fix(ci-coach): fallback to issue when PR touches protected files

[Copilot]

The CI Optimization Coach was hard-blocked when it generated a PR touching .github/workflows/ci.yml, a protected path, with no recovery path.

Changes

• ci-coach.md: Added protected-files: fallback-to-issue to create-pull-request safe-outputs — when the proposed patch touches protected files, the workflow creates a review issue instead of failing outright

safe-outputs:
  create-pull-request:
    expires: 2d
    title-prefix: "[ci-coach] "
    protected-files: fallback-to-issue   # ← added

• ci-coach.lock.yml: Recompiled — protected_files_policy: fallback-to-issue now present in the safe-outputs handler config

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw C7xplU3lnCWr (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Pull request overview

Updates the CI Optimization Coach workflow to gracefully handle cases where the generated patch touches protected paths (e.g., .github/workflows/ci.yml) by falling back to creating a review issue instead of failing.

Changes:

• Added protected-files: fallback-to-issue to the create-pull-request safe-output configuration in ci-coach.md.
• Recompiled the workflow lockfile so the generated safe-outputs handler config includes protected_files_policy: "fallback-to-issue".

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/ci-coach.md	Configures create-pull-request safe-output to fall back to an issue when protected files are touched.
.github/workflows/ci-coach.lock.yml	Regenerates compiled workflow so the runtime handler config reflects the protected-files fallback policy.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.