From d57d30904381cb89f054c132a02e310d249b4dd4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 07:23:16 +0000
Subject: [PATCH 1/5] Initial plan


From da672d6e17dc94185c3f247f61afbd528803ff17 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 07:29:01 +0000
Subject: [PATCH 2/5] Initial plan: Replace index.js file copying with bash
 script

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/ai-moderator.lock.yml       |  14 +-
 .github/workflows/archie.lock.yml             |  14 +-
 .github/workflows/artifacts-summary.lock.yml  |   7 +-
 .github/workflows/audit-workflows.lock.yml    |   7 +-
 .github/workflows/blog-auditor.lock.yml       |   7 +-
 .github/workflows/brave.lock.yml              |  14 +-
 .../breaking-change-checker.lock.yml          |  14 +-
 .github/workflows/campaign-generator.lock.yml | 137 +++---------------
 .github/workflows/changeset.lock.yml          |  14 +-
 .github/workflows/ci-coach.lock.yml           |   7 +-
 .github/workflows/ci-doctor.lock.yml          |  14 +-
 .../cli-consistency-checker.lock.yml          |   7 +-
 .../workflows/cli-version-checker.lock.yml    |   7 +-
 .github/workflows/cloclo.lock.yml             |  14 +-
 .../workflows/close-old-discussions.lock.yml  |   7 +-
 .../commit-changes-analyzer.lock.yml          |   7 +-
 .../workflows/copilot-agent-analysis.lock.yml |   7 +-
 .../copilot-pr-merged-report.lock.yml         |   7 +-
 .../copilot-pr-nlp-analysis.lock.yml          |   7 +-
 .../copilot-pr-prompt-analysis.lock.yml       |   7 +-
 .../copilot-session-insights.lock.yml         |   7 +-
 .github/workflows/craft.lock.yml              |  14 +-
 .../daily-assign-issue-to-user.lock.yml       |   7 +-
 .github/workflows/daily-code-metrics.lock.yml |   7 +-
 .../daily-copilot-token-report.lock.yml       |   7 +-
 .github/workflows/daily-doc-updater.lock.yml  |   7 +-
 .github/workflows/daily-fact.lock.yml         |   7 +-
 .github/workflows/daily-file-diet.lock.yml    |  14 +-
 .../workflows/daily-firewall-report.lock.yml  |   7 +-
 .../workflows/daily-issues-report.lock.yml    |   7 +-
 .../daily-malicious-code-scan.lock.yml        |   7 +-
 .../daily-multi-device-docs-tester.lock.yml   |   7 +-
 .github/workflows/daily-news.lock.yml         |   7 +-
 .../daily-performance-summary.lock.yml        |   7 +-
 .../workflows/daily-repo-chronicle.lock.yml   |   7 +-
 .github/workflows/daily-team-status.lock.yml  |   4 +-
 .../workflows/daily-workflow-updater.lock.yml |   7 +-
 .github/workflows/deep-report.lock.yml        |   7 +-
 .../workflows/dependabot-go-checker.lock.yml  |   7 +-
 .github/workflows/dev-hawk.lock.yml           |  14 +-
 .github/workflows/dev.lock.yml                |   7 +-
 .../developer-docs-consolidator.lock.yml      |   7 +-
 .github/workflows/dictation-prompt.lock.yml   |   7 +-
 .github/workflows/docs-noob-tester.lock.yml   |   7 +-
 .../duplicate-code-detector.lock.yml          |   7 +-
 .../example-permissions-warning.lock.yml      |   7 +-
 .../example-workflow-analyzer.lock.yml        |   7 +-
 .github/workflows/firewall-escape.lock.yml    |  14 +-
 .github/workflows/firewall.lock.yml           |   7 +-
 .../github-mcp-structural-analysis.lock.yml   |   7 +-
 .../github-mcp-tools-report.lock.yml          |   7 +-
 .../workflows/glossary-maintainer.lock.yml    |   7 +-
 .github/workflows/go-fan.lock.yml             |   7 +-
 ...ze-reduction-project64.campaign.g.lock.yml |   7 +-
 ...go-file-size-reduction.campaign.g.lock.yml |   7 +-
 .github/workflows/go-logger.lock.yml          |   7 +-
 .../workflows/go-pattern-detector.lock.yml    |   7 +-
 .github/workflows/grumpy-reviewer.lock.yml    |  14 +-
 .github/workflows/hourly-ci-cleaner.lock.yml  |   7 +-
 .../workflows/human-ai-collaboration.lock.yml |   7 +-
 .github/workflows/incident-response.lock.yml  |   7 +-
 .../workflows/instructions-janitor.lock.yml   |   7 +-
 .github/workflows/intelligence.lock.yml       |   7 +-
 .github/workflows/issue-arborist.lock.yml     |   7 +-
 .github/workflows/issue-classifier.lock.yml   |  14 +-
 .github/workflows/issue-monster.lock.yml      |  14 +-
 .github/workflows/issue-triage-agent.lock.yml |   7 +-
 .github/workflows/jsweep.lock.yml             |   7 +-
 .../workflows/layout-spec-maintainer.lock.yml |   7 +-
 .github/workflows/lockfile-stats.lock.yml     |   7 +-
 .github/workflows/mcp-inspector.lock.yml      |   7 +-
 .github/workflows/mergefest.lock.yml          |  14 +-
 .../workflows/notion-issue-summary.lock.yml   |   7 +-
 .github/workflows/org-health-report.lock.yml  |   7 +-
 .github/workflows/org-wide-rollout.lock.yml   |   7 +-
 .github/workflows/pdf-summary.lock.yml        |  14 +-
 .github/workflows/plan.lock.yml               |  14 +-
 .github/workflows/poem-bot.lock.yml           |  14 +-
 .github/workflows/portfolio-analyst.lock.yml  |   7 +-
 .../workflows/pr-nitpick-reviewer.lock.yml    |  14 +-
 .../prompt-clustering-analysis.lock.yml       |   7 +-
 .github/workflows/python-data-charts.lock.yml |   7 +-
 .github/workflows/q.lock.yml                  |  14 +-
 .github/workflows/release.lock.yml            |  14 +-
 .github/workflows/repo-tree-map.lock.yml      |   7 +-
 .../repository-quality-improver.lock.yml      |   7 +-
 .github/workflows/research.lock.yml           |   7 +-
 .github/workflows/safe-output-health.lock.yml |   7 +-
 .../schema-consistency-checker.lock.yml       |   7 +-
 .github/workflows/scout.lock.yml              |  14 +-
 .../workflows/security-compliance.lock.yml    |   7 +-
 .github/workflows/security-fix-pr.lock.yml    |  14 +-
 .../semantic-function-refactor.lock.yml       |   7 +-
 .../workflows/slide-deck-maintainer.lock.yml  |  14 +-
 .github/workflows/smoke-claude.lock.yml       |  14 +-
 .github/workflows/smoke-codex.lock.yml        |  14 +-
 .../smoke-copilot-no-firewall.lock.yml        |  14 +-
 .../smoke-copilot-playwright.lock.yml         |  14 +-
 .../smoke-copilot-safe-inputs.lock.yml        |  14 +-
 .github/workflows/smoke-copilot.lock.yml      |  14 +-
 .github/workflows/smoke-detector.lock.yml     |  14 +-
 .../smoke-srt-custom-config.lock.yml          |   7 +-
 .github/workflows/smoke-srt.lock.yml          |  14 +-
 .github/workflows/spec-kit-execute.lock.yml   |   7 +-
 .github/workflows/spec-kit-executor.lock.yml  |   7 +-
 .github/workflows/speckit-dispatcher.lock.yml |  14 +-
 .../workflows/stale-repo-identifier.lock.yml  |   7 +-
 .../workflows/static-analysis-report.lock.yml |   7 +-
 .github/workflows/sub-issue-closer.lock.yml   |   7 +-
 .github/workflows/super-linter.lock.yml       |   7 +-
 .../workflows/technical-doc-writer.lock.yml   |   7 +-
 .github/workflows/tidy.lock.yml               |  14 +-
 .github/workflows/typist.lock.yml             |   7 +-
 .github/workflows/unbloat-docs.lock.yml       |  14 +-
 .github/workflows/video-analyzer.lock.yml     |   7 +-
 .../workflows/weekly-issue-summary.lock.yml   |   7 +-
 116 files changed, 171 insertions(+), 1013 deletions(-)

diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml
index 0aec8506926..f77211017b6 100644
--- a/.github/workflows/ai-moderator.lock.yml
+++ b/.github/workflows/ai-moderator.lock.yml
@@ -60,13 +60,8 @@ jobs:
       comment_repo: ""
       issue_locked: ${{ steps.lock-issue.outputs.locked }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6417,13 +6412,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml
index 25bfd40ce7c..8d68e9baac2 100644
--- a/.github/workflows/archie.lock.yml
+++ b/.github/workflows/archie.lock.yml
@@ -66,13 +66,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6698,13 +6693,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml
index 7335e70da2f..b2c947aa2bf 100644
--- a/.github/workflows/artifacts-summary.lock.yml
+++ b/.github/workflows/artifacts-summary.lock.yml
@@ -49,13 +49,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
index b74951d8da1..59a19299bd4 100644
--- a/.github/workflows/audit-workflows.lock.yml
+++ b/.github/workflows/audit-workflows.lock.yml
@@ -51,13 +51,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml
index c0dc27cc4ee..cc733751611 100644
--- a/.github/workflows/blog-auditor.lock.yml
+++ b/.github/workflows/blog-auditor.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml
index 6807cfda6b0..8ab9294e2e7 100644
--- a/.github/workflows/brave.lock.yml
+++ b/.github/workflows/brave.lock.yml
@@ -58,13 +58,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6577,13 +6572,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml
index 00913959121..f7dce4f4a7f 100644
--- a/.github/workflows/breaking-change-checker.lock.yml
+++ b/.github/workflows/breaking-change-checker.lock.yml
@@ -46,13 +46,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6622,13 +6617,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/campaign-generator.lock.yml b/.github/workflows/campaign-generator.lock.yml
index d2f3a37f40e..3b93852bb56 100644
--- a/.github/workflows/campaign-generator.lock.yml
+++ b/.github/workflows/campaign-generator.lock.yml
@@ -49,135 +49,34 @@ jobs:
       comment_repo: ""
       issue_locked: ${{ steps.lock-issue.outputs.locked }}
     steps:
+      - name: Setup Activation Scripts
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        with:
+          destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           GH_AW_WORKFLOW_FILE: "campaign-generator.lock.yml"
         with:
           script: |
-            async function main() {
-              const workflowFile = process.env.GH_AW_WORKFLOW_FILE;
-              if (!workflowFile) {
-                core.setFailed("Configuration error: GH_AW_WORKFLOW_FILE not available.");
-                return;
-              }
-              const workflowBasename = workflowFile.replace(".lock.yml", "");
-              const workflowMdPath = `.github/workflows/${workflowBasename}.md`;
-              const lockFilePath = `.github/workflows/${workflowFile}`;
-              core.info(`Checking workflow timestamps using GitHub API:`);
-              core.info(`  Source: ${workflowMdPath}`);
-              core.info(`  Lock file: ${lockFilePath}`);
-              const { owner, repo } = context.repo;
-              const ref = context.sha;
-              async function getLastCommitForFile(path) {
-                try {
-                  const response = await github.rest.repos.listCommits({
-                    owner,
-                    repo,
-                    path,
-                    per_page: 1,
-                    sha: ref,
-                  });
-                  if (response.data && response.data.length > 0) {
-                    const commit = response.data[0];
-                    return {
-                      sha: commit.sha,
-                      date: commit.commit.committer.date,
-                      message: commit.commit.message,
-                    };
-                  }
-                  return null;
-                } catch (error) {
-                  core.info(`Could not fetch commit for ${path}: ${error.message}`);
-                  return null;
-                }
-              }
-              const workflowCommit = await getLastCommitForFile(workflowMdPath);
-              const lockCommit = await getLastCommitForFile(lockFilePath);
-              if (!workflowCommit) {
-                core.info(`Source file does not exist: ${workflowMdPath}`);
-              }
-              if (!lockCommit) {
-                core.info(`Lock file does not exist: ${lockFilePath}`);
-              }
-              if (!workflowCommit || !lockCommit) {
-                core.info("Skipping timestamp check - one or both files not found");
-                return;
-              }
-              const workflowDate = new Date(workflowCommit.date);
-              const lockDate = new Date(lockCommit.date);
-              core.info(`  Source last commit: ${workflowDate.toISOString()} (${workflowCommit.sha.substring(0, 7)})`);
-              core.info(`  Lock last commit: ${lockDate.toISOString()} (${lockCommit.sha.substring(0, 7)})`);
-              if (workflowDate > lockDate) {
-                const warningMessage = `WARNING: Lock file '${lockFilePath}' is outdated! The workflow file '${workflowMdPath}' has been modified more recently. Run 'gh aw compile' to regenerate the lock file.`;
-                core.error(warningMessage);
-                const workflowTimestamp = workflowDate.toISOString();
-                const lockTimestamp = lockDate.toISOString();
-                let summary = core.summary
-                  .addRaw("### ⚠️ Workflow Lock File Warning\n\n")
-                  .addRaw("**WARNING**: Lock file is outdated and needs to be regenerated.\n\n")
-                  .addRaw("**Files:**\n")
-                  .addRaw(`- Source: \`${workflowMdPath}\`\n`)
-                  .addRaw(`  - Last commit: ${workflowTimestamp}\n`)
-                  .addRaw(`  - Commit SHA: [\`${workflowCommit.sha.substring(0, 7)}\`](https://github.com/${owner}/${repo}/commit/${workflowCommit.sha})\n`)
-                  .addRaw(`- Lock: \`${lockFilePath}\`\n`)
-                  .addRaw(`  - Last commit: ${lockTimestamp}\n`)
-                  .addRaw(`  - Commit SHA: [\`${lockCommit.sha.substring(0, 7)}\`](https://github.com/${owner}/${repo}/commit/${lockCommit.sha})\n\n`)
-                  .addRaw("**Action Required:** Run `gh aw compile` to regenerate the lock file.\n\n");
-                await summary.write();
-              } else if (workflowCommit.sha === lockCommit.sha) {
-                core.info("✅ Lock file is up to date (same commit)");
-              } else {
-                core.info("✅ Lock file is up to date");
-              }
-            }
-            main().catch(error => {
-              core.setFailed(error instanceof Error ? error.message : String(error));
-            });
+            global.core = core;
+            global.github = github;
+            global.context = context;
+            global.exec = exec;
+            global.io = io;
+            require('/tmp/gh-aw/actions/activation/check_workflow_timestamp_api.cjs');
       - name: Lock issue for agent workflow
         id: lock-issue
         if: (github.event_name == 'issues') || (github.event_name == 'issue_comment')
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
-            async function main() {
-              core.info(`Lock-issue debug: actor=${context.actor}, eventName=${context.eventName}`);
-              const issueNumber = context.issue.number;
-              if (!issueNumber) {
-                core.setFailed("Issue number not found in context");
-                return;
-              }
-              const owner = context.repo.owner;
-              const repo = context.repo.repo;
-              core.info(`Lock-issue debug: owner=${owner}, repo=${repo}, issueNumber=${issueNumber}`);
-              try {
-                core.info(`Checking if issue #${issueNumber} is already locked`);
-                const { data: issue } = await github.rest.issues.get({
-                  owner,
-                  repo,
-                  issue_number: issueNumber,
-                });
-                if (issue.locked) {
-                  core.info(`ℹ️ Issue #${issueNumber} is already locked, skipping lock operation`);
-                  core.setOutput("locked", "false");
-                  return;
-                }
-                core.info(`Locking issue #${issueNumber} for agent workflow execution`);
-                await github.rest.issues.lock({
-                  owner,
-                  repo,
-                  issue_number: issueNumber,
-                });
-                core.info(`✅ Successfully locked issue #${issueNumber}`);
-                core.setOutput("locked", "true");
-              } catch (error) {
-                const errorMessage = error instanceof Error ? error.message : String(error);
-                core.error(`Failed to lock issue: ${errorMessage}`);
-                core.setFailed(`Failed to lock issue #${issueNumber}: ${errorMessage}`);
-                core.setOutput("locked", "false");
-              }
-            }
-            await main();
+            global.core = core;
+            global.github = github;
+            global.context = context;
+            global.exec = exec;
+            global.io = io;
+            require('/tmp/gh-aw/actions/activation/lock-issue.cjs');
 
   agent:
     needs: activation
@@ -6650,6 +6549,10 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Setup Activation Scripts
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        with:
+          destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
         id: check_membership
