fix: update actions toolkit to resolve undici CVEs

[dannyneira]

Summary

• Updated the Actions toolkit dependencies so all @actions/http-client consumers resolve to the patched undici@6.26.0 line.
• Removed unused @actions/github, which was also pulling vulnerable undici@5.x into the runtime bundle.
• Rebuilt dist/index.js and dist/index.js.map with the updated dependency graph.

Dependabot alerts resolved

• https://github.com/warpdotdev/oz-agent-action/security/dependabot/1 — CVE-2026-22036 / GHSA-g9mf-h72j-4rw9
• https://github.com/warpdotdev/oz-agent-action/security/dependabot/12 — CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm
• https://github.com/warpdotdev/oz-agent-action/security/dependabot/13 — CVE-2026-1527 / GHSA-4992-7rv2-5pvq
• https://github.com/warpdotdev/oz-agent-action/security/dependabot/14 — CVE-2026-2229 / GHSA-v9p9-hfj2-hcw8
• https://github.com/warpdotdev/oz-agent-action/security/dependabot/15 — CVE-2026-1526 / GHSA-vrm6-8vpv-qv8q

Dependency details

• undici is a transitive runtime dependency in package-lock.json.
• The lockfile now contains only node_modules/@actions/http-client/node_modules/undici@6.26.0, satisfying the patched >=6.24.0 target for this alert batch.
• No resolutions/overrides workaround was needed.

Verification

• npm audit --json filtered for undici and the selected CVEs returns [].
• npm run build
• npm run lint
• npm test

Conversation: https://staging.warp.dev/conversation/77b0d27d-e6df-41c2-9142-8ec405621b43
Run: https://oz.staging.warp.dev/runs/019e799d-2d61-71d3-861b-d5d1be56704e
This PR was generated with Oz.