs:
       packages: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4

diff --git a/.github/workflows/build-full-matrix.yaml b/.github/workflows/build-full-matrix.yaml
@@ -86,7 +86,7 @@ jobs:
           - 5000:5000
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4

diff --git a/.github/workflows/build-python-base.yaml b/.github/workflows/build-python-base.yaml
@@ -74,7 +74,7 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4

diff --git a/.github/workflows/pr-labels.yaml b/.github/workflows/pr-labels.yaml
@@ -14,8 +14,10 @@ jobs:
   contains-labels:
     if: ${{!startsWith(github.head_ref, 'release/')}}
     runs-on: ubuntu-latest
+    # The action approves the PR (creates a review) when labels are valid,
+    # which requires write access, not just read.
     permissions:
-      pull-requests: read
+      pull-requests: write
     steps:
       - uses: jesusvasquez333/verify-pr-label-action@v1.4.0
         with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -35,7 +35,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: marvinpinto/action-automatic-releases@latest
         with:
@@ -53,7 +53,7 @@ jobs:
     outputs:
       main_pr: ${{ steps.create_main_pr.outputs.pull_request_number }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Create release branch
         run: git checkout -b release/${{ inputs.version }}
@@ -116,7 +116,7 @@ jobs:
       packages: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Install grype
         run: |

diff --git a/Dockerfile b/Dockerfile
@@ -17,7 +17,7 @@ ARG PYTHON_RUNTIME_TRIXIE_IMAGE=python-runtime:py3.14-glibc-trixie
 ARG PYTHON_RUNTIME_SLIM_IMAGE=python-runtime:py3.14-glibc-trixie-slim
 ARG PYTHON_RUNTIME_ALPINE_IMAGE=python-runtime:py3.14-musl-alpine
 
-FROM alpine/git:2.52.0@sha256:4a0e72d49596a1f5d3701aeedafdadc5c0da4062be4657c7bdc4017387f591cc AS gtsam-source
+FROM alpine/git:v2.54.0@sha256:113d99116e236f93f0b1f53cd46dbda662cf1136d20dc9ae2834962226654d9f AS gtsam-source
 ARG GTSAM_VERSION
 WORKDIR /usr/src
 RUN git clone --quiet --depth 1 --branch "${GTSAM_VERSION}" https://github.com/borglab/gtsam.git