Make build-wasm a dependency of agent-finish

[Copilot]

Adds build-wasm as a dependency of the agent-finish Makefile target so that WASM compilation is validated as part of the agent's standard finish sequence.

---

---

✨ PR Review Safe Output Test - Run 23437824502

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Good change: adding build-wasm as a dependency of agent-finish ensures WASM compilation is validated as part of the standard finish sequence. This prevents the silent gap where golden files could drift out of sync.

[github-actions]

The microsoft/apm-action SHA update from v1.3.4 → v1.4.0 looks correct. The pin is properly updated to the new commit SHA for security pinning.

[Copilot]

Pull request overview

Adds WASM compilation to the standard agent finish sequence and refreshes related GitHub Actions pins/locks.

Changes:

• Make build-wasm a dependency of the agent-finish Makefile target.
• Update microsoft/apm-action pin to v1.4.0 in the workflow lock and action pins data.
• Adjust action pin lockfiles (action_pins.json / actions-lock.json) as part of the pins refresh.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
Makefile	Runs build-wasm as part of agent-finish to validate WASM build during the finish sequence.
pkg/workflow/data/action_pins.json	Updates action pins (including microsoft/apm-action), but currently diverges from the source lockfile.
.github/workflows/smoke-claude.lock.yml	Updates pinned SHA for microsoft/apm-action to match v1.4.0.
.github/aw/actions-lock.json	Adds/updates action pin entries used as the source for syncing action_pins.json.

Comments suppressed due to low confidence (1)

pkg/workflow/data/action_pins.json:155

• pkg/workflow/data/action_pins.json is meant to stay in sync with .github/aw/actions-lock.json (see Makefile target sync-action-pins, which copies the latter over the former). This PR adds github/gh-aw-actions/setup@v0 to .github/aw/actions-lock.json, but removes it from action_pins.json, so running make build will re-copy the lock file and reintroduce the entry, leaving a dirty working tree. Update action_pins.json to match the lock file (or regenerate it via the sync target) so the committed files stay identical.

    "github/codeql-action/upload-sarif@v4.34.1": {
      "repo": "github/codeql-action/upload-sarif",
      "version": "v4.34.1",
      "sha": "cb06a0a8527b2c6970741b3a0baa15231dc74a4c"
    },
    "github/gh-aw-actions/setup@v0.62.5": {
      "repo": "github/gh-aw-actions/setup",
      "version": "v0.62.5",
      "sha": "dc50be57c94373431b49d3d0927f318ac2bb5c4c"
    },

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Adding build-wasm to agent-finish causes make agent-finish to create gh-aw.wasm in the repo root (build-wasm target outputs -o gh-aw.wasm). Unlike the main gh-aw binary, gh-aw.wasm is not currently ignored in .gitignore, so automation that runs agent-finish (e.g., formatting/commit flows) may end up with an unexpected untracked file or accidentally commit it. Consider either writing the wasm artifact to an ignored output directory (e.g., dist/ or tmp/) or adding /gh-aw.wasm to .gitignore.

Suggested change

	agent-finish: deps-dev fmt lint build build-wasm test-all fix recompile dependabot generate-schema-docs generate-agent-factory security-scan
	agent-finish: deps-dev fmt lint build test-all fix recompile dependabot generate-schema-docs generate-agent-factory security-scan