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml
index da8cfec614e..466e2256ad4 100644
--- a/.github/workflows/changeset.lock.yml
+++ b/.github/workflows/changeset.lock.yml
@@ -66,13 +66,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6318,13 +6313,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml
index 8bc605e24d3..30d3aef108d 100644
--- a/.github/workflows/ci-coach.lock.yml
+++ b/.github/workflows/ci-coach.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml
index f091b76be23..285b5e540f0 100644
--- a/.github/workflows/ci-doctor.lock.yml
+++ b/.github/workflows/ci-doctor.lock.yml
@@ -59,13 +59,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6711,13 +6706,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_stop_time.outputs.stop_time_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml
index b922e14eda3..7d75070d211 100644
--- a/.github/workflows/cli-consistency-checker.lock.yml
+++ b/.github/workflows/cli-consistency-checker.lock.yml
@@ -43,13 +43,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml
index 41d3864502c..5dec627bd5f 100644
--- a/.github/workflows/cli-version-checker.lock.yml
+++ b/.github/workflows/cli-version-checker.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index 99102662f61..1949ef7249c 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -92,13 +92,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6599,13 +6594,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/close-old-discussions.lock.yml b/.github/workflows/close-old-discussions.lock.yml
index cf587c6f35f..c7f9471b75b 100644
--- a/.github/workflows/close-old-discussions.lock.yml
+++ b/.github/workflows/close-old-discussions.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml
index 492cb760ebd..c1bc741ee91 100644
--- a/.github/workflows/commit-changes-analyzer.lock.yml
+++ b/.github/workflows/commit-changes-analyzer.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
index 65d7fa24fad..d1dce734b03 100644
--- a/.github/workflows/copilot-agent-analysis.lock.yml
+++ b/.github/workflows/copilot-agent-analysis.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml
index 39221488f89..c5c62772ea8 100644
--- a/.github/workflows/copilot-pr-merged-report.lock.yml
+++ b/.github/workflows/copilot-pr-merged-report.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
index 5a0f4b7c174..dbb27f56eb7 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
index 482a0826338..d0fcc4016bd 100644
--- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
index 4543444ad88..8cf6b11af73 100644
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -52,13 +52,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index 5b9b8daea0a..07d9c0ce728 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -54,13 +54,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6764,13 +6759,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml
index 1a7f1dc9f6e..52452fafabc 100644
--- a/.github/workflows/daily-assign-issue-to-user.lock.yml
+++ b/.github/workflows/daily-assign-issue-to-user.lock.yml
@@ -43,13 +43,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
index c90f4ed4f82..9099b75763c 100644
--- a/.github/workflows/daily-code-metrics.lock.yml
+++ b/.github/workflows/daily-code-metrics.lock.yml
@@ -49,13 +49,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml
index da41aea54a2..317ce497707 100644
--- a/.github/workflows/daily-copilot-token-report.lock.yml
+++ b/.github/workflows/daily-copilot-token-report.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index 500f4c6847a..08faa836d35 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml
index c7998f5b8e1..ec931a84a62 100644
--- a/.github/workflows/daily-fact.lock.yml
+++ b/.github/workflows/daily-fact.lock.yml
@@ -43,13 +43,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml
index 0f823858824..8be3a098bd0 100644
--- a/.github/workflows/daily-file-diet.lock.yml
+++ b/.github/workflows/daily-file-diet.lock.yml
@@ -53,13 +53,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7492,13 +7487,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml
index bcb6443981c..fd49b02eee1 100644
--- a/.github/workflows/daily-firewall-report.lock.yml
+++ b/.github/workflows/daily-firewall-report.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml
index 684110dc439..44492a64603 100644
--- a/.github/workflows/daily-issues-report.lock.yml
+++ b/.github/workflows/daily-issues-report.lock.yml
@@ -52,13 +52,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml
index 373a9b23b59..7d04826c2e3 100644
--- a/.github/workflows/daily-malicious-code-scan.lock.yml
+++ b/.github/workflows/daily-malicious-code-scan.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml
index 9d47f1cdf57..9ea34f83804 100644
--- a/.github/workflows/daily-multi-device-docs-tester.lock.yml
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml
@@ -49,13 +49,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
index a2c70c41e5e..b51f5c2d132 100644
--- a/.github/workflows/daily-news.lock.yml
+++ b/.github/workflows/daily-news.lock.yml
@@ -51,13 +51,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index 810f24e07ee..ba7ae1f94ce 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml
index f37056a81e2..0fc925540c4 100644
--- a/.github/workflows/daily-repo-chronicle.lock.yml
+++ b/.github/workflows/daily-repo-chronicle.lock.yml
@@ -49,13 +49,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml
index 0266dc0290d..6557d1cd221 100644
--- a/.github/workflows/daily-team-status.lock.yml
+++ b/.github/workflows/daily-team-status.lock.yml
@@ -58,7 +58,7 @@ jobs:
       comment_repo: ""
     steps:
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@6ccc3d3
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6473,7 +6473,7 @@ jobs:
       activated: ${{ steps.check_stop_time.outputs.stop_time_ok == 'true' }}
     steps:
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@6ccc3d3
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check stop-time limit
diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml
index 1fe403a0bd7..fc8d5cfb206 100644
--- a/.github/workflows/daily-workflow-updater.lock.yml
+++ b/.github/workflows/daily-workflow-updater.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
index 40f14b7a1aa..3b5051dea8f 100644
--- a/.github/workflows/deep-report.lock.yml
+++ b/.github/workflows/deep-report.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml
index 51db8a9412e..96c0ef7a52e 100644
--- a/.github/workflows/dependabot-go-checker.lock.yml
+++ b/.github/workflows/dependabot-go-checker.lock.yml
@@ -43,13 +43,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml
index 95d9420a41f..0c0dd4f87e7 100644
--- a/.github/workflows/dev-hawk.lock.yml
+++ b/.github/workflows/dev-hawk.lock.yml
@@ -58,13 +58,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6557,13 +6552,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index 85f8046f467..9efc2a4f437 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -45,13 +45,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index eb61928d889..455c1b3c67c 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml
index 885d4d48f6e..123ec4e529f 100644
--- a/.github/workflows/dictation-prompt.lock.yml
+++ b/.github/workflows/dictation-prompt.lock.yml
@@ -47,13 +47,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml
index 411499f414a..f2b6845cefa 100644
--- a/.github/workflows/docs-noob-tester.lock.yml
+++ b/.github/workflows/docs-noob-tester.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml
index ac66a49678a..f50e690ced1 100644
--- a/.github/workflows/duplicate-code-detector.lock.yml
+++ b/.github/workflows/duplicate-code-detector.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml
index 22810ffd537..80e45bdcfb6 100644
--- a/.github/workflows/example-permissions-warning.lock.yml
+++ b/.github/workflows/example-permissions-warning.lock.yml
@@ -41,13 +41,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml
index ba128b7496d..e13352f32ea 100644
--- a/.github/workflows/example-workflow-analyzer.lock.yml
+++ b/.github/workflows/example-workflow-analyzer.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml
index 4599d812d67..9819dab22da 100644
--- a/.github/workflows/firewall-escape.lock.yml
+++ b/.github/workflows/firewall-escape.lock.yml
@@ -54,13 +54,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -2942,13 +2937,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml
index 573c3946968..8890bdd0c1b 100644
--- a/.github/workflows/firewall.lock.yml
+++ b/.github/workflows/firewall.lock.yml
@@ -41,13 +41,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml
index 6cafecc7105..900f0e9dc01 100644
--- a/.github/workflows/github-mcp-structural-analysis.lock.yml
+++ b/.github/workflows/github-mcp-structural-analysis.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 0d029f2933e..9b0255ea488 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
index a4736bf299a..e234080ebca 100644
--- a/.github/workflows/glossary-maintainer.lock.yml
+++ b/.github/workflows/glossary-maintainer.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml
index c50b1574a61..5d117dcd90a 100644
--- a/.github/workflows/go-fan.lock.yml
+++ b/.github/workflows/go-fan.lock.yml
@@ -47,13 +47,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml b/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
index 3f7672fbcbe..d41de07fc0b 100644
--- a/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
+++ b/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
@@ -43,13 +43,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-file-size-reduction.campaign.g.lock.yml b/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
index 69f8ab5abf5..402e5a86c50 100644
--- a/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
+++ b/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
@@ -43,13 +43,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index d4aedd2ca06..b66f940852e 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index 90d88ec1957..88651416f05 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -47,13 +47,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml
index f18cb0458e0..48eb274c883 100644
--- a/.github/workflows/grumpy-reviewer.lock.yml
+++ b/.github/workflows/grumpy-reviewer.lock.yml
@@ -59,13 +59,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6696,13 +6691,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml
index f666f9da355..606debe479a 100644
--- a/.github/workflows/hourly-ci-cleaner.lock.yml
+++ b/.github/workflows/hourly-ci-cleaner.lock.yml
@@ -47,13 +47,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/human-ai-collaboration.lock.yml b/.github/workflows/human-ai-collaboration.lock.yml
index 1867aed0807..26abf913361 100644
--- a/.github/workflows/human-ai-collaboration.lock.yml
+++ b/.github/workflows/human-ai-collaboration.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml
index b8aee8b3940..3780adcdded 100644
--- a/.github/workflows/incident-response.lock.yml
+++ b/.github/workflows/incident-response.lock.yml
@@ -59,13 +59,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index 4e6ebd9a314..f71e7269fea 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/intelligence.lock.yml b/.github/workflows/intelligence.lock.yml
index 530a60e2ae0..89b473bc767 100644
--- a/.github/workflows/intelligence.lock.yml
+++ b/.github/workflows/intelligence.lock.yml
@@ -59,13 +59,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml
index 50e1f9dc551..0523acc0e8a 100644
--- a/.github/workflows/issue-arborist.lock.yml
+++ b/.github/workflows/issue-arborist.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml
index c67f6397547..daa78d38a86 100644
--- a/.github/workflows/issue-classifier.lock.yml
+++ b/.github/workflows/issue-classifier.lock.yml
@@ -55,13 +55,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -4459,13 +4454,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
index cdbc18d6f19..8988e39203d 100644
--- a/.github/workflows/issue-monster.lock.yml
+++ b/.github/workflows/issue-monster.lock.yml
@@ -51,13 +51,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6620,13 +6615,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml
index 98bccd8dc9c..4e25903a87f 100644
--- a/.github/workflows/issue-triage-agent.lock.yml
+++ b/.github/workflows/issue-triage-agent.lock.yml
@@ -42,13 +42,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml
index 854fc10a5be..b6c192610dd 100644
--- a/.github/workflows/jsweep.lock.yml
+++ b/.github/workflows/jsweep.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml
index d4f1c9efe79..290825efee3 100644
--- a/.github/workflows/layout-spec-maintainer.lock.yml
+++ b/.github/workflows/layout-spec-maintainer.lock.yml
@@ -45,13 +45,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index 7e4a180bc3e..55e5235f1e7 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml
index 2ec12885329..b4cfd040dac 100644
--- a/.github/workflows/mcp-inspector.lock.yml
+++ b/.github/workflows/mcp-inspector.lock.yml
@@ -63,13 +63,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml
index e83d5a0af0a..93672c18f41 100644
--- a/.github/workflows/mergefest.lock.yml
+++ b/.github/workflows/mergefest.lock.yml
@@ -53,13 +53,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6797,13 +6792,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml
index f0a969649d8..84e318056ef 100644
--- a/.github/workflows/notion-issue-summary.lock.yml
+++ b/.github/workflows/notion-issue-summary.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml
index 84a74f39be8..f91ad5c8fdf 100644
--- a/.github/workflows/org-health-report.lock.yml
+++ b/.github/workflows/org-health-report.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml
index e63ad301560..cc730e9d726 100644
--- a/.github/workflows/org-wide-rollout.lock.yml
+++ b/.github/workflows/org-wide-rollout.lock.yml
@@ -66,13 +66,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml
index 9e5b1f50af5..e2ea96e4ea0 100644
--- a/.github/workflows/pdf-summary.lock.yml
+++ b/.github/workflows/pdf-summary.lock.yml
@@ -76,13 +76,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6688,13 +6683,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml
index fbc1ae1436a..0e6bbd1f0ee 100644
--- a/.github/workflows/plan.lock.yml
+++ b/.github/workflows/plan.lock.yml
@@ -58,13 +58,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6720,13 +6715,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index 469b43a4c3a..ecb7ed28f79 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -61,13 +61,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7133,13 +7128,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml
index a07412344d3..d93aa5e6d54 100644
--- a/.github/workflows/portfolio-analyst.lock.yml
+++ b/.github/workflows/portfolio-analyst.lock.yml
@@ -51,13 +51,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml
index ab1bada4d46..c275bd7c403 100644
--- a/.github/workflows/pr-nitpick-reviewer.lock.yml
+++ b/.github/workflows/pr-nitpick-reviewer.lock.yml
@@ -85,13 +85,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7081,13 +7076,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml
index ee0d7120755..3b1a6810105 100644
--- a/.github/workflows/prompt-clustering-analysis.lock.yml
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml
@@ -54,13 +54,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml
index eade9aa65e5..438bd58faff 100644
--- a/.github/workflows/python-data-charts.lock.yml
+++ b/.github/workflows/python-data-charts.lock.yml
@@ -47,13 +47,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index 25026fbf32a..94df74cf2fa 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -87,13 +87,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7055,13 +7050,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index 49accca3ad4..dc2d334c0c4 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -45,13 +45,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6596,13 +6591,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml
index a7cd71775cd..44f558b5627 100644
--- a/.github/workflows/repo-tree-map.lock.yml
+++ b/.github/workflows/repo-tree-map.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml
index 61f238d178c..7477b700064 100644
--- a/.github/workflows/repository-quality-improver.lock.yml
+++ b/.github/workflows/repository-quality-improver.lock.yml
@@ -47,13 +47,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml
index dfbaee71aa3..feb923fa47b 100644
--- a/.github/workflows/research.lock.yml
+++ b/.github/workflows/research.lock.yml
@@ -51,13 +51,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml
index 82af361442c..3428117597c 100644
--- a/.github/workflows/safe-output-health.lock.yml
