fix: don't exclude COPILOT_GITHUB_TOKEN from AWF container when copilot-requests feature is enabled#25399

Closed
Copilot wants to merge 5 commits into main from copilot/aw-fix-draft-pr-cleanup

Contributor

Copilot AI commented Apr 8, 2026

Copilot CLI v1.0.20+ validates COPILOT_GITHUB_TOKEN at startup before making any API calls. With features: copilot-requests: true, this token is ${{ github.token }} — not a secret — but was unconditionally added to AWF's --exclude-env list, causing the binary to silently exit with code 1 (~1.75s after spawn, no output).

Changes

  • copilot_engine_execution.go: Move useCopilotRequests computation before the BuildAWFCommand call. Only include COPILOT_GITHUB_TOKEN in coreExcludeVarNames when the token is a PAT (${{ secrets.COPILOT_GITHUB_TOKEN }}); omit it when the copilot-requests feature is active.

  • gh_cli_mount_test.go: Add test asserting COPILOT_GITHUB_TOKEN is not excluded when features: copilot-requests: true; update existing test comment to reflect the conditional nature.

  • Lock files: Recompiled all 187 workflows. Workflows with copilot-requests: true (e.g. draft-pr-cleanup) now drop --exclude-env COPILOT_GITHUB_TOKEN from the AWF command. Workflows using a PAT are unchanged.

Security rationale

${{ github.token }} in copilot-requests mode carries only the scoped permissions declared in the workflow (e.g. contents: read, pull-requests: read, copilot-requests: write) — equivalent to what the agent already accesses via GitHub MCP tools. Long-lived PATs remain excluded as before.

# Before (all copilot workflows)
--exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN ...

# After (copilot-requests: true workflows)
--exclude-env GITHUB_MCP_SERVER_TOKEN ...   # COPILOT_GITHUB_TOKEN passed through

# After (PAT-based workflows — unchanged)
--exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN ...

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 8, 2026 that may be closed by this pull request
…lot-requests feature is enabled

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e946095b-32e5-4e3e-ba39-c52a57efb6cd

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix draft PR cleanup engine failure fix: don't exclude COPILOT_GITHUB_TOKEN from AWF container when copilot-requests feature is enabled Apr 8, 2026
Copilot AI requested a review from pelikhan April 8, 2026 23:03
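
The exclusion rule from the PR description above, as an added Go example that is not code from this PR or the gh-aw repository. The function names and the sample command fragments are constructed for illustration; only the two variable names and the `--exclude-env` flag come from the page. It goes one step beyond the description by failing closed: the token is passed through only when the feature is on and the value is literally `${{ github.token }}`, and `auditCommand` checks a compiled command line against that rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	copilotTokenVar = "COPILOT_GITHUB_TOKEN"
	mcpTokenVar     = "GITHUB_MCP_SERVER_TOKEN"
)

// Matches exactly the workflow-scoped token expression, tolerating inner spaces.
var workflowTokenExpr = regexp.MustCompile(`^\$\{\{\s*github\.token\s*\}\}$`)

// passThroughCopilotToken (hypothetical helper) is true only when the
// copilot-requests feature is on AND the value is the job-scoped github.token.
// Anything else, including a secrets.* expression, is treated as long-lived.
func passThroughCopilotToken(copilotRequests bool, tokenExpr string) bool {
	return copilotRequests && workflowTokenExpr.MatchString(strings.TrimSpace(tokenExpr))
}

// excludeEnvArgs builds the --exclude-env flags for the sandbox command.
func excludeEnvArgs(copilotRequests bool, tokenExpr string) []string {
	names := []string{}
	if !passThroughCopilotToken(copilotRequests, tokenExpr) {
		names = append(names, copilotTokenVar)
	}
	names = append(names, mcpTokenVar)
	args := make([]string, 0, 2*len(names))
	for _, n := range names {
		args = append(args, "--exclude-env", n)
	}
	return args
}

// excludedVars collects every NAME that follows an --exclude-env flag.
func excludedVars(cmdline string) map[string]bool {
	out := map[string]bool{}
	f := strings.Fields(cmdline)
	for i := 0; i+1 < len(f); i++ {
		if f[i] == "--exclude-env" {
			out[f[i+1]] = true
			i++
		}
	}
	return out
}

// auditCommand flags both failure modes: a needed token that is stripped
// (CLI exits at startup) and a long-lived token that reaches the container.
func auditCommand(cmdline string, copilotRequests bool, tokenExpr string) error {
	excluded := excludedVars(cmdline)[copilotTokenVar]
	pass := passThroughCopilotToken(copilotRequests, tokenExpr)
	switch {
	case pass && excluded:
		return fmt.Errorf("%s is excluded but the CLI validates it at startup", copilotTokenVar)
	case !pass && !excluded:
		return fmt.Errorf("%s is not excluded although it may hold a long-lived secret", copilotTokenVar)
	}
	return nil
}

func main() {
	// Constructed inputs: (feature flag, token expression, compiled flags).
	cases := []struct {
		feature bool
		expr    string
		cmdline string
	}{
		{true, "${{ github.token }}", "--exclude-env GITHUB_MCP_SERVER_TOKEN"},
		{true, "${{ github.token }}", "--exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN"},
		{false, "${{ secrets.COPILOT_GITHUB_TOKEN }}", "--exclude-env GITHUB_MCP_SERVER_TOKEN"},
	}
	for _, c := range cases {
		fmt.Println(strings.Join(excludeEnvArgs(c.feature, c.expr), " "))
		fmt.Println("  audit:", auditCommand(c.cmdline, c.feature, c.expr))
	}
}
```
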
@github-actions github-actions bot mentioned this pull request Apr 9, 2026
@github-actions github-actions bot added the lgtm label Apr 9, 2026
@pelikhan pelikhan added the smoke label Apr 9, 2026
@pelikhan pelikhan marked this pull request as ready for review April 9, 2026 02:48
Copilot AI review requested due to automatic review settings April 9, 2026 02:48
Collaborator

pelikhan commented Apr 9, 2026

@copilot Merge main and recompile

Contributor

Copilot AI left a comment

Pull request overview

Fixes Copilot CLI startup failures in AWF-sandboxed workflows when features: copilot-requests: true by ensuring COPILOT_GITHUB_TOKEN (set to ${{ github.token }} in that mode) is not excluded from the container environment.

Changes:

  • Compute useCopilotRequests before building the AWF command and conditionally omit COPILOT_GITHUB_TOKEN from --exclude-env when using ${{ github.token }}.
  • Add/adjust unit tests to assert COPILOT_GITHUB_TOKEN exclusion behavior differs between PAT vs copilot-requests mode.
  • Regenerate compiled workflow lock files so AWF command lines reflect the conditional exclusion.
Show a summary per file

| File | Description |
| --- | --- |
| pkg/workflow/copilot_engine_execution.go | Conditionally excludes COPILOT_GITHUB_TOKEN from AWF only when it represents a PAT secret. |
| pkg/workflow/gh_cli_mount_test.go | Adds coverage asserting COPILOT_GITHUB_TOKEN is not excluded with copilot-requests enabled. |
| .github/workflows/test-quality-sentinel.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/refactoring-cadence.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/firewall-escape.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/draft-pr-cleanup.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/docs-noob-tester.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/discussion-task-miner.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/dictation-prompt.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/dev.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/dev-hawk.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/delight.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/dead-code-remover.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-workflow-updater.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-testify-uber-super-expert.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-syntax-error-quality.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-secrets-analysis.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-safe-output-integrator.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-repo-chronicle.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-news.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-file-diet.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-compiler-quality.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-cli-performance.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/daily-architecture-diagram.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/craft.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/copilot-token-optimizer.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/copilot-token-audit.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/copilot-cli-deep-research.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/code-scanning-fixer.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/cli-consistency-checker.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
| .github/workflows/ci-coach.lock.yml | Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows. |
.github/workflows/breaking-change-checker.lock.yml Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows.
.github/workflows/brave.lock.yml Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows.
.github/workflows/auto-triage-issues.lock.yml Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows.
.github/workflows/artifacts-summary.lock.yml Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows.
.github/workflows/architecture-guardian.lock.yml Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows.
.github/workflows/archie.lock.yml Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows.
.github/workflows/agent-performance-analyzer.lock.yml Regenerated AWF invocation to drop --exclude-env COPILOT_GITHUB_TOKEN for copilot-requests workflows.

Copilot's findings

  • Files reviewed: 46/46 changed files
  • Comments generated: 0

Contributor Author

Copilot AI commented Apr 9, 2026

@copilot Merge main and recompile

Done in 7558a94. Merged main (firewall v0.25.17, cli-proxy additions) and recompiled all 187 workflows. The fix is intact — draft-pr-cleanup and other copilot-requests: true workflows no longer have --exclude-env COPILOT_GITHUB_TOKEN in the AWF command.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build581883919/b063/embedcfg -pack (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw Q4CkKQS/nGzaKNklrev-parse (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Collaborator

pelikhan commented Apr 9, 2026

@copilot merge main and recompile

Contributor Author

Copilot AI commented Apr 9, 2026

@copilot merge main and recompile

Done in 8b258a2. Merged main (safe-outputs fix, playwright MCP logs chmod, report header normalization) and recompiled all 187 workflows. Fix still intact.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw .github/workflows/copilot-token-audit.lock.yml .github/workflows/copilot-token-optimizer.lock.yml .github/workflows/craft.lock.yml (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build501718641/b063/embedcfg -pack (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility ml (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan added smoke and removed smoke labels Apr 9, 2026
@pelikhan
Collaborator

pelikhan commented Apr 9, 2026

@copilot merge main and recompile

Contributor Author

Copilot AI commented Apr 9, 2026

@copilot merge main and recompile

Done in e70f84f. Merged main (docs unbloat, failing test fix for quoted paths) and recompiled all 187 workflows. Fix still intact.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw .github/workflows/copilot-token-audit.lock.yml .github/workflows/copilot-token-optimizer.lock.yml .github/workflows/craft.lock.yml (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ,short (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility ml (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Collaborator

pelikhan commented Apr 9, 2026

@copilot merge main, fix conflicts, recompile

Contributor Author

Copilot AI commented Apr 9, 2026

@copilot merge main, fix conflicts, recompile

Branch was already up to date with main (e70f84f had already merged the latest commits). Recompile confirmed all 187 workflows are clean and the fix is intact.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw .yml yml ml k.ym�� (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@github-actions
Contributor

github-actions bot commented Apr 9, 2026

Hey @Copilot 👋 — thanks for tackling the COPILOT_GITHUB_TOKEN exclusion bug! The security rationale and before/after YAML in the description are really clear and helpful. A few things worth addressing before this lands:

  • PR scope exceeds the stated description — the body describes three changes (fix in copilot_engine_execution.go, test in gh_cli_mount_test.go, and recompiled lock files), but the diff includes significant unreferenced work:

    • pkg/workflow/compiler_difc_proxy.go — 98 new lines implementing what looks like a difc-proxy feature
    • pkg/workflow/awf_helpers.go — 43-line change with no description
    • pkg/workflow/safe_outputs_import_test.go — 305 new lines of tests, also undocumented
    • pkg/workflow/imports.go, compiler_orchestrator_workflow.go, compiler_yaml_main_job.go, etc.
    • The .changeset/minor-add-cli-proxy-feature-flag.md rename/edit further implies a second feature is riding along

    These changes deserve their own PR or at minimum a full description in the body of what they do and why they're bundled here.

  • Lock file noise — 187 recompiled .lock.yml files bumping GH_AW_INFO_AWF_VERSION from v0.25.16 → v0.25.17 make the diff very wide and obscure the actual logic changes. Consider whether the version bump can be a follow-up or a clearly labelled second commit.

If you'd like a hand, you can assign this prompt to your coding agent:

Review PR #25399 in github/gh-aw. The PR title and body describe only the COPILOT_GITHUB_TOKEN
exclusion fix, but the diff also includes:
  - pkg/workflow/compiler_difc_proxy.go (98 new lines — appears to be a new difc-proxy feature)
  - pkg/workflow/awf_helpers.go (significant changes)
  - pkg/workflow/safe_outputs_import_test.go (305 new lines)
  - pkg/workflow/imports.go, compiler_orchestrator_workflow.go, compiler_yaml_main_job.go
  - .changeset/minor-add-cli-proxy-feature-flag.md (rename/edit)

Please do one of the following:
1. Split the PR: extract the difc-proxy / safe_outputs changes into a separate PR that has
   its own title, description, and changeset entry.
   OR
2. If all changes are intentionally coupled, update the PR body (## Changes section) to document
   every modified file with a bullet point explaining what changed and why.

In either case, ensure the PR body accurately reflects the full scope of the diff so reviewers
can assess the changes confidently.

Generated by Contribution Check · ● 2.2M ·
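
The property the recompile replies in this thread assert (copilot-requests workflows drop the exclusion, PAT workflows keep it) can be checked mechanically across compiled workflows. The Go code below is an added example, not code from gh-aw: `auditLock`, the regexes and the sample strings are constructed here, and the assumed shapes of the env line and the `--exclude-env` flag follow the PR description only.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed line shapes (not taken from gh-aw sources): the compiled workflow
// sets the variable in an env mapping and lists exclusions on the AWF command.
var (
	patRe  = regexp.MustCompile(`COPILOT_GITHUB_TOKEN:\s*\$\{\{\s*secrets\.COPILOT_GITHUB_TOKEN\s*\}\}`)
	ghRe   = regexp.MustCompile(`COPILOT_GITHUB_TOKEN:\s*\$\{\{\s*github\.token\s*\}\}`)
	exclRe = regexp.MustCompile(`--exclude-env\s+COPILOT_GITHUB_TOKEN\b`)
)

// auditLock returns "" when the exclusion matches the token source,
// otherwise a description of the mismatch.
func auditLock(text string) string {
	pat, gh, excluded := patRe.MatchString(text), ghRe.MatchString(text), exclRe.MatchString(text)
	switch {
	case pat && !excluded:
		return "PAT is passed into the agent container"
	case gh && !pat && excluded:
		return "github.token is excluded, so the CLI startup check fails"
	}
	return ""
}

// Constructed samples, not real lock files.
var samples = []struct{ name, text string }{
	{"requests-ok", "COPILOT_GITHUB_TOKEN: ${{ github.token }}\nawf --exclude-env GITHUB_MCP_SERVER_TOKEN"},
	{"requests-stale", "COPILOT_GITHUB_TOKEN: ${{ github.token }}\nawf --exclude-env COPILOT_GITHUB_TOKEN"},
	{"pat-ok", "COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}\nawf --exclude-env COPILOT_GITHUB_TOKEN"},
	{"pat-leak", "COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}\nawf --exclude-env GITHUB_MCP_SERVER_TOKEN"},
}

func main() {
	for _, s := range samples {
		if msg := auditLock(s.text); msg != "" {
			fmt.Printf("%s: %s\n", s.name, msg)
		}
	}
}
```

The `\b` in `exclRe` keeps a lookalike name such as `COPILOT_GITHUB_TOKEN_OLD` from counting as an exclusion of the real variable.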

Development

Successfully merging this pull request may close these issues.

[aw] Draft PR Cleanup failed