diff --git a/actions/setup/js/update_project.cjs b/actions/setup/js/update_project.cjs
index 65496f51e3..21939dd7ab 100644
--- a/actions/setup/js/update_project.cjs
+++ b/actions/setup/js/update_project.cjs
@@ -128,7 +128,7 @@ async function updateProject(output) {
     campaignId = output.campaign_id;
   try {
     let repoResult;
-    (core.info(`Looking up project #${projectNumberFromUrl} from URL: ${output.project}`), core.info("[1/5] Fetching repository information..."));
+    (core.info(`Looking up project #${projectNumberFromUrl} from URL: ${output.project}`), core.info("[1/4] Fetching repository information..."));
     try {
       repoResult = await github.graphql(
         "query($owner: String!, $repo: String!) {\n          repository(owner: $owner, name: $repo) {\n            id\n            owner {\n              id\n              __typename\n            }\n          }\n        }",
@@ -147,7 +147,7 @@ async function updateProject(output) {
       core.warning(`Could not resolve token identity (viewer.login): ${viewerError.message}`);
     }
     let projectId;
-    core.info(`[2/5] Resolving project from URL (scope=${projectInfo.scope}, login=${projectInfo.ownerLogin}, number=${projectNumberFromUrl})...`);
+    core.info(`[2/4] Resolving project from URL (scope=${projectInfo.scope}, login=${projectInfo.ownerLogin}, number=${projectNumberFromUrl})...`);
     let resolvedProjectNumber = projectNumberFromUrl;
     try {
       const projectNumberInt = parseInt(projectNumberFromUrl, 10);
@@ -157,16 +157,7 @@ async function updateProject(output) {
     } catch (error) {
       throw (logGraphQLError(error, "Resolving project from URL"), error);
     }
-    core.info("[3/5] Linking project to repository...");
-    try {
-      await github.graphql(
-        "mutation($projectId: ID!, $repositoryId: ID!) {\n          linkProjectV2ToRepository(input: {\n            projectId: $projectId,\n            repositoryId: $repositoryId\n          }) {\n            repository {\n              id\n            }\n          }\n        }",
-        { projectId, repositoryId }
-      );
-    } catch (linkError) {
-      (linkError.message && linkError.message.includes("already linked")) || (logGraphQLError(linkError, "Linking project to repository"), core.warning(`Could not link project: ${linkError.message}`));
-    }
-    (core.info("✓ Project linked to repository"), core.info("[4/5] Processing content (issue/PR/draft) if specified..."));
+    core.info("[3/4] Processing content (issue/PR/draft) if specified...");
     const hasContentNumber = void 0 !== output.content_number && null !== output.content_number,
       hasIssue = void 0 !== output.issue && null !== output.issue,
       hasPullRequest = void 0 !== output.pull_request && null !== output.pull_request,
diff --git a/pkg/cli/templates/github-agentic-workflows.md b/pkg/cli/templates/github-agentic-workflows.md
index f04794f4a9..30ddce78ae 100644
--- a/pkg/cli/templates/github-agentic-workflows.md
+++ b/pkg/cli/templates/github-agentic-workflows.md
@@ -454,6 +454,19 @@ The YAML frontmatter supports these fields:
         if-no-changes: "warn"           # Optional: "warn" (default), "error", or "ignore"
     ```
     Not supported for cross-repository operations.
+  - `update-discussion:` - Update discussion title, body, or labels
+    ```yaml
+    safe-outputs:
+      update-discussion:
+        title: true                     # Optional: enable title updates
+        body: true                      # Optional: enable body updates
+        labels: true                    # Optional: enable label updates
+        allowed-labels: [status, type]  # Optional: restrict to specific labels
+        max: 1                          # Optional: max updates (default: 1)
+        target: "*"                     # Optional: "triggering" (default), "*", or number
+        target-repo: "owner/repo"       # Optional: cross-repository
+    ```
+    When using `safe-outputs.update-discussion`, the main job does **not** need `discussions: write` permission since updates are handled by a separate job with appropriate permissions.