+++ b/.github/workflows/safe-output-health.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml
index ebe55b2f03f..b4874063026 100644
--- a/.github/workflows/schema-consistency-checker.lock.yml
+++ b/.github/workflows/schema-consistency-checker.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml
index ca9a02eb588..be2046c387d 100644
--- a/.github/workflows/scout.lock.yml
+++ b/.github/workflows/scout.lock.yml
@@ -102,13 +102,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6565,13 +6560,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml
index c21b38c6393..3cd60d741c2 100644
--- a/.github/workflows/security-compliance.lock.yml
+++ b/.github/workflows/security-compliance.lock.yml
@@ -53,13 +53,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml
index d5e69c115b1..10f266816e6 100644
--- a/.github/workflows/security-fix-pr.lock.yml
+++ b/.github/workflows/security-fix-pr.lock.yml
@@ -52,13 +52,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6216,13 +6211,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml
index c5ef3f6f5df..a61f26d5ed1 100644
--- a/.github/workflows/semantic-function-refactor.lock.yml
+++ b/.github/workflows/semantic-function-refactor.lock.yml
@@ -48,13 +48,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml
index da0725986a9..773b140b90a 100644
--- a/.github/workflows/slide-deck-maintainer.lock.yml
+++ b/.github/workflows/slide-deck-maintainer.lock.yml
@@ -51,13 +51,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6768,13 +6763,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index aa48eaa6648..b092b77bc5d 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -62,13 +62,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6388,13 +6383,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index 28eff4ee886..a8d76ef0cf8 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -58,13 +58,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6285,13 +6280,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml
index e61a75f61fe..6b8b1a99020 100644
--- a/.github/workflows/smoke-copilot-no-firewall.lock.yml
+++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml
@@ -62,13 +62,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7791,13 +7786,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml
index b73bbb8605f..73d34ae6282 100644
--- a/.github/workflows/smoke-copilot-playwright.lock.yml
+++ b/.github/workflows/smoke-copilot-playwright.lock.yml
@@ -62,13 +62,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -8086,13 +8081,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-copilot-safe-inputs.lock.yml b/.github/workflows/smoke-copilot-safe-inputs.lock.yml
index 4d6253abb32..2f6480c5dfb 100644
--- a/.github/workflows/smoke-copilot-safe-inputs.lock.yml
+++ b/.github/workflows/smoke-copilot-safe-inputs.lock.yml
@@ -62,13 +62,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7790,13 +7785,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 2c1dee828d7..d66db2ac8b9 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -58,13 +58,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6608,13 +6603,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml
index ac5acfacba5..6d3fda1303e 100644
--- a/.github/workflows/smoke-detector.lock.yml
+++ b/.github/workflows/smoke-detector.lock.yml
@@ -78,13 +78,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6501,13 +6496,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-srt-custom-config.lock.yml b/.github/workflows/smoke-srt-custom-config.lock.yml
index 350a66e3070..1ade1c51b50 100644
--- a/.github/workflows/smoke-srt-custom-config.lock.yml
+++ b/.github/workflows/smoke-srt-custom-config.lock.yml
@@ -41,13 +41,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/smoke-srt.lock.yml b/.github/workflows/smoke-srt.lock.yml
index 6e969d1feff..befeb30ce7c 100644
--- a/.github/workflows/smoke-srt.lock.yml
+++ b/.github/workflows/smoke-srt.lock.yml
@@ -51,13 +51,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6380,13 +6375,8 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml
index 073a2fbe657..546dd6d1b48 100644
--- a/.github/workflows/spec-kit-execute.lock.yml
+++ b/.github/workflows/spec-kit-execute.lock.yml
@@ -43,13 +43,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml
index a57d3f8d834..d8113a8fae0 100644
--- a/.github/workflows/spec-kit-executor.lock.yml
+++ b/.github/workflows/spec-kit-executor.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/speckit-dispatcher.lock.yml b/.github/workflows/speckit-dispatcher.lock.yml
index f401f310af0..556ce7f4163 100644
--- a/.github/workflows/speckit-dispatcher.lock.yml
+++ b/.github/workflows/speckit-dispatcher.lock.yml
@@ -81,13 +81,8 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6967,13 +6962,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml
index 54063034168..cd6ecc0ea2d 100644
--- a/.github/workflows/stale-repo-identifier.lock.yml
+++ b/.github/workflows/stale-repo-identifier.lock.yml
@@ -59,13 +59,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index eda3e040cac..c8f00cf99db 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -49,13 +49,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml
index 7c1c5bb7947..ab4114f659c 100644
--- a/.github/workflows/sub-issue-closer.lock.yml
+++ b/.github/workflows/sub-issue-closer.lock.yml
@@ -44,13 +44,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml
index be6e8971621..c7e0b5e9a3a 100644
--- a/.github/workflows/super-linter.lock.yml
+++ b/.github/workflows/super-linter.lock.yml
@@ -47,13 +47,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
index b9edaa0c384..9ed11c01069 100644
--- a/.github/workflows/technical-doc-writer.lock.yml
+++ b/.github/workflows/technical-doc-writer.lock.yml
@@ -51,13 +51,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml
index 5181d46f9d2..8cb68a974aa 100644
--- a/.github/workflows/tidy.lock.yml
+++ b/.github/workflows/tidy.lock.yml
@@ -63,13 +63,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6603,13 +6598,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml
index 3c862a0ddbf..b318c263319 100644
--- a/.github/workflows/typist.lock.yml
+++ b/.github/workflows/typist.lock.yml
@@ -47,13 +47,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml
index 5315608e9cf..9f05032dc68 100644
--- a/.github/workflows/unbloat-docs.lock.yml
+++ b/.github/workflows/unbloat-docs.lock.yml
@@ -61,13 +61,8 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6599,13 +6594,8 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml
index e35980372a1..6aca9226873 100644
--- a/.github/workflows/video-analyzer.lock.yml
+++ b/.github/workflows/video-analyzer.lock.yml
@@ -50,13 +50,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml
index 5dbabacf19f..965ce452804 100644
--- a/.github/workflows/weekly-issue-summary.lock.yml
+++ b/.github/workflows/weekly-issue-summary.lock.yml
@@ -49,13 +49,8 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
-      - name: Checkout actions folder
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-        with:
-          sparse-checkout: |
-            actions
       - name: Setup Activation Scripts
-        uses: ./actions/setup-activation
+        uses: githubnext/gh-aw/actions/setup-activation@d57d309
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps

From bacf416cc6dadfb8130f8aec23a81341b483f6b3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 07:38:14 +0000
Subject: [PATCH 3/5] Replace index.js file copying with bash script in
 setup-safe-outputs action

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/ai-moderator.lock.yml       |  14 +-
 .github/workflows/archie.lock.yml             |  14 +-
 .github/workflows/artifacts-summary.lock.yml  |   7 +-
 .github/workflows/audit-workflows.lock.yml    |   7 +-
 .github/workflows/blog-auditor.lock.yml       |   7 +-
 .github/workflows/brave.lock.yml              |  14 +-
 .../breaking-change-checker.lock.yml          |  14 +-
 .github/workflows/campaign-generator.lock.yml | 137 +++-
 .github/workflows/changeset.lock.yml          |  14 +-
 .github/workflows/ci-coach.lock.yml           |   7 +-
 .github/workflows/ci-doctor.lock.yml          |  14 +-
 .../cli-consistency-checker.lock.yml          |   7 +-
 .../workflows/cli-version-checker.lock.yml    |   7 +-
 .github/workflows/cloclo.lock.yml             |  14 +-
 .../workflows/close-old-discussions.lock.yml  |   7 +-
 .../commit-changes-analyzer.lock.yml          |   7 +-
 .../workflows/copilot-agent-analysis.lock.yml |   7 +-
 .../copilot-pr-merged-report.lock.yml         |   7 +-
 .../copilot-pr-nlp-analysis.lock.yml          |   7 +-
 .../copilot-pr-prompt-analysis.lock.yml       |   7 +-
 .../copilot-session-insights.lock.yml         |   7 +-
 .github/workflows/craft.lock.yml              |  14 +-
 .../daily-assign-issue-to-user.lock.yml       |   7 +-
 .github/workflows/daily-code-metrics.lock.yml |   7 +-
 .../daily-copilot-token-report.lock.yml       |   7 +-
 .github/workflows/daily-doc-updater.lock.yml  |   7 +-
 .github/workflows/daily-fact.lock.yml         |   7 +-
 .github/workflows/daily-file-diet.lock.yml    |  14 +-
 .../workflows/daily-firewall-report.lock.yml  |   7 +-
 .../workflows/daily-issues-report.lock.yml    |   7 +-
 .../daily-malicious-code-scan.lock.yml        |   7 +-
 .../daily-multi-device-docs-tester.lock.yml   |   7 +-
 .github/workflows/daily-news.lock.yml         |   7 +-
 .../daily-performance-summary.lock.yml        |   7 +-
 .../workflows/daily-repo-chronicle.lock.yml   |   7 +-
 .../workflows/daily-workflow-updater.lock.yml |   7 +-
 .github/workflows/deep-report.lock.yml        |   7 +-
 .../workflows/dependabot-go-checker.lock.yml  |   7 +-
 .github/workflows/dev-hawk.lock.yml           |  14 +-
 .github/workflows/dev.lock.yml                |   7 +-
 .../developer-docs-consolidator.lock.yml      |   7 +-
 .github/workflows/dictation-prompt.lock.yml   |   7 +-
 .github/workflows/docs-noob-tester.lock.yml   |   7 +-
 .../duplicate-code-detector.lock.yml          |   7 +-
 .../example-permissions-warning.lock.yml      |   7 +-
 .../example-workflow-analyzer.lock.yml        |   7 +-
 .github/workflows/firewall-escape.lock.yml    |  14 +-
 .github/workflows/firewall.lock.yml           |   7 +-
 .../github-mcp-structural-analysis.lock.yml   |   7 +-
 .../github-mcp-tools-report.lock.yml          |   7 +-
 .../workflows/glossary-maintainer.lock.yml    |   7 +-
 .github/workflows/go-fan.lock.yml             |   7 +-
 ...ze-reduction-project64.campaign.g.lock.yml |   7 +-
 ...go-file-size-reduction.campaign.g.lock.yml |   7 +-
 .github/workflows/go-logger.lock.yml          |   7 +-
 .../workflows/go-pattern-detector.lock.yml    |   7 +-
 .github/workflows/grumpy-reviewer.lock.yml    |  14 +-
 .github/workflows/hourly-ci-cleaner.lock.yml  |   7 +-
 .../workflows/human-ai-collaboration.lock.yml |   7 +-
 .github/workflows/incident-response.lock.yml  |   7 +-
 .../workflows/instructions-janitor.lock.yml   |   7 +-
 .github/workflows/intelligence.lock.yml       |   7 +-
 .github/workflows/issue-arborist.lock.yml     |   7 +-
 .github/workflows/issue-classifier.lock.yml   |  14 +-
 .github/workflows/issue-monster.lock.yml      |  14 +-
 .github/workflows/issue-triage-agent.lock.yml |   7 +-
 .github/workflows/jsweep.lock.yml             |   7 +-
 .../workflows/layout-spec-maintainer.lock.yml |   7 +-
 .github/workflows/lockfile-stats.lock.yml     |   2 +-
 .github/workflows/mcp-inspector.lock.yml      |   7 +-
 .github/workflows/mergefest.lock.yml          |  14 +-
 .../workflows/notion-issue-summary.lock.yml   |   7 +-
 .github/workflows/org-health-report.lock.yml  |   7 +-
 .github/workflows/org-wide-rollout.lock.yml   |   7 +-
 .github/workflows/pdf-summary.lock.yml        |  14 +-
 .github/workflows/plan.lock.yml               |  14 +-
 .github/workflows/poem-bot.lock.yml           |  14 +-
 .github/workflows/portfolio-analyst.lock.yml  |   7 +-
 .../workflows/pr-nitpick-reviewer.lock.yml    |  14 +-
 .../prompt-clustering-analysis.lock.yml       |   7 +-
 .github/workflows/python-data-charts.lock.yml |   7 +-
 .github/workflows/q.lock.yml                  |  14 +-
 .github/workflows/release.lock.yml            |  14 +-
 .github/workflows/repo-tree-map.lock.yml      |   7 +-
 .../repository-quality-improver.lock.yml      |   7 +-
 .github/workflows/research.lock.yml           |   7 +-
 .github/workflows/safe-output-health.lock.yml |   7 +-
 .../schema-consistency-checker.lock.yml       |   7 +-
 .github/workflows/scout.lock.yml              |  14 +-
 .../workflows/security-compliance.lock.yml    |   7 +-
 .github/workflows/security-fix-pr.lock.yml    |  14 +-
 .../semantic-function-refactor.lock.yml       |   7 +-
 .../workflows/slide-deck-maintainer.lock.yml  |  14 +-
 .github/workflows/smoke-claude.lock.yml       |  14 +-
 .github/workflows/smoke-codex.lock.yml        |  14 +-
 .../smoke-copilot-no-firewall.lock.yml        |  14 +-
 .../smoke-copilot-playwright.lock.yml         |  14 +-
 .../smoke-copilot-safe-inputs.lock.yml        |  14 +-
 .github/workflows/smoke-copilot.lock.yml      |   4 +-
 .github/workflows/smoke-detector.lock.yml     |  14 +-
 .../smoke-srt-custom-config.lock.yml          |   7 +-
 .github/workflows/smoke-srt.lock.yml          |  14 +-
 .github/workflows/spec-kit-execute.lock.yml   |   7 +-
 .github/workflows/spec-kit-executor.lock.yml  |   7 +-
 .github/workflows/speckit-dispatcher.lock.yml |  14 +-
 .../workflows/stale-repo-identifier.lock.yml  |   7 +-
 .../workflows/static-analysis-report.lock.yml |   7 +-
 .github/workflows/sub-issue-closer.lock.yml   |   7 +-
 .github/workflows/super-linter.lock.yml       |   7 +-
 .../workflows/technical-doc-writer.lock.yml   |   7 +-
 .github/workflows/tidy.lock.yml               |  14 +-
 .github/workflows/typist.lock.yml             |   7 +-
 .github/workflows/unbloat-docs.lock.yml       |  14 +-
 .github/workflows/video-analyzer.lock.yml     |   7 +-
 .../workflows/weekly-issue-summary.lock.yml   |   7 +-
 .gitignore                                    |   2 +-
 actions/setup-safe-outputs/README.md          |   4 +-
 actions/setup-safe-outputs/action.yml         |   9 +-
 actions/setup-safe-outputs/copy-files.sh      |  48 ++
 actions/setup-safe-outputs/index.js           |  51 --
 actions/setup-safe-outputs/js/mcp_logger.cjs  |  53 ++
 .../setup-safe-outputs/js/mcp_server_core.cjs | 747 ++++++++++++++++++
 actions/setup-safe-outputs/js/messages.cjs    |  58 ++
 .../js/safe_outputs_bootstrap.cjs             |  74 ++
 .../js/safe_outputs_config.cjs                |  59 ++
 .../js/safe_outputs_handlers.cjs              | 322 ++++++++
 .../js/safe_outputs_mcp_server.cjs            |  80 ++
 .../js/safe_outputs_tools.json                | 591 ++++++++++++++
 .../js/safe_outputs_tools_loader.cjs          | 165 ++++
 actions/setup-safe-outputs/src/index.js       |  43 -
 pkg/cli/actions_build_command.go              |  83 +-
 131 files changed, 3275 insertions(+), 279 deletions(-)
 create mode 100755 actions/setup-safe-outputs/copy-files.sh
 delete mode 100644 actions/setup-safe-outputs/index.js
 create mode 100644 actions/setup-safe-outputs/js/mcp_logger.cjs
 create mode 100644 actions/setup-safe-outputs/js/mcp_server_core.cjs
 create mode 100644 actions/setup-safe-outputs/js/messages.cjs
 create mode 100644 actions/setup-safe-outputs/js/safe_outputs_bootstrap.cjs
 create mode 100644 actions/setup-safe-outputs/js/safe_outputs_config.cjs
 create mode 100644 actions/setup-safe-outputs/js/safe_outputs_handlers.cjs
 create mode 100644 actions/setup-safe-outputs/js/safe_outputs_mcp_server.cjs
 create mode 100644 actions/setup-safe-outputs/js/safe_outputs_tools.json
 create mode 100644 actions/setup-safe-outputs/js/safe_outputs_tools_loader.cjs
 delete mode 100644 actions/setup-safe-outputs/src/index.js

diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml
index f77211017b6..0aec8506926 100644
--- a/.github/workflows/ai-moderator.lock.yml
+++ b/.github/workflows/ai-moderator.lock.yml
@@ -60,8 +60,13 @@ jobs:
       comment_repo: ""
       issue_locked: ${{ steps.lock-issue.outputs.locked }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6412,8 +6417,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml
index 8d68e9baac2..25bfd40ce7c 100644
--- a/.github/workflows/archie.lock.yml
+++ b/.github/workflows/archie.lock.yml
@@ -66,8 +66,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6693,8 +6698,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml
index b2c947aa2bf..7335e70da2f 100644
--- a/.github/workflows/artifacts-summary.lock.yml
+++ b/.github/workflows/artifacts-summary.lock.yml
@@ -49,8 +49,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
index 59a19299bd4..b74951d8da1 100644
--- a/.github/workflows/audit-workflows.lock.yml
+++ b/.github/workflows/audit-workflows.lock.yml
@@ -51,8 +51,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml
index cc733751611..c0dc27cc4ee 100644
--- a/.github/workflows/blog-auditor.lock.yml
+++ b/.github/workflows/blog-auditor.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml
index 8ab9294e2e7..6807cfda6b0 100644
--- a/.github/workflows/brave.lock.yml
+++ b/.github/workflows/brave.lock.yml
@@ -58,8 +58,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6572,8 +6577,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml
index f7dce4f4a7f..00913959121 100644
--- a/.github/workflows/breaking-change-checker.lock.yml
+++ b/.github/workflows/breaking-change-checker.lock.yml
@@ -46,8 +46,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6617,8 +6622,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/campaign-generator.lock.yml b/.github/workflows/campaign-generator.lock.yml
index 3b93852bb56..d2f3a37f40e 100644
--- a/.github/workflows/campaign-generator.lock.yml
+++ b/.github/workflows/campaign-generator.lock.yml
@@ -49,34 +49,135 @@ jobs:
       comment_repo: ""
       issue_locked: ${{ steps.lock-issue.outputs.locked }}
     steps:
-      - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
-        with:
-          destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           GH_AW_WORKFLOW_FILE: "campaign-generator.lock.yml"
         with:
           script: |
-            global.core = core;
-            global.github = github;
-            global.context = context;
-            global.exec = exec;
-            global.io = io;
-            require('/tmp/gh-aw/actions/activation/check_workflow_timestamp_api.cjs');
+            async function main() {
+              const workflowFile = process.env.GH_AW_WORKFLOW_FILE;
+              if (!workflowFile) {
+                core.setFailed("Configuration error: GH_AW_WORKFLOW_FILE not available.");
+                return;
+              }
+              const workflowBasename = workflowFile.replace(".lock.yml", "");
+              const workflowMdPath = `.github/workflows/${workflowBasename}.md`;
+              const lockFilePath = `.github/workflows/${workflowFile}`;
+              core.info(`Checking workflow timestamps using GitHub API:`);
+              core.info(`  Source: ${workflowMdPath}`);
+              core.info(`  Lock file: ${lockFilePath}`);
+              const { owner, repo } = context.repo;
+              const ref = context.sha;
+              async function getLastCommitForFile(path) {
+                try {
+                  const response = await github.rest.repos.listCommits({
+                    owner,
+                    repo,
+                    path,
+                    per_page: 1,
+                    sha: ref,
+                  });
+                  if (response.data && response.data.length > 0) {
+                    const commit = response.data[0];
+                    return {
+                      sha: commit.sha,
+                      date: commit.commit.committer.date,
+                      message: commit.commit.message,
+                    };
+                  }
+                  return null;
+                } catch (error) {
+                  core.info(`Could not fetch commit for ${path}: ${error.message}`);
+                  return null;
+                }
+              }
+              const workflowCommit = await getLastCommitForFile(workflowMdPath);
+              const lockCommit = await getLastCommitForFile(lockFilePath);
+              if (!workflowCommit) {
+                core.info(`Source file does not exist: ${workflowMdPath}`);
+              }
+              if (!lockCommit) {
+                core.info(`Lock file does not exist: ${lockFilePath}`);
+              }
+              if (!workflowCommit || !lockCommit) {
+                core.info("Skipping timestamp check - one or both files not found");
+                return;
+              }
+              const workflowDate = new Date(workflowCommit.date);
+              const lockDate = new Date(lockCommit.date);
+              core.info(`  Source last commit: ${workflowDate.toISOString()} (${workflowCommit.sha.substring(0, 7)})`);
+              core.info(`  Lock last commit: ${lockDate.toISOString()} (${lockCommit.sha.substring(0, 7)})`);
+              if (workflowDate > lockDate) {
+                const warningMessage = `WARNING: Lock file '${lockFilePath}' is outdated! The workflow file '${workflowMdPath}' has been modified more recently. Run 'gh aw compile' to regenerate the lock file.`;
+                core.error(warningMessage);
+                const workflowTimestamp = workflowDate.toISOString();
+                const lockTimestamp = lockDate.toISOString();
+                let summary = core.summary
+                  .addRaw("### ⚠️ Workflow Lock File Warning\n\n")
+                  .addRaw("**WARNING**: Lock file is outdated and needs to be regenerated.\n\n")
+                  .addRaw("**Files:**\n")
+                  .addRaw(`- Source: \`${workflowMdPath}\`\n`)
+                  .addRaw(`  - Last commit: ${workflowTimestamp}\n`)
+                  .addRaw(`  - Commit SHA: [\`${workflowCommit.sha.substring(0, 7)}\`](https://github.com/${owner}/${repo}/commit/${workflowCommit.sha})\n`)
+                  .addRaw(`- Lock: \`${lockFilePath}\`\n`)
+                  .addRaw(`  - Last commit: ${lockTimestamp}\n`)
+                  .addRaw(`  - Commit SHA: [\`${lockCommit.sha.substring(0, 7)}\`](https://github.com/${owner}/${repo}/commit/${lockCommit.sha})\n\n`)
+                  .addRaw("**Action Required:** Run `gh aw compile` to regenerate the lock file.\n\n");
+                await summary.write();
+              } else if (workflowCommit.sha === lockCommit.sha) {
+                core.info("✅ Lock file is up to date (same commit)");
+              } else {
+                core.info("✅ Lock file is up to date");
+              }
+            }
+            main().catch(error => {
+              core.setFailed(error instanceof Error ? error.message : String(error));
+            });
       - name: Lock issue for agent workflow
         id: lock-issue
         if: (github.event_name == 'issues') || (github.event_name == 'issue_comment')
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
-            global.core = core;
-            global.github = github;
-            global.context = context;
-            global.exec = exec;
-            global.io = io;
-            require('/tmp/gh-aw/actions/activation/lock-issue.cjs');
+            async function main() {
+              core.info(`Lock-issue debug: actor=${context.actor}, eventName=${context.eventName}`);
+              const issueNumber = context.issue.number;
+              if (!issueNumber) {
+                core.setFailed("Issue number not found in context");
+                return;
+              }
+              const owner = context.repo.owner;
+              const repo = context.repo.repo;
+              core.info(`Lock-issue debug: owner=${owner}, repo=${repo}, issueNumber=${issueNumber}`);
+              try {
+                core.info(`Checking if issue #${issueNumber} is already locked`);
+                const { data: issue } = await github.rest.issues.get({
+                  owner,
+                  repo,
+                  issue_number: issueNumber,
+                });
+                if (issue.locked) {
+                  core.info(`ℹ️ Issue #${issueNumber} is already locked, skipping lock operation`);
+                  core.setOutput("locked", "false");
+                  return;
+                }
+                core.info(`Locking issue #${issueNumber} for agent workflow execution`);
+                await github.rest.issues.lock({
+                  owner,
+                  repo,
+                  issue_number: issueNumber,
+                });
+                core.info(`✅ Successfully locked issue #${issueNumber}`);
+                core.setOutput("locked", "true");
+              } catch (error) {
+                const errorMessage = error instanceof Error ? error.message : String(error);
+                core.error(`Failed to lock issue: ${errorMessage}`);
+                core.setFailed(`Failed to lock issue #${issueNumber}: ${errorMessage}`);
+                core.setOutput("locked", "false");
+              }
+            }
+            await main();
 
   agent:
     needs: activation
@@ -6549,10 +6650,6 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
-      - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
-        with:
-          destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
         id: check_membership
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml
index 466e2256ad4..da8cfec614e 100644
--- a/.github/workflows/changeset.lock.yml
+++ b/.github/workflows/changeset.lock.yml
@@ -66,8 +66,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6313,8 +6318,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml
index 30d3aef108d..8bc605e24d3 100644
--- a/.github/workflows/ci-coach.lock.yml
+++ b/.github/workflows/ci-coach.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml
index 285b5e540f0..f091b76be23 100644
--- a/.github/workflows/ci-doctor.lock.yml
+++ b/.github/workflows/ci-doctor.lock.yml
@@ -59,8 +59,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6706,8 +6711,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_stop_time.outputs.stop_time_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml
index 7d75070d211..b922e14eda3 100644
--- a/.github/workflows/cli-consistency-checker.lock.yml
+++ b/.github/workflows/cli-consistency-checker.lock.yml
@@ -43,8 +43,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml
index 5dec627bd5f..41d3864502c 100644
--- a/.github/workflows/cli-version-checker.lock.yml
+++ b/.github/workflows/cli-version-checker.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index 1949ef7249c..99102662f61 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -92,8 +92,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6594,8 +6599,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/close-old-discussions.lock.yml b/.github/workflows/close-old-discussions.lock.yml
index c7f9471b75b..cf587c6f35f 100644
--- a/.github/workflows/close-old-discussions.lock.yml
+++ b/.github/workflows/close-old-discussions.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml
index c1bc741ee91..492cb760ebd 100644
--- a/.github/workflows/commit-changes-analyzer.lock.yml
+++ b/.github/workflows/commit-changes-analyzer.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
index d1dce734b03..65d7fa24fad 100644
--- a/.github/workflows/copilot-agent-analysis.lock.yml
+++ b/.github/workflows/copilot-agent-analysis.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml
index c5c62772ea8..39221488f89 100644
--- a/.github/workflows/copilot-pr-merged-report.lock.yml
+++ b/.github/workflows/copilot-pr-merged-report.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
index dbb27f56eb7..5a0f4b7c174 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
index d0fcc4016bd..482a0826338 100644
--- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
index 8cf6b11af73..4543444ad88 100644
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -52,8 +52,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index 07d9c0ce728..5b9b8daea0a 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -54,8 +54,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6759,8 +6764,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml
index 52452fafabc..1a7f1dc9f6e 100644
--- a/.github/workflows/daily-assign-issue-to-user.lock.yml
+++ b/.github/workflows/daily-assign-issue-to-user.lock.yml
@@ -43,8 +43,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
index 9099b75763c..c90f4ed4f82 100644
--- a/.github/workflows/daily-code-metrics.lock.yml
+++ b/.github/workflows/daily-code-metrics.lock.yml
@@ -49,8 +49,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml
index 317ce497707..da41aea54a2 100644
--- a/.github/workflows/daily-copilot-token-report.lock.yml
+++ b/.github/workflows/daily-copilot-token-report.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index 08faa836d35..500f4c6847a 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml
index ec931a84a62..c7998f5b8e1 100644
--- a/.github/workflows/daily-fact.lock.yml
+++ b/.github/workflows/daily-fact.lock.yml
@@ -43,8 +43,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml
index 8be3a098bd0..0f823858824 100644
--- a/.github/workflows/daily-file-diet.lock.yml
+++ b/.github/workflows/daily-file-diet.lock.yml
@@ -53,8 +53,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7487,8 +7492,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml
index fd49b02eee1..bcb6443981c 100644
--- a/.github/workflows/daily-firewall-report.lock.yml
+++ b/.github/workflows/daily-firewall-report.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml
index 44492a64603..684110dc439 100644
--- a/.github/workflows/daily-issues-report.lock.yml
+++ b/.github/workflows/daily-issues-report.lock.yml
@@ -52,8 +52,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml
index 7d04826c2e3..373a9b23b59 100644
--- a/.github/workflows/daily-malicious-code-scan.lock.yml
+++ b/.github/workflows/daily-malicious-code-scan.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml
index 9ea34f83804..9d47f1cdf57 100644
--- a/.github/workflows/daily-multi-device-docs-tester.lock.yml
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml
@@ -49,8 +49,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
index b51f5c2d132..a2c70c41e5e 100644
--- a/.github/workflows/daily-news.lock.yml
+++ b/.github/workflows/daily-news.lock.yml
@@ -51,8 +51,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index ba7ae1f94ce..810f24e07ee 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml
index 0fc925540c4..f37056a81e2 100644
--- a/.github/workflows/daily-repo-chronicle.lock.yml
+++ b/.github/workflows/daily-repo-chronicle.lock.yml
@@ -49,8 +49,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml
index fc8d5cfb206..1fe403a0bd7 100644
--- a/.github/workflows/daily-workflow-updater.lock.yml
+++ b/.github/workflows/daily-workflow-updater.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
index 3b5051dea8f..40f14b7a1aa 100644
--- a/.github/workflows/deep-report.lock.yml
+++ b/.github/workflows/deep-report.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml
index 96c0ef7a52e..51db8a9412e 100644
--- a/.github/workflows/dependabot-go-checker.lock.yml
+++ b/.github/workflows/dependabot-go-checker.lock.yml
@@ -43,8 +43,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml
index 0c0dd4f87e7..95d9420a41f 100644
--- a/.github/workflows/dev-hawk.lock.yml
+++ b/.github/workflows/dev-hawk.lock.yml
@@ -58,8 +58,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6552,8 +6557,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index 9efc2a4f437..85f8046f467 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -45,8 +45,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index 455c1b3c67c..eb61928d889 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml
index 123ec4e529f..885d4d48f6e 100644
--- a/.github/workflows/dictation-prompt.lock.yml
+++ b/.github/workflows/dictation-prompt.lock.yml
@@ -47,8 +47,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml
index f2b6845cefa..411499f414a 100644
--- a/.github/workflows/docs-noob-tester.lock.yml
+++ b/.github/workflows/docs-noob-tester.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml
index f50e690ced1..ac66a49678a 100644
--- a/.github/workflows/duplicate-code-detector.lock.yml
+++ b/.github/workflows/duplicate-code-detector.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml
index 80e45bdcfb6..22810ffd537 100644
--- a/.github/workflows/example-permissions-warning.lock.yml
+++ b/.github/workflows/example-permissions-warning.lock.yml
@@ -41,8 +41,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml
index e13352f32ea..ba128b7496d 100644
--- a/.github/workflows/example-workflow-analyzer.lock.yml
+++ b/.github/workflows/example-workflow-analyzer.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml
index 9819dab22da..4599d812d67 100644
--- a/.github/workflows/firewall-escape.lock.yml
+++ b/.github/workflows/firewall-escape.lock.yml
@@ -54,8 +54,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -2937,8 +2942,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml
index 8890bdd0c1b..573c3946968 100644
--- a/.github/workflows/firewall.lock.yml
+++ b/.github/workflows/firewall.lock.yml