   - `update-release:` - Update GitHub release descriptions
     ```yaml
     safe-outputs:
@@ -463,6 +476,17 @@ The YAML frontmatter supports these fields:
         github-token: ${{ secrets.CUSTOM_TOKEN }}  # Optional: custom token
     ```
     Operation types: `replace`, `append`, `prepend`.
+  - `upload-asset:` - Publish files to orphaned git branch
+    ```yaml
+    safe-outputs:
+      upload-asset:
+        branch: "assets/${{ github.workflow }}"  # Optional: branch name
+        max-size: 10240                 # Optional: max file size in KB (default: 10MB)
+        allowed-exts: [.png, .jpg, .pdf] # Optional: allowed file extensions
+        max: 10                         # Optional: max assets (default: 10)
+        target-repo: "owner/repo"       # Optional: cross-repository
+    ```
+    Publishes workflow artifacts to an orphaned git branch for persistent storage. Default allowed extensions include common non-executable types. Maximum file size is 50MB (51200 KB).
   - `create-code-scanning-alert:` - Generate SARIF security advisories
     ```yaml
     safe-outputs:
@@ -486,6 +510,28 @@ The YAML frontmatter supports these fields:
         target-repo: "owner/repo"       # Optional: cross-repository
     ```
     Requires PAT with elevated permissions as `GH_AW_AGENT_TOKEN`.
+  - `assign-to-user:` - Assign users to issues or pull requests
+    ```yaml
+    safe-outputs:
+      assign-to-user:
+        assignees: [user1, user2]       # Optional: restrict to specific users
+        max: 3                          # Optional: max assignments (default: 3)
+        target: "*"                     # Optional: "triggering" (default), "*", or number
+        target-repo: "owner/repo"       # Optional: cross-repository
+    ```
+    When using `safe-outputs.assign-to-user`, the main job does **not** need `issues: write` or `pull-requests: write` permission since user assignment is handled by a separate job with appropriate permissions.
+  - `hide-comment:` - Hide comments on issues, PRs, or discussions
+    ```yaml
+    safe-outputs:
+      hide-comment:
+        max: 5                          # Optional: max comments to hide (default: 5)
+        allowed-reasons:                 # Optional: restrict hide reasons
+          - spam
+          - outdated
+          - resolved
+        target-repo: "owner/repo"       # Optional: cross-repository
+    ```
+    Allowed reasons: `spam`, `abuse`, `off_topic`, `outdated`, `resolved`. When using `safe-outputs.hide-comment`, the main job does **not** need write permissions since comment hiding is handled by a separate job.
   - `noop:` - Log completion message for transparency (auto-enabled)
     ```yaml
     safe-outputs:
diff --git a/pkg/workflow/compiler_activation_jobs.go b/pkg/workflow/compiler_activation_jobs.go
index e25db2cdba..3c85a01ef2 100644
--- a/pkg/workflow/compiler_activation_jobs.go
+++ b/pkg/workflow/compiler_activation_jobs.go
@@ -498,8 +498,16 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate
 			steps = append(steps, "            const { main } = require('"+SetupActionDestination+"/lock-issue.cjs');\n")
 			steps = append(steps, "            await main();\n")
 		} else {
-			// Add the lock-issue script
-			formattedScript := FormatJavaScriptForYAML(lockIssueScript)
+			// Inline the lock-issue script
+			// Bundle it to remove module.exports and inline dependencies
+			sources := GetJavaScriptSources()
+			bundled, err := BundleJavaScriptWithMode(lockIssueScript, sources, "", RuntimeModeGitHubScript)
+			if err != nil {
+				return nil, fmt.Errorf("failed to bundle lock-issue script: %w", err)
+			}
+			// Add await main() to execute the bundled script
+			bundled = bundled + "\nawait main();"
+			formattedScript := FormatJavaScriptForYAML(bundled)
 			steps = append(steps, formattedScript...)
 		}