@@ -41,8 +41,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml
index 900f0e9dc01..6cafecc7105 100644
--- a/.github/workflows/github-mcp-structural-analysis.lock.yml
+++ b/.github/workflows/github-mcp-structural-analysis.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 9b0255ea488..0d029f2933e 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
index e234080ebca..a4736bf299a 100644
--- a/.github/workflows/glossary-maintainer.lock.yml
+++ b/.github/workflows/glossary-maintainer.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml
index 5d117dcd90a..c50b1574a61 100644
--- a/.github/workflows/go-fan.lock.yml
+++ b/.github/workflows/go-fan.lock.yml
@@ -47,8 +47,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml b/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
index d41de07fc0b..3f7672fbcbe 100644
--- a/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
+++ b/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
@@ -43,8 +43,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-file-size-reduction.campaign.g.lock.yml b/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
index 402e5a86c50..69f8ab5abf5 100644
--- a/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
+++ b/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
@@ -43,8 +43,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index b66f940852e..d4aedd2ca06 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index 88651416f05..90d88ec1957 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -47,8 +47,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml
index 48eb274c883..f18cb0458e0 100644
--- a/.github/workflows/grumpy-reviewer.lock.yml
+++ b/.github/workflows/grumpy-reviewer.lock.yml
@@ -59,8 +59,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6691,8 +6696,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml
index 606debe479a..f666f9da355 100644
--- a/.github/workflows/hourly-ci-cleaner.lock.yml
+++ b/.github/workflows/hourly-ci-cleaner.lock.yml
@@ -47,8 +47,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/human-ai-collaboration.lock.yml b/.github/workflows/human-ai-collaboration.lock.yml
index 26abf913361..1867aed0807 100644
--- a/.github/workflows/human-ai-collaboration.lock.yml
+++ b/.github/workflows/human-ai-collaboration.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml
index 3780adcdded..b8aee8b3940 100644
--- a/.github/workflows/incident-response.lock.yml
+++ b/.github/workflows/incident-response.lock.yml
@@ -59,8 +59,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index f71e7269fea..4e6ebd9a314 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/intelligence.lock.yml b/.github/workflows/intelligence.lock.yml
index 89b473bc767..530a60e2ae0 100644
--- a/.github/workflows/intelligence.lock.yml
+++ b/.github/workflows/intelligence.lock.yml
@@ -59,8 +59,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml
index 0523acc0e8a..50e1f9dc551 100644
--- a/.github/workflows/issue-arborist.lock.yml
+++ b/.github/workflows/issue-arborist.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml
index daa78d38a86..c67f6397547 100644
--- a/.github/workflows/issue-classifier.lock.yml
+++ b/.github/workflows/issue-classifier.lock.yml
@@ -55,8 +55,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -4454,8 +4459,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
index 8988e39203d..cdbc18d6f19 100644
--- a/.github/workflows/issue-monster.lock.yml
+++ b/.github/workflows/issue-monster.lock.yml
@@ -51,8 +51,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6615,8 +6620,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml
index 4e25903a87f..98bccd8dc9c 100644
--- a/.github/workflows/issue-triage-agent.lock.yml
+++ b/.github/workflows/issue-triage-agent.lock.yml
@@ -42,8 +42,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml
index b6c192610dd..854fc10a5be 100644
--- a/.github/workflows/jsweep.lock.yml
+++ b/.github/workflows/jsweep.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml
index 290825efee3..d4f1c9efe79 100644
--- a/.github/workflows/layout-spec-maintainer.lock.yml
+++ b/.github/workflows/layout-spec-maintainer.lock.yml
@@ -45,8 +45,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index 55e5235f1e7..c554ae67e68 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -49,7 +49,7 @@ jobs:
       comment_repo: ""
     steps:
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: githubnext/gh-aw/actions/setup-activation@da672d6-dirty
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml
index b4cfd040dac..2ec12885329 100644
--- a/.github/workflows/mcp-inspector.lock.yml
+++ b/.github/workflows/mcp-inspector.lock.yml
@@ -63,8 +63,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml
index 93672c18f41..e83d5a0af0a 100644
--- a/.github/workflows/mergefest.lock.yml
+++ b/.github/workflows/mergefest.lock.yml
@@ -53,8 +53,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6792,8 +6797,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml
index 84e318056ef..f0a969649d8 100644
--- a/.github/workflows/notion-issue-summary.lock.yml
+++ b/.github/workflows/notion-issue-summary.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml
index f91ad5c8fdf..84a74f39be8 100644
--- a/.github/workflows/org-health-report.lock.yml
+++ b/.github/workflows/org-health-report.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml
index cc730e9d726..e63ad301560 100644
--- a/.github/workflows/org-wide-rollout.lock.yml
+++ b/.github/workflows/org-wide-rollout.lock.yml
@@ -66,8 +66,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml
index e2ea96e4ea0..9e5b1f50af5 100644
--- a/.github/workflows/pdf-summary.lock.yml
+++ b/.github/workflows/pdf-summary.lock.yml
@@ -76,8 +76,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6683,8 +6688,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml
index 0e6bbd1f0ee..fbc1ae1436a 100644
--- a/.github/workflows/plan.lock.yml
+++ b/.github/workflows/plan.lock.yml
@@ -58,8 +58,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6715,8 +6720,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index ecb7ed28f79..469b43a4c3a 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -61,8 +61,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7128,8 +7133,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml
index d93aa5e6d54..a07412344d3 100644
--- a/.github/workflows/portfolio-analyst.lock.yml
+++ b/.github/workflows/portfolio-analyst.lock.yml
@@ -51,8 +51,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml
index c275bd7c403..ab1bada4d46 100644
--- a/.github/workflows/pr-nitpick-reviewer.lock.yml
+++ b/.github/workflows/pr-nitpick-reviewer.lock.yml
@@ -85,8 +85,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7076,8 +7081,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml
index 3b1a6810105..ee0d7120755 100644
--- a/.github/workflows/prompt-clustering-analysis.lock.yml
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml
@@ -54,8 +54,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml
index 438bd58faff..eade9aa65e5 100644
--- a/.github/workflows/python-data-charts.lock.yml
+++ b/.github/workflows/python-data-charts.lock.yml
@@ -47,8 +47,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index 94df74cf2fa..25026fbf32a 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -87,8 +87,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7050,8 +7055,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index dc2d334c0c4..49accca3ad4 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -45,8 +45,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6591,8 +6596,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml
index 44f558b5627..a7cd71775cd 100644
--- a/.github/workflows/repo-tree-map.lock.yml
+++ b/.github/workflows/repo-tree-map.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml
index 7477b700064..61f238d178c 100644
--- a/.github/workflows/repository-quality-improver.lock.yml
+++ b/.github/workflows/repository-quality-improver.lock.yml
@@ -47,8 +47,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml
index feb923fa47b..dfbaee71aa3 100644
--- a/.github/workflows/research.lock.yml
+++ b/.github/workflows/research.lock.yml
@@ -51,8 +51,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml
index 3428117597c..82af361442c 100644
--- a/.github/workflows/safe-output-health.lock.yml
+++ b/.github/workflows/safe-output-health.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml
index b4874063026..ebe55b2f03f 100644
--- a/.github/workflows/schema-consistency-checker.lock.yml
+++ b/.github/workflows/schema-consistency-checker.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml
index be2046c387d..ca9a02eb588 100644
--- a/.github/workflows/scout.lock.yml
+++ b/.github/workflows/scout.lock.yml
@@ -102,8 +102,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6560,8 +6565,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml
index 3cd60d741c2..c21b38c6393 100644
--- a/.github/workflows/security-compliance.lock.yml
+++ b/.github/workflows/security-compliance.lock.yml
@@ -53,8 +53,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml
index 10f266816e6..d5e69c115b1 100644
--- a/.github/workflows/security-fix-pr.lock.yml
+++ b/.github/workflows/security-fix-pr.lock.yml
@@ -52,8 +52,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6211,8 +6216,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml
index a61f26d5ed1..c5ef3f6f5df 100644
--- a/.github/workflows/semantic-function-refactor.lock.yml
+++ b/.github/workflows/semantic-function-refactor.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml
index 773b140b90a..da0725986a9 100644
--- a/.github/workflows/slide-deck-maintainer.lock.yml
+++ b/.github/workflows/slide-deck-maintainer.lock.yml
@@ -51,8 +51,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6763,8 +6768,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index b092b77bc5d..aa48eaa6648 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -62,8 +62,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6383,8 +6388,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index a8d76ef0cf8..28eff4ee886 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -58,8 +58,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6280,8 +6285,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml
index 6b8b1a99020..e61a75f61fe 100644
--- a/.github/workflows/smoke-copilot-no-firewall.lock.yml
+++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml
@@ -62,8 +62,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7786,8 +7791,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml
index 73d34ae6282..b73bbb8605f 100644
--- a/.github/workflows/smoke-copilot-playwright.lock.yml
+++ b/.github/workflows/smoke-copilot-playwright.lock.yml
@@ -62,8 +62,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -8081,8 +8086,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-copilot-safe-inputs.lock.yml b/.github/workflows/smoke-copilot-safe-inputs.lock.yml
index 2f6480c5dfb..4d6253abb32 100644
--- a/.github/workflows/smoke-copilot-safe-inputs.lock.yml
+++ b/.github/workflows/smoke-copilot-safe-inputs.lock.yml
@@ -62,8 +62,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -7785,8 +7790,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index d66db2ac8b9..395d4585ede 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -59,7 +59,7 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: githubnext/gh-aw/actions/setup-activation@da672d6-dirty
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6604,7 +6604,7 @@ jobs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: githubnext/gh-aw/actions/setup-activation@da672d6-dirty
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml
index 6d3fda1303e..ac5acfacba5 100644
--- a/.github/workflows/smoke-detector.lock.yml
+++ b/.github/workflows/smoke-detector.lock.yml
@@ -78,8 +78,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6496,8 +6501,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/smoke-srt-custom-config.lock.yml b/.github/workflows/smoke-srt-custom-config.lock.yml
index 1ade1c51b50..350a66e3070 100644
--- a/.github/workflows/smoke-srt-custom-config.lock.yml
+++ b/.github/workflows/smoke-srt-custom-config.lock.yml
@@ -41,8 +41,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/smoke-srt.lock.yml b/.github/workflows/smoke-srt.lock.yml
index befeb30ce7c..6e969d1feff 100644
--- a/.github/workflows/smoke-srt.lock.yml
+++ b/.github/workflows/smoke-srt.lock.yml
@@ -51,8 +51,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6375,8 +6380,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml
index 546dd6d1b48..073a2fbe657 100644
--- a/.github/workflows/spec-kit-execute.lock.yml
+++ b/.github/workflows/spec-kit-execute.lock.yml
@@ -43,8 +43,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml
index d8113a8fae0..a57d3f8d834 100644
--- a/.github/workflows/spec-kit-executor.lock.yml
+++ b/.github/workflows/spec-kit-executor.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/speckit-dispatcher.lock.yml b/.github/workflows/speckit-dispatcher.lock.yml
index 556ce7f4163..f401f310af0 100644
--- a/.github/workflows/speckit-dispatcher.lock.yml
+++ b/.github/workflows/speckit-dispatcher.lock.yml
@@ -81,8 +81,13 @@ jobs:
       reaction_id: ${{ steps.react.outputs.reaction-id }}
       text: ${{ steps.compute-text.outputs.text }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6962,8 +6967,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml
index cd6ecc0ea2d..54063034168 100644
--- a/.github/workflows/stale-repo-identifier.lock.yml
+++ b/.github/workflows/stale-repo-identifier.lock.yml
@@ -59,8 +59,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index c8f00cf99db..eda3e040cac 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -49,8 +49,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml
index ab4114f659c..7c1c5bb7947 100644
--- a/.github/workflows/sub-issue-closer.lock.yml
+++ b/.github/workflows/sub-issue-closer.lock.yml
@@ -44,8 +44,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml
index c7e0b5e9a3a..be6e8971621 100644
--- a/.github/workflows/super-linter.lock.yml
+++ b/.github/workflows/super-linter.lock.yml
@@ -47,8 +47,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
index 9ed11c01069..b9edaa0c384 100644
--- a/.github/workflows/technical-doc-writer.lock.yml
+++ b/.github/workflows/technical-doc-writer.lock.yml
@@ -51,8 +51,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml
index 8cb68a974aa..5181d46f9d2 100644
--- a/.github/workflows/tidy.lock.yml
+++ b/.github/workflows/tidy.lock.yml
@@ -63,8 +63,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6598,8 +6603,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml
index b318c263319..3c862a0ddbf 100644
--- a/.github/workflows/typist.lock.yml
+++ b/.github/workflows/typist.lock.yml
@@ -47,8 +47,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml
index 9f05032dc68..5315608e9cf 100644
--- a/.github/workflows/unbloat-docs.lock.yml
+++ b/.github/workflows/unbloat-docs.lock.yml
@@ -61,8 +61,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6594,8 +6599,13 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for command workflow
diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml
index 6aca9226873..e35980372a1 100644
--- a/.github/workflows/video-analyzer.lock.yml
+++ b/.github/workflows/video-analyzer.lock.yml
@@ -50,8 +50,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml
index 965ce452804..5dbabacf19f 100644
--- a/.github/workflows/weekly-issue-summary.lock.yml
+++ b/.github/workflows/weekly-issue-summary.lock.yml
@@ -49,8 +49,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.gitignore b/.gitignore
index d6c4bd452e3..b59f4e408d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -118,4 +118,4 @@ test-runs/
 gosec-report.json
 gosec-results.sarif
 govulncheck-results.sarif
-trivy-results.sarif
\ No newline at end of file
+trivy-results.sarifactions/setup-safe-outputs/js/
diff --git a/actions/setup-safe-outputs/README.md b/actions/setup-safe-outputs/README.md
index d751077a268..c17527289eb 100644
--- a/actions/setup-safe-outputs/README.md
+++ b/actions/setup-safe-outputs/README.md
@@ -47,10 +47,10 @@ steps:
 
 ## Development
 
-This action is built from source files in `src/` using the build tooling:
+This action uses a bash script to copy JavaScript files from the `js/` directory. The files are generated during the build process:
 
 ```bash
 make actions-build
 ```
 
-The build process embeds all required JavaScript files into the bundled `index.js`.
+The build process copies all required JavaScript files from `pkg/workflow/js/` to `actions/setup-safe-outputs/js/`, and the bash script (`copy-files.sh`) copies them to the destination at runtime.
diff --git a/actions/setup-safe-outputs/action.yml b/actions/setup-safe-outputs/action.yml
index da2e38429fb..bcf1ad8f614 100644
--- a/actions/setup-safe-outputs/action.yml
+++ b/actions/setup-safe-outputs/action.yml
@@ -13,8 +13,13 @@ outputs:
     description: 'Number of files copied'
   
 runs:
-  using: 'node20'
-  main: 'index.js'
+  using: 'composite'
+  steps:
+    - name: Copy safe-outputs files
+      shell: bash
+      run: ${{ github.action_path }}/copy-files.sh
+      env:
+        INPUT_DESTINATION: ${{ inputs.destination }}
 
 branding:
   icon: 'copy'
diff --git a/actions/setup-safe-outputs/copy-files.sh b/actions/setup-safe-outputs/copy-files.sh
new file mode 100755
index 00000000000..39fd9e6e07c
--- /dev/null
+++ b/actions/setup-safe-outputs/copy-files.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Safe Outputs Copy Action
+# Copies safe-outputs MCP server files to the agent environment
+
+set -e
+
+# Get destination from input or use default
+DESTINATION="${INPUT_DESTINATION:-/tmp/gh-aw/safeoutputs}"
+
+echo "Copying safe-outputs files to ${DESTINATION}"
+
+# Create destination directory if it doesn't exist
+mkdir -p "${DESTINATION}"
+echo "Created directory: ${DESTINATION}"
+
+# Define the list of files to copy
+FILES=(
+  "safe_outputs_mcp_server.cjs"
+  "safe_outputs_bootstrap.cjs"
+  "safe_outputs_tools_loader.cjs"
+  "safe_outputs_config.cjs"
+  "safe_outputs_handlers.cjs"
+  "safe_outputs_tools.json"
+  "mcp_server_core.cjs"
+  "mcp_logger.cjs"
+  "messages.cjs"
+)
+
+# Source directory for the JavaScript files
+# When running in GitHub Actions, these files are in the workflow/js directory
+SOURCE_DIR="${GITHUB_ACTION_PATH}/js"
+
+FILE_COUNT=0
+
+# Copy each file
+for file in "${FILES[@]}"; do
+  if [ -f "${SOURCE_DIR}/${file}" ]; then
+    cp "${SOURCE_DIR}/${file}" "${DESTINATION}/${file}"
+    echo "Copied: ${file}"
+    FILE_COUNT=$((FILE_COUNT + 1))
+  else
+    echo "Warning: File not found: ${SOURCE_DIR}/${file}"
+  fi
+done
+
+# Set output
+echo "files-copied=${FILE_COUNT}" >> "${GITHUB_OUTPUT}"
+echo "✓ Successfully copied ${FILE_COUNT} files"
diff --git a/actions/setup-safe-outputs/index.js b/actions/setup-safe-outputs/index.js
deleted file mode 100644
index 0ee26ddc569..00000000000
--- a/actions/setup-safe-outputs/index.js
+++ /dev/null
@@ -1,51 +0,0 @@
-// Safe Outputs Copy Action
-// Copies safe-outputs MCP server files to the agent environment
-
-const core = require('@actions/core');
-const fs = require('fs');
-const path = require('path');
-
-// Embedded safe-outputs files will be inserted here during build
-const FILES = {
-    "mcp_logger.cjs": "// @ts-check\n/// \u003creference types=\"@actions/github-script\" /\u003e\n\n/**\n * MCP Logger Utility\n *\n * This module provides logger creation utilities for MCP servers.\n * It creates logger objects with debug and debugError methods that write\n * timestamped messages to stderr.\n *\n * Usage:\n *   const { createLogger } = require(\"./mcp_logger.cjs\");\n *   const logger = createLogger(\"my-server\");\n *   logger.debug(\"Server started\");\n *   logger.debugError(\"Error: \", new Error(\"Something went wrong\"));\n */\n\n/**\n * Create a logger object with debug and debugError methods\n * @param {string} serverName - Name to include in log messages\n * @returns {Object} Logger object with debug and debugError methods\n */\nfunction createLogger(serverName) {\n  const logger = {\n    /**\n     * Log a debug message to stderr with timestamp\n     * @param {string} msg - Message to log\n     */\n    debug: msg =\u003e {\n      const timestamp = new Date().toISOString();\n      process.stderr.write(`[] [] \\n`);\n    },\n\n    /**\n     * Log an error with optional stack trace\n     * @param {string} prefix - Prefix for the error message\n     * @param {Error|string|any} error - Error object or message\n     */\n    debugError: (prefix, error) =\u003e {\n      const errorMessage = error instanceof Error ? error.message : String(error);\n      logger.debug(``);\n      if (error instanceof Error \u0026\u0026 error.stack) {\n        logger.debug(`Stack trace: ${error.stack}`);\n      }\n    },\n  };\n\n  return logger;\n}\n\nmodule.exports = {\n  createLogger,\n};\n",
-    "mcp_server_core.cjs": "// @ts-check\n/// \u003creference types=\"@actions/github-script\" /\u003e\n\n/**\n * MCP Server Core Module\n *\n * This module provides a reusable API for creating MCP (Model Context Protocol) servers.\n * It handles JSON-RPC 2.0 message parsing, tool registration, and server lifecycle.\n *\n * Usage:\n *   const { createServer, registerTool, start } = require(\"./mcp_server_core.cjs\");\n *\n *   const server = createServer({ name: \"my-server\", version: \"1.0.0\" });\n *   registerTool(server, {\n *     name: \"my_tool\",\n *     description: \"A tool\",\n *     inputSchema: { type: \"object\", properties: {} },\n *     handler: (args) =\u003e ({ content: [{ type: \"text\", text: \"result\" }] })\n *   });\n *   start(server);\n */\n\nconst fs = require(\"fs\");\nconst path = require(\"path\");\n\nconst { ReadBuffer } = require(\"./read_buffer.cjs\");\nconst { validateRequiredFields } = require(\"./safe_inputs_validation.cjs\");\n\nconst encoder = new TextEncoder();\n\n/**\n * @typedef {Object} ServerInfo\n * @property {string} name - Server name\n * @property {string} version - Server version\n */\n\n/**\n * @typedef {Object} Tool\n * @property {string} name - Tool name\n * @property {string} description - Tool description\n * @property {Object} inputSchema - JSON Schema for tool inputs\n * @property {Function} [handler] - Tool handler function\n * @property {string} [handlerPath] - Optional file path to handler module (original path from config)\n * @property {number} [timeout] - Timeout in seconds for tool execution (default: 60)\n */\n\n/**\n * @typedef {Object} MCPServer\n * @property {ServerInfo} serverInfo - Server information\n * @property {Object\u003cstring, Tool\u003e} tools - Registered tools\n * @property {Function} debug - Debug logging function\n * @property {Function} debugError - Debug logging function for errors (extracts message from Error objects)\n * @property {Function} writeMessage - Write message to stdout\n * @property {Function} replyResult - Send a result response\n * @property {Function} replyError - Send an error response\n * @property {ReadBuffer} readBuffer - Message buffer\n * @property {string} [logDir] - Optional log directory\n * @property {string} [logFilePath] - Optional log file path\n * @property {boolean} logFileInitialized - Whether log file has been initialized\n */\n\n/**\n * Initialize log file for the server\n * @param {MCPServer} server - The MCP server instance\n */\nfunction initLogFile(server) {\n  if (server.logFileInitialized || !server.logDir || !server.logFilePath) return;\n  try {\n    if (!fs.existsSync(server.logDir)) {\n      fs.mkdirSync(server.logDir, { recursive: true });\n    }\n    // Initialize/truncate log file with header\n    const timestamp = new Date().toISOString();\n    fs.writeFileSync(server.logFilePath, `# ${server.serverInfo.name} MCP Server Log\\n# Started: \\n# Version: ${server.serverInfo.version}\\n\\n`);\n    server.logFileInitialized = true;\n  } catch {\n    // Silently ignore errors - logging to stderr will still work\n  }\n}\n\n/**\n * Create a debug function for the server\n * @param {MCPServer} server - The MCP server instance\n * @returns {Function} Debug function\n */\nfunction createDebugFunction(server) {\n  return msg =\u003e {\n    const timestamp = new Date().toISOString();\n    const formattedMsg = `[] [${server.serverInfo.name}] \\n`;\n\n    // Always write to stderr\n    process.stderr.write(formattedMsg);\n\n    // Also write to log file if log directory is set (initialize on first use)\n    if (server.logDir \u0026\u0026 server.logFilePath) {\n      if (!server.logFileInitialized) {\n        initLogFile(server);\n      }\n      if (server.logFileInitialized) {\n        try {\n          fs.appendFileSync(server.logFilePath, formattedMsg);\n        } catch {\n          // Silently ignore file write errors - stderr logging still works\n        }\n      }\n    }\n  };\n}\n\n/**\n * Create a debugError function for the server that handles error casting\n * @param {MCPServer} server - The MCP server instance\n * @returns {Function} Debug error function that extracts message from Error objects\n */\nfunction createDebugErrorFunction(server) {\n  return (prefix, error) =\u003e {\n    const errorMessage = error instanceof Error ? error.message : String(error);\n    server.debug(``);\n    if (error instanceof Error \u0026\u0026 error.stack) {\n      server.debug(`Stack trace: ${error.stack}`);\n    }\n  };\n}\n\n/**\n * Create a writeMessage function for the server\n * @param {MCPServer} server - The MCP server instance\n * @returns {Function} Write message function\n */\nfunction createWriteMessageFunction(server) {\n  return obj =\u003e {\n    const json = JSON.stringify(obj);\n    server.debug(`send: `);\n    const message = json + \"\\n\";\n    const bytes = encoder.encode(message);\n    fs.writeSync(1, bytes);\n  };\n}\n\n/**\n * Create a replyResult function for the server\n * @param {MCPServer} server - The MCP server instance\n * @returns {Function} Reply result function\n */\nfunction createReplyResultFunction(server) {\n  return (id, result) =\u003e {\n    if (id === undefined || id === null) return; // notification\n    const res = { jsonrpc: \"2.0\", id, result };\n    server.writeMessage(res);\n  };\n}\n\n/**\n * Create a replyError function for the server\n * @param {MCPServer} server - The MCP server instance\n * @returns {Function} Reply error function\n */\nfunction createReplyErrorFunction(server) {\n  return (id, code, message) =\u003e {\n    // Don't send error responses for notifications (id is null/undefined)\n    if (id === undefined || id === null) {\n      server.debug(`Error for notification: `);\n      return;\n    }\n\n    const error = { code, message };\n    const res = {\n      jsonrpc: \"2.0\",\n      id,\n      error,\n    };\n    server.writeMessage(res);\n  };\n}\n\n/**\n * Create a new MCP server instance\n * @param {ServerInfo} serverInfo - Server information (name and version)\n * @param {Object} [options] - Optional server configuration\n * @param {string} [options.logDir] - Directory for log file (optional)\n * @returns {MCPServer} The MCP server instance\n */\nfunction createServer(serverInfo, options = {}) {\n  const logDir = options.logDir || undefined;\n  const logFilePath = logDir ? path.join(logDir, \"server.log\") : undefined;\n\n  /** @type {MCPServer} */\n  const server = {\n    serverInfo,\n    tools: {},\n    debug: () =\u003e {}, // placeholder\n    debugError: () =\u003e {}, // placeholder\n    writeMessage: () =\u003e {}, // placeholder\n    replyResult: () =\u003e {}, // placeholder\n    replyError: () =\u003e {}, // placeholder\n    readBuffer: new ReadBuffer(),\n    logDir,\n    logFilePath,\n    logFileInitialized: false,\n  };\n\n  // Initialize functions with references to server\n  server.debug = createDebugFunction(server);\n  server.debugError = createDebugErrorFunction(server);\n  server.writeMessage = createWriteMessageFunction(server);\n  server.replyResult = createReplyResultFunction(server);\n  server.replyError = createReplyErrorFunction(server);\n\n  return server;\n}\n\n/**\n * Create a wrapped handler function that normalizes results to MCP format.\n * Extracted to avoid creating closures with excessive scope in loadToolHandlers.\n *\n * @param {MCPServer} server - The MCP server instance for logging\n * @param {string} toolName - Name of the tool for logging purposes\n * @param {Function} handlerFn - The original handler function to wrap\n * @returns {Function} Wrapped async handler function\n */\nfunction createWrappedHandler(server, toolName, handlerFn) {\n  return async args =\u003e {\n    server.debug(`  [] Invoking handler with args: ${JSON.stringify(args)}`);\n\n    try {\n      // Call the handler (may be sync or async)\n      const result = await Promise.resolve(handlerFn(args));\n      server.debug(`  [] Handler returned result type: ${typeof result}`);\n\n      // If the result is already in MCP format (has content array), return as-is\n      if (result \u0026\u0026 typeof result === \"object\" \u0026\u0026 Array.isArray(result.content)) {\n        server.debug(`  [] Result is already in MCP format`);\n        return result;\n      }\n\n      // Otherwise, serialize the result to text\n      // Use try-catch for serialization to handle circular references and non-serializable values\n      let serializedResult;\n      try {\n        serializedResult = JSON.stringify(result);\n      } catch (serializationError) {\n        server.debugError(`  [] Serialization error: `, serializationError);\n        // Fall back to String() for non-serializable values\n        serializedResult = String(result);\n      }\n      server.debug(`  [] Serialized result: ${serializedResult.substring(0, 200)}${serializedResult.length \u003e 200 ? \"...\" : \"\"}`);\n\n      return {\n        content: [\n          {\n            type: \"text\",\n            text: serializedResult,\n          },\n        ],\n      };\n    } catch (error) {\n      server.debugError(`  [] Handler threw error: `, error);\n      throw error;\n    }\n  };\n}\n\n/**\n * Load handler functions from file paths specified in tools configuration.\n * This function iterates through tools and loads handler modules based on file extension:\n *\n * For JavaScript handlers (.js, .cjs, .mjs):\n *   - Uses require() to load the module\n *   - Handler must export a function as default export\n *   - Handler signature: async function handler(args: Record\u003cstring, unknown\u003e): Promise\u003cunknown\u003e\n *\n * For Shell script handlers (.sh):\n *   - Uses GitHub Actions convention for passing inputs/outputs\n *   - Inputs are passed as environment variables prefixed with INPUT_ (uppercased)\n *   - Outputs are read from GITHUB_OUTPUT file (key=value format per line)\n *   - Returns: { stdout, stderr, outputs }\n *\n * For Python script handlers (.py):\n *   - Uses GitHub Actions convention for passing inputs/outputs\n *   - Inputs are passed as environment variables prefixed with INPUT_ (uppercased)\n *   - Outputs are read from GITHUB_OUTPUT file (key=value format per line)\n *   - Executed using python3 command\n *   - Returns: { stdout, stderr, outputs }\n *\n * SECURITY NOTE: Handler paths are loaded from tools.json configuration file,\n * which should be controlled by the server administrator. When basePath is provided,\n * relative paths are resolved within it, preventing directory traversal outside\n * the intended directory. Absolute paths bypass this validation but are still\n * logged for auditing purposes.\n *\n * @param {MCPServer} server - The MCP server instance for logging\n * @param {Array\u003cObject\u003e} tools - Array of tool configurations from tools.json\n * @param {string} [basePath] - Optional base path for resolving relative handler paths.\n *                              When provided, relative paths are validated to be within this directory.\n * @returns {Array\u003cObject\u003e} The tools array with loaded handlers attached\n */\nfunction loadToolHandlers(server, tools, basePath) {\n  server.debug(`Loading tool handlers...`);\n  server.debug(`  Total tools to process: ${tools.length}`);\n  server.debug(`  Base path: ${basePath || \"(not specified)\"}`);\n\n  let loadedCount = 0;\n  let skippedCount = 0;\n  let errorCount = 0;\n\n  for (const tool of tools) {\n    const toolName = tool.name || \"(unnamed)\";\n\n    // Check if tool has a handler path specified\n    if (!tool.handler) {\n      server.debug(`  [] No handler path specified, skipping handler load`);\n      skippedCount++;\n      continue;\n    }\n\n    const handlerPath = tool.handler;\n    server.debug(`  [] Handler path specified: `);\n\n    // Resolve the handler path\n    let resolvedPath = handlerPath;\n    if (basePath \u0026\u0026 !path.isAbsolute(handlerPath)) {\n      resolvedPath = path.resolve(basePath, handlerPath);\n      server.debug(`  [] Resolved relative path to: `);\n\n      // Security validation: Ensure resolved path is within basePath to prevent directory traversal\n      const normalizedBase = path.resolve(basePath);\n      const normalizedResolved = path.resolve(resolvedPath);\n      if (!normalizedResolved.startsWith(normalizedBase + path.sep) \u0026\u0026 normalizedResolved !== normalizedBase) {\n        server.debug(`  [] ERROR: Handler path escapes base directory:  is not within `);\n        errorCount++;\n        continue;\n      }\n    } else if (path.isAbsolute(handlerPath)) {\n      server.debug(`  [] Using absolute path (bypasses basePath validation): `);\n    }\n\n    // Store the original handler path for reference\n    tool.handlerPath = handlerPath;\n\n    try {\n      server.debug(`  [] Loading handler from: `);\n\n      // Check if file exists before loading\n      if (!fs.existsSync(resolvedPath)) {\n        server.debug(`  [] ERROR: Handler file does not exist: `);\n        errorCount++;\n        continue;\n      }\n\n      // Detect handler type by file extension\n      const ext = path.extname(resolvedPath).toLowerCase();\n      server.debug(`  [] Handler file extension: `);\n\n      if (ext === \".sh\") {\n        // Shell script handler - use GitHub Actions convention\n        server.debug(`  [] Detected shell script handler`);\n\n        // Make sure the script is executable (on Unix-like systems)\n        try {\n          fs.accessSync(resolvedPath, fs.constants.X_OK);\n          server.debug(`  [] Shell script is executable`);\n        } catch {\n          // Try to make it executable\n          try {\n            fs.chmodSync(resolvedPath, 0o755);\n            server.debug(`  [] Made shell script executable`);\n          } catch (chmodError) {\n            server.debugError(`  [] Warning: Could not make shell script executable: `, chmodError);\n            // Continue anyway - it might work depending on the shell\n          }\n        }\n\n        // Lazy-load shell handler module\n        const { createShellHandler } = require(\"./mcp_handler_shell.cjs\");\n        const timeout = tool.timeout || 60; // Default to 60 seconds if not specified\n        tool.handler = createShellHandler(server, toolName, resolvedPath, timeout);\n\n        loadedCount++;\n        server.debug(`  [] Shell handler created successfully with timeout: s`);\n      } else if (ext === \".py\") {\n        // Python script handler - use GitHub Actions convention\n        server.debug(`  [] Detected Python script handler`);\n\n        // Make sure the script is executable (on Unix-like systems)\n        try {\n          fs.accessSync(resolvedPath, fs.constants.X_OK);\n          server.debug(`  [] Python script is executable`);\n        } catch {\n          // Try to make it executable\n          try {\n            fs.chmodSync(resolvedPath, 0o755);\n            server.debug(`  [] Made Python script executable`);\n          } catch (chmodError) {\n            server.debugError(`  [] Warning: Could not make Python script executable: `, chmodError);\n            // Continue anyway - python3 will be called explicitly\n          }\n        }\n\n        // Lazy-load Python handler module\n        const { createPythonHandler } = require(\"./mcp_handler_python.cjs\");\n        const timeout = tool.timeout || 60; // Default to 60 seconds if not specified\n        tool.handler = createPythonHandler(server, toolName, resolvedPath, timeout);\n\n        loadedCount++;\n        server.debug(`  [] Python handler created successfully with timeout: s`);\n      } else {\n        // JavaScript/CommonJS handler - use require()\n        server.debug(`  [] Loading JavaScript handler module`);\n\n        // Load the handler module\n        const handlerModule = require(resolvedPath);\n        server.debug(`  [] Handler module loaded successfully`);\n        server.debug(`  [] Module type: ${typeof handlerModule}`);\n\n        // Get the handler function (support default export patterns)\n        let handlerFn = handlerModule;\n\n        // Handle ES module default export pattern (module.default)\n        if (handlerModule \u0026\u0026 typeof handlerModule === \"object\" \u0026\u0026 typeof handlerModule.default === \"function\") {\n          handlerFn = handlerModule.default;\n          server.debug(`  [] Using module.default export`);\n        }\n\n        // Validate that the handler is a function\n        if (typeof handlerFn !== \"function\") {\n          server.debug(`  [] ERROR: Handler is not a function, got: ${typeof handlerFn}`);\n          server.debug(`  [] Module keys: ${Object.keys(handlerModule || {}).join(\", \") || \"(none)\"}`);\n          errorCount++;\n          continue;\n        }\n\n        server.debug(`  [] Handler function validated successfully`);\n        server.debug(`  [] Handler function name: ${handlerFn.name || \"(anonymous)\"}`);\n\n        // Wrap the handler using the separate function to avoid bloating the closure\n        tool.handler = createWrappedHandler(server, toolName, handlerFn);\n\n        loadedCount++;\n        server.debug(`  [] JavaScript handler loaded and wrapped successfully`);\n      }\n    } catch (error) {\n      server.debugError(`  [] ERROR loading handler: `, error);\n      errorCount++;\n    }\n  }\n\n  server.debug(`Handler loading complete:`);\n  server.debug(`  Loaded: `);\n  server.debug(`  Skipped (no handler path): `);\n  server.debug(`  Errors: `);\n\n  return tools;\n}\n\n/**\n * Register a tool with the server\n * @param {MCPServer} server - The MCP server instance\n * @param {Tool} tool - The tool to register\n */\nfunction registerTool(server, tool) {\n  const normalizedName = normalizeTool(tool.name);\n  server.tools[normalizedName] = {\n    ...tool,\n    name: normalizedName,\n  };\n  server.debug(`Registered tool: `);\n}\n\n/**\n * Normalize a tool name (convert dashes to underscores, lowercase)\n * @param {string} name - The tool name to normalize\n * @returns {string} Normalized tool name\n */\nfunction normalizeTool(name) {\n  return name.replace(/-/g, \"_\").toLowerCase();\n}\n\n/**\n * Handle an incoming JSON-RPC request and return a response (for HTTP transport)\n * This function is compatible with the MCPServer class's handleRequest method.\n * @param {MCPServer} server - The MCP server instance\n * @param {Object} request - The incoming JSON-RPC request\n * @param {Function} [defaultHandler] - Default handler for tools without a handler\n * @returns {Promise\u003cObject|null\u003e} JSON-RPC response object, or null for notifications\n */\nasync function handleRequest(server, request, defaultHandler) {\n  const { id, method, params } = request;\n\n  try {\n    // Handle notifications per JSON-RPC 2.0 spec:\n    // Requests without id field are notifications (no response)\n    // Note: id can be null for valid requests, so we check for field presence with \"in\" operator\n    if (!(\"id\" in request)) {\n      // No id field - this is a notification (no response)\n      return null;\n    }\n\n    let result;\n\n    if (method === \"initialize\") {\n      const protocolVersion = params?.protocolVersion || \"2024-11-05\";\n      result = {\n        protocolVersion,\n        serverInfo: server.serverInfo,\n        capabilities: {\n          tools: {},\n        },\n      };\n    } else if (method === \"ping\") {\n      result = {};\n    } else if (method === \"tools/list\") {\n      const list = [];\n      Object.values(server.tools).forEach(tool =\u003e {\n        const toolDef = {\n          name: tool.name,\n          description: tool.description,\n          inputSchema: tool.inputSchema,\n        };\n        list.push(toolDef);\n      });\n      result = { tools: list };\n    } else if (method === \"tools/call\") {\n      const name = params?.name;\n      const args = params?.arguments ?? {};\n      if (!name || typeof name !== \"string\") {\n        throw {\n          code: -32602,\n          message: \"Invalid params: 'name' must be a string\",\n        };\n      }\n      const tool = server.tools[normalizeTool(name)];\n      if (!tool) {\n        throw {\n          code: -32602,\n          message: `Tool '' not found`,\n        };\n      }\n\n      // Use tool handler, or default handler, or error\n      let handler = tool.handler;\n      if (!handler \u0026\u0026 defaultHandler) {\n        handler = defaultHandler(tool.name);\n      }\n      if (!handler) {\n        throw {\n          code: -32603,\n          message: `No handler for tool: `,\n        };\n      }\n\n      const missing = validateRequiredFields(args, tool.inputSchema);\n      if (missing.length) {\n        throw {\n          code: -32602,\n          message: `Invalid arguments: missing or empty ${missing.map(m =\u003e `''`).join(\", \")}`,\n        };\n      }\n\n      // Call handler and await the result (supports both sync and async handlers)\n      const handlerResult = await Promise.resolve(handler(args));\n      const content = handlerResult \u0026\u0026 handlerResult.content ? handlerResult.content : [];\n      result = { content, isError: false };\n    } else if (/^notifications\\//.test(method)) {\n      // Notifications don't need a response\n      return null;\n    } else {\n      throw {\n        code: -32601,\n        message: `Method not found: `,\n      };\n    }\n\n    return {\n      jsonrpc: \"2.0\",\n      id,\n      result,\n    };\n  } catch (error) {\n    /** @type {any} */\n    const err = error;\n    return {\n      jsonrpc: \"2.0\",\n      id,\n      error: {\n        code: err.code || -32603,\n        message: err.message || \"Internal error\",\n      },\n    };\n  }\n}\n\n/**\n * Handle an incoming JSON-RPC message (for stdio transport)\n * @param {MCPServer} server - The MCP server instance\n * @param {Object} req - The incoming request\n * @param {Function} [defaultHandler] - Default handler for tools without a handler\n * @returns {Promise\u003cvoid\u003e}\n */\nasync function handleMessage(server, req, defaultHandler) {\n  // Validate basic JSON-RPC structure\n  if (!req || typeof req !== \"object\") {\n    server.debug(`Invalid message: not an object`);\n    return;\n  }\n\n  if (req.jsonrpc !== \"2.0\") {\n    server.debug(`Invalid message: missing or invalid jsonrpc field`);\n    return;\n  }\n\n  const { id, method, params } = req;\n\n  // Validate method field\n  if (!method || typeof method !== \"string\") {\n    server.replyError(id, -32600, \"Invalid Request: method must be a string\");\n    return;\n  }\n\n  try {\n    if (method === \"initialize\") {\n      const clientInfo = params?.clientInfo ?? {};\n      server.debug(`client info: ${JSON.stringify(clientInfo)}`);\n      const protocolVersion = params?.protocolVersion ?? undefined;\n      const result = {\n        serverInfo: server.serverInfo,\n        ...(protocolVersion ? { protocolVersion } : {}),\n        capabilities: {\n          tools: {},\n        },\n      };\n      server.replyResult(id, result);\n    } else if (method === \"tools/list\") {\n      const list = [];\n      Object.values(server.tools).forEach(tool =\u003e {\n        const toolDef = {\n          name: tool.name,\n          description: tool.description,\n          inputSchema: tool.inputSchema,\n        };\n        list.push(toolDef);\n      });\n      server.replyResult(id, { tools: list });\n    } else if (method === \"tools/call\") {\n      const name = params?.name;\n      const args = params?.arguments ?? {};\n      if (!name || typeof name !== \"string\") {\n        server.replyError(id, -32602, \"Invalid params: 'name' must be a string\");\n        return;\n      }\n      const tool = server.tools[normalizeTool(name)];\n      if (!tool) {\n        server.replyError(id, -32601, `Tool not found:  (${normalizeTool(name)})`);\n        return;\n      }\n\n      // Use tool handler, or default handler, or error\n      let handler = tool.handler;\n      if (!handler \u0026\u0026 defaultHandler) {\n        handler = defaultHandler(tool.name);\n      }\n      if (!handler) {\n        server.replyError(id, -32603, `No handler for tool: `);\n        return;\n      }\n\n      const missing = validateRequiredFields(args, tool.inputSchema);\n      if (missing.length) {\n        server.replyError(id, -32602, `Invalid arguments: missing or empty ${missing.map(m =\u003e `''`).join(\", \")}`);\n        return;\n      }\n\n      // Call handler and await the result (supports both sync and async handlers)\n      server.debug(`Calling handler for tool: `);\n      const result = await Promise.resolve(handler(args));\n      server.debug(`Handler returned for tool: `);\n      const content = result \u0026\u0026 result.content ? result.content : [];\n      server.replyResult(id, { content, isError: false });\n    } else if (/^notifications\\//.test(method)) {\n      server.debug(`ignore `);\n    } else {\n      server.replyError(id, -32601, `Method not found: `);\n    }\n  } catch (e) {\n    server.replyError(id, -32603, e instanceof Error ? e.message : String(e));\n  }\n}\n\n/**\n * Process the read buffer and handle messages\n * @param {MCPServer} server - The MCP server instance\n * @param {Function} [defaultHandler] - Default handler for tools without a handler\n * @returns {Promise\u003cvoid\u003e}\n */\nasync function processReadBuffer(server, defaultHandler) {\n  while (true) {\n    try {\n      const message = server.readBuffer.readMessage();\n      if (!message) {\n        break;\n      }\n      server.debug(`recv: ${JSON.stringify(message)}`);\n      await handleMessage(server, message, defaultHandler);\n    } catch (error) {\n      // For parse errors, we can't know the request id, so we shouldn't send a response\n      // according to JSON-RPC spec. Just log the error.\n      server.debug(`Parse error: ${error instanceof Error ? error.message : String(error)}`);\n    }\n  }\n}\n\n/**\n * Start the MCP server on stdio\n * @param {MCPServer} server - The MCP server instance\n * @param {Object} [options] - Start options\n * @param {Function} [options.defaultHandler] - Default handler for tools without a handler\n */\nfunction start(server, options = {}) {\n  const { defaultHandler } = options;\n\n  server.debug(`v${server.serverInfo.version} ready on stdio`);\n  server.debug(`  tools: ${Object.keys(server.tools).join(\", \")}`);\n\n  if (!Object.keys(server.tools).length) {\n    throw new Error(\"No tools registered\");\n  }\n\n  const onData = async chunk =\u003e {\n    server.readBuffer.append(chunk);\n    await processReadBuffer(server, defaultHandler);\n  };\n\n  process.stdin.on(\"data\", onData);\n  process.stdin.on(\"error\", err =\u003e server.debug(`stdin error: `));\n  process.stdin.resume();\n  server.debug(`listening...`);\n}\n\nmodule.exports = {\n  createServer,\n  registerTool,\n  normalizeTool,\n  handleRequest,\n  handleMessage,\n  processReadBuffer,\n  start,\n  loadToolHandlers,\n};\n",
-    "messages.cjs": "// @ts-check\n/// \u003creference types=\"@actions/github-script\" /\u003e\n\n/**\n * Safe Output Messages Module (Barrel File)\n *\n * This module re-exports all message functions from the modular message files.\n * It provides backward compatibility for existing code that imports from messages.cjs.\n *\n * For new code, prefer importing directly from the specific modules:\n * - ./messages_core.cjs - Core utilities (getMessages, renderTemplate, toSnakeCase)\n * - ./messages_footer.cjs - Footer messages (getFooterMessage, getFooterInstallMessage, generateFooterWithMessages)\n * - ./messages_staged.cjs - Staged mode messages (getStagedTitle, getStagedDescription)\n * - ./messages_run_status.cjs - Run status messages (getRunStartedMessage, getRunSuccessMessage, getRunFailureMessage)\n * - ./messages_close_discussion.cjs - Close discussion messages (getCloseOlderDiscussionMessage)\n *\n * Supported placeholders:\n * - {workflow_name} - Name of the workflow\n * - {run_url} - URL to the workflow run\n * - {workflow_source} - Source specification (owner/repo/path@ref)\n * - {workflow_source_url} - GitHub URL for the workflow source\n * - {triggering_number} - Issue/PR/Discussion number that triggered this workflow\n * - {operation} - Operation name (for staged mode titles/descriptions)\n * - {event_type} - Event type description (for run-started messages)\n * - {status} - Workflow status text (for run-failure messages)\n *\n * Both camelCase and snake_case placeholder formats are supported.\n */\n\n// Re-export core utilities\nconst { getMessages, renderTemplate } = require(\"./messages_core.cjs\");\n\n// Re-export footer messages\nconst { getFooterMessage, getFooterInstallMessage, generateFooterWithMessages, generateXMLMarker } = require(\"./messages_footer.cjs\");\n\n// Re-export staged mode messages\nconst { getStagedTitle, getStagedDescription } = require(\"./messages_staged.cjs\");\n\n// Re-export run status messages\nconst { getRunStartedMessage, getRunSuccessMessage, getRunFailureMessage } = require(\"./messages_run_status.cjs\");\n\n// Re-export close discussion messages\nconst { getCloseOlderDiscussionMessage } = require(\"./messages_close_discussion.cjs\");\n\nmodule.exports = {\n  getMessages,\n  renderTemplate,\n  getFooterMessage,\n  getFooterInstallMessage,\n  generateFooterWithMessages,\n  generateXMLMarker,\n  getStagedTitle,\n  getStagedDescription,\n  getRunStartedMessage,\n  getRunSuccessMessage,\n  getRunFailureMessage,\n  getCloseOlderDiscussionMessage,\n};\n",
-    "safe_outputs_bootstrap.cjs": "// @ts-check\n\n/**\n * Safe Outputs Bootstrap Module\n *\n * This module provides shared bootstrap logic for safe-outputs MCP server.\n * It handles configuration loading, tools loading, and cleanup that is\n * common initialization logic.\n *\n * Usage:\n *   const { bootstrapSafeOutputsServer } = require(\"./safe_outputs_bootstrap.cjs\");\n *   const { config, outputFile, tools } = bootstrapSafeOutputsServer(server);\n */\n\nconst fs = require(\"fs\");\nconst { loadConfig } = require(\"./safe_outputs_config.cjs\");\nconst { loadTools } = require(\"./safe_outputs_tools_loader.cjs\");\n\n/**\n * @typedef {Object} Logger\n * @property {Function} debug - Debug logging function\n * @property {Function} debugError - Error logging function\n */\n\n/**\n * @typedef {Object} BootstrapResult\n * @property {Object} config - Loaded configuration\n * @property {string} outputFile - Path to the output file\n * @property {Array} tools - Loaded tool definitions\n */\n\n/**\n * Bootstrap a safe-outputs server by loading configuration and tools.\n * This function performs the common initialization steps.\n *\n * @param {Logger} logger - Logger instance for debug messages\n * @returns {BootstrapResult} Configuration, output file path, and loaded tools\n */\nfunction bootstrapSafeOutputsServer(logger) {\n  // Load configuration\n  logger.debug(\"Loading safe-outputs configuration\");\n  const { config, outputFile } = loadConfig(logger);\n\n  // Load tools\n  logger.debug(\"Loading safe-outputs tools\");\n  const tools = loadTools(logger);\n\n  return { config, outputFile, tools };\n}\n\n/**\n * Delete the configuration file to ensure no secrets remain on disk.\n * This should be called after the server has been configured and started.\n *\n * @param {Logger} logger - Logger instance for debug messages\n */\nfunction cleanupConfigFile(logger) {\n  const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || \"/tmp/gh-aw/safeoutputs/config.json\";\n\n  try {\n    if (fs.existsSync(configPath)) {\n      fs.unlinkSync(configPath);\n      logger.debug(`Deleted configuration file: `);\n    }\n  } catch (error) {\n    logger.debugError(\"Warning: Could not delete configuration file: \", error);\n    // Continue anyway - the server is already running\n  }\n}\n\nmodule.exports = {\n  bootstrapSafeOutputsServer,\n  cleanupConfigFile,\n};\n",
-    "safe_outputs_config.cjs": "// @ts-check\n\nconst fs = require(\"fs\");\nconst path = require(\"path\");\n\n/**\n * Load and process safe outputs configuration\n * @param {Object} server - The MCP server instance for logging\n * @returns {Object} An object containing the processed config and output file path\n */\nfunction loadConfig(server) {\n  // Read configuration from file\n  const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || \"/tmp/gh-aw/safeoutputs/config.json\";\n  let safeOutputsConfigRaw;\n\n  server.debug(`Reading config from file: `);\n\n  try {\n    if (fs.existsSync(configPath)) {\n      server.debug(`Config file exists at: `);\n      const configFileContent = fs.readFileSync(configPath, \"utf8\");\n      server.debug(`Config file content length: ${configFileContent.length} characters`);\n      // Don't log raw content to avoid exposing sensitive configuration data\n      server.debug(`Config file read successfully, attempting to parse JSON`);\n      safeOutputsConfigRaw = JSON.parse(configFileContent);\n      server.debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`);\n    } else {\n      server.debug(`Config file does not exist at: `);\n      server.debug(`Using minimal default configuration`);\n      safeOutputsConfigRaw = {};\n    }\n  } catch (error) {\n    server.debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`);\n    server.debug(`Falling back to empty configuration`);\n    safeOutputsConfigRaw = {};\n  }\n\n  const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) =\u003e [k.replace(/-/g, \"_\"), v]));\n  server.debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`);\n\n  // Handle GH_AW_SAFE_OUTPUTS with default fallback\n  const outputFile = process.env.GH_AW_SAFE_OUTPUTS || \"/tmp/gh-aw/safeoutputs/outputs.jsonl\";\n  if (!process.env.GH_AW_SAFE_OUTPUTS) {\n    server.debug(`GH_AW_SAFE_OUTPUTS not set, using default: `);\n  }\n  // Always ensure the directory exists, regardless of whether env var is set\n  const outputDir = path.dirname(outputFile);\n  if (!fs.existsSync(outputDir)) {\n    server.debug(`Creating output directory: `);\n    fs.mkdirSync(outputDir, { recursive: true });\n  }\n\n  return {\n    config: safeOutputsConfig,\n    outputFile: outputFile,\n  };\n}\n\nmodule.exports = { loadConfig };\n",
-    "safe_outputs_handlers.cjs": "// @ts-check\n\nconst fs = require(\"fs\");\nconst path = require(\"path\");\nconst crypto = require(\"crypto\");\n\nconst { normalizeBranchName } = require(\"./normalize_branch_name.cjs\");\nconst { estimateTokens } = require(\"./estimate_tokens.cjs\");\nconst { writeLargeContentToFile } = require(\"./write_large_content_to_file.cjs\");\nconst { getCurrentBranch } = require(\"./get_current_branch.cjs\");\nconst { getBaseBranch } = require(\"./get_base_branch.cjs\");\nconst { generateGitPatch } = require(\"./generate_git_patch.cjs\");\n\n/**\n * Create handlers for safe output tools\n * @param {Object} server - The MCP server instance for logging\n * @param {Function} appendSafeOutput - Function to append entries to the output file\n * @param {Object} [config] - Optional configuration object with safe output settings\n * @returns {Object} An object containing all handler functions\n */\nfunction createHandlers(server, appendSafeOutput, config = {}) {\n  /**\n   * Default handler for safe output tools\n   * @param {string} type - The tool type\n   * @returns {Function} Handler function\n   */\n  const defaultHandler = type =\u003e args =\u003e {\n    const entry = { ...(args || {}), type };\n\n    // Check if any field in the entry has content exceeding 16000 tokens\n    let largeContent = null;\n    let largeFieldName = null;\n    const TOKEN_THRESHOLD = 16000;\n\n    for (const [key, value] of Object.entries(entry)) {\n      if (typeof value === \"string\") {\n        const tokens = estimateTokens(value);\n        if (tokens \u003e TOKEN_THRESHOLD) {\n          largeContent = value;\n          largeFieldName = key;\n          server.debug(`Field '' has  tokens (exceeds )`);\n          break;\n        }\n      }\n    }\n\n    if (largeContent \u0026\u0026 largeFieldName) {\n      // Write large content to file\n      const fileInfo = writeLargeContentToFile(largeContent);\n\n      // Replace large field with file reference\n      entry[largeFieldName] = `[Content too large, saved to file: ${fileInfo.filename}]`;\n\n      // Append modified entry to safe outputs\n      appendSafeOutput(entry);\n\n      // Return file info to the agent\n      return {\n        content: [\n          {\n            type: \"text\",\n            text: JSON.stringify(fileInfo),\n          },\n        ],\n      };\n    }\n\n    // Normal case - no large content\n    appendSafeOutput(entry);\n    return {\n      content: [\n        {\n          type: \"text\",\n          text: JSON.stringify({ result: \"success\" }),\n        },\n      ],\n    };\n  };\n\n  /**\n   * Handler for upload_asset tool\n   */\n  const uploadAssetHandler = args =\u003e {\n    const branchName = process.env.GH_AW_ASSETS_BRANCH;\n    if (!branchName) throw new Error(\"GH_AW_ASSETS_BRANCH not set\");\n\n    // Normalize the branch name to ensure it's a valid git branch name\n    const normalizedBranchName = normalizeBranchName(branchName);\n\n    const { path: filePath } = args;\n\n    // Validate file path is within allowed directories\n    const absolutePath = path.resolve(filePath);\n    const workspaceDir = process.env.GITHUB_WORKSPACE || process.cwd();\n    const tmpDir = \"/tmp\";\n\n    const isInWorkspace = absolutePath.startsWith(path.resolve(workspaceDir));\n    const isInTmp = absolutePath.startsWith(tmpDir);\n\n    if (!isInWorkspace \u0026\u0026 !isInTmp) {\n      throw new Error(`File path must be within workspace directory () or /tmp directory. ` + `Provided path:  (resolved to: )`);\n    }\n\n    // Validate file exists\n    if (!fs.existsSync(filePath)) {\n      throw new Error(`File not found: `);\n    }\n\n    // Get file stats\n    const stats = fs.statSync(filePath);\n    const sizeBytes = stats.size;\n    const sizeKB = Math.ceil(sizeBytes / 1024);\n\n    // Check file size - read from environment variable if available\n    const maxSizeKB = process.env.GH_AW_ASSETS_MAX_SIZE_KB ? parseInt(process.env.GH_AW_ASSETS_MAX_SIZE_KB, 10) : 10240; // Default 10MB\n    if (sizeKB \u003e maxSizeKB) {\n      throw new Error(`File size  KB exceeds maximum allowed size  KB`);\n    }\n\n    // Check file extension - read from environment variable if available\n    const ext = path.extname(filePath).toLowerCase();\n    const allowedExts = process.env.GH_AW_ASSETS_ALLOWED_EXTS\n      ? process.env.GH_AW_ASSETS_ALLOWED_EXTS.split(\",\").map(ext =\u003e ext.trim())\n      : [\n          // Default set as specified in problem statement\n          \".png\",\n          \".jpg\",\n          \".jpeg\",\n        ];\n\n    if (!allowedExts.includes(ext)) {\n      throw new Error(`File extension '' is not allowed. Allowed extensions: ${allowedExts.join(\", \")}`);\n    }\n\n    // Create assets directory\n    const assetsDir = \"/tmp/gh-aw/safeoutputs/assets\";\n    if (!fs.existsSync(assetsDir)) {\n      fs.mkdirSync(assetsDir, { recursive: true });\n    }\n\n    // Read file and compute hash\n    const fileContent = fs.readFileSync(filePath);\n    const sha = crypto.createHash(\"sha256\").update(fileContent).digest(\"hex\");\n\n    // Extract filename and extension\n    const fileName = path.basename(filePath);\n    const fileExt = path.extname(fileName).toLowerCase();\n\n    // Copy file to assets directory with original name\n    const targetPath = path.join(assetsDir, fileName);\n    fs.copyFileSync(filePath, targetPath);\n\n    // Generate target filename as sha + extension (lowercased)\n    const targetFileName = (sha + fileExt).toLowerCase();\n\n    const githubServer = process.env.GITHUB_SERVER_URL || \"https://github.com\";\n    const repo = process.env.GITHUB_REPOSITORY || \"owner/repo\";\n    const url = `${githubServer.replace(\"github.com\", \"raw.githubusercontent.com\")}///`;\n\n    // Create entry for safe outputs\n    const entry = {\n      type: \"upload_asset\",\n      path: filePath,\n      fileName: fileName,\n      sha: sha,\n      size: sizeBytes,\n      url: url,\n      targetFileName: targetFileName,\n    };\n\n    appendSafeOutput(entry);\n\n    return {\n      content: [\n        {\n          type: \"text\",\n          text: JSON.stringify({ result: url }),\n        },\n      ],\n    };\n  };\n\n  /**\n   * Handler for create_pull_request tool\n   * Resolves the current branch if branch is not provided or is the base branch\n   * Generates git patch for the changes (unless allow-empty is true)\n   */\n  const createPullRequestHandler = args =\u003e {\n    const entry = { ...args, type: \"create_pull_request\" };\n    const baseBranch = getBaseBranch();\n\n    // If branch is not provided, is empty, or equals the base branch, use the current branch from git\n    // This handles cases where the agent incorrectly passes the base branch instead of the working branch\n    if (!entry.branch || entry.branch.trim() === \"\" || entry.branch === baseBranch) {\n      const detectedBranch = getCurrentBranch();\n\n      if (entry.branch === baseBranch) {\n        server.debug(`Branch equals base branch (), detecting actual working branch: `);\n      } else {\n        server.debug(`Using current branch for create_pull_request: `);\n      }\n\n      entry.branch = detectedBranch;\n    }\n\n    // Check if allow-empty is enabled in configuration\n    const allowEmpty = config.create_pull_request?.allow_empty === true;\n\n    if (allowEmpty) {\n      server.debug(`allow-empty is enabled for create_pull_request - skipping patch generation`);\n      // Append the safe output entry without generating a patch\n      appendSafeOutput(entry);\n      return {\n        content: [\n          {\n            type: \"text\",\n            text: JSON.stringify({\n              result: \"success\",\n              message: \"Pull request prepared (allow-empty mode - no patch generated)\",\n              branch: entry.branch,\n            }),\n          },\n        ],\n      };\n    }\n\n    // Generate git patch\n    server.debug(`Generating patch for create_pull_request with branch: ${entry.branch}`);\n    const patchResult = generateGitPatch(entry.branch);\n\n    if (!patchResult.success) {\n      // Patch generation failed or patch is empty\n      const errorMsg = patchResult.error || \"Failed to generate patch\";\n      server.debug(`Patch generation failed: `);\n      throw new Error(errorMsg);\n    }\n\n    // prettier-ignore\n    server.debug(`Patch generated successfully: ${patchResult.patchPath} (${patchResult.patchSize} bytes, ${patchResult.patchLines} lines)`);\n\n    appendSafeOutput(entry);\n    return {\n      content: [\n        {\n          type: \"text\",\n          text: JSON.stringify({\n            result: \"success\",\n            patch: {\n              path: patchResult.patchPath,\n              size: patchResult.patchSize,\n              lines: patchResult.patchLines,\n            },\n          }),\n        },\n      ],\n    };\n  };\n\n  /**\n   * Handler for push_to_pull_request_branch tool\n   * Resolves the current branch if branch is not provided or is the base branch\n   * Generates git patch for the changes\n   */\n  const pushToPullRequestBranchHandler = args =\u003e {\n    const entry = { ...args, type: \"push_to_pull_request_branch\" };\n    const baseBranch = getBaseBranch();\n\n    // If branch is not provided, is empty, or equals the base branch, use the current branch from git\n    // This handles cases where the agent incorrectly passes the base branch instead of the working branch\n    if (!entry.branch || entry.branch.trim() === \"\" || entry.branch === baseBranch) {\n      const detectedBranch = getCurrentBranch();\n\n      if (entry.branch === baseBranch) {\n        server.debug(`Branch equals base branch (), detecting actual working branch: `);\n      } else {\n        server.debug(`Using current branch for push_to_pull_request_branch: `);\n      }\n\n      entry.branch = detectedBranch;\n    }\n\n    // Generate git patch\n    server.debug(`Generating patch for push_to_pull_request_branch with branch: ${entry.branch}`);\n    const patchResult = generateGitPatch(entry.branch);\n\n    if (!patchResult.success) {\n      // Patch generation failed or patch is empty\n      const errorMsg = patchResult.error || \"Failed to generate patch\";\n      server.debug(`Patch generation failed: `);\n      throw new Error(errorMsg);\n    }\n\n    // prettier-ignore\n    server.debug(`Patch generated successfully: ${patchResult.patchPath} (${patchResult.patchSize} bytes, ${patchResult.patchLines} lines)`);\n\n    appendSafeOutput(entry);\n    return {\n      content: [\n        {\n          type: \"text\",\n          text: JSON.stringify({\n            result: \"success\",\n            patch: {\n              path: patchResult.patchPath,\n              size: patchResult.patchSize,\n              lines: patchResult.patchLines,\n            },\n          }),\n        },\n      ],\n    };\n  };\n\n  return {\n    defaultHandler,\n    uploadAssetHandler,\n    createPullRequestHandler,\n    pushToPullRequestBranchHandler,\n  };\n}\n\nmodule.exports = { createHandlers };\n",
-    "safe_outputs_mcp_server.cjs": "// @ts-check\n\n// Safe Outputs MCP Server Module\n//\n// This module provides a reusable MCP server for safe-outputs configuration.\n// It uses the mcp_server_core module for JSON-RPC handling and tool registration.\n//\n// Usage:\n//   node safe_outputs_mcp_server.cjs\n//\n// Or as a module:\n//   const server = require(\"./safe_outputs_mcp_server.cjs\");\n//   server.startSafeOutputsServer();\n\nconst { createServer, registerTool, normalizeTool, start } = require(\"./mcp_server_core.cjs\");\nconst { createAppendFunction } = require(\"./safe_outputs_append.cjs\");\nconst { createHandlers } = require(\"./safe_outputs_handlers.cjs\");\nconst { attachHandlers, registerPredefinedTools, registerDynamicTools } = require(\"./safe_outputs_tools_loader.cjs\");\nconst { bootstrapSafeOutputsServer, cleanupConfigFile } = require(\"./safe_outputs_bootstrap.cjs\");\n\n/**\n * Start the safe-outputs MCP server\n * @param {Object} [options] - Additional options\n * @param {string} [options.logDir] - Override log directory\n * @param {boolean} [options.skipCleanup] - Skip deletion of config file (useful for testing)\n */\nfunction startSafeOutputsServer(options = {}) {\n  // Server info for safe outputs MCP server\n  const SERVER_INFO = { name: \"safeoutputs\", version: \"1.0.0\" };\n\n  // Create the server instance with optional log directory\n  const MCP_LOG_DIR = options.logDir || process.env.GH_AW_MCP_LOG_DIR;\n  const server = createServer(SERVER_INFO, { logDir: MCP_LOG_DIR });\n\n  // Bootstrap: load configuration and tools using shared logic\n  const { config: safeOutputsConfig, outputFile, tools: ALL_TOOLS } = bootstrapSafeOutputsServer(server);\n\n  // Create append function\n  const appendSafeOutput = createAppendFunction(outputFile);\n\n  // Create handlers with configuration\n  const handlers = createHandlers(server, appendSafeOutput, safeOutputsConfig);\n  const { defaultHandler } = handlers;\n\n  // Attach handlers to tools\n  const toolsWithHandlers = attachHandlers(ALL_TOOLS, handlers);\n\n  server.debug(`  output file: `);\n  server.debug(`  config: ${JSON.stringify(safeOutputsConfig)}`);\n\n  // Register predefined tools that are enabled in configuration\n  registerPredefinedTools(server, toolsWithHandlers, safeOutputsConfig, registerTool, normalizeTool);\n\n  // Add safe-jobs as dynamic tools\n  registerDynamicTools(server, toolsWithHandlers, safeOutputsConfig, outputFile, registerTool, normalizeTool);\n\n  server.debug(`  tools: ${Object.keys(server.tools).join(\", \")}`);\n  if (!Object.keys(server.tools).length) throw new Error(\"No tools enabled in configuration\");\n\n  // Note: We do NOT cleanup the config file here because it's needed by the ingestion\n  // phase (collect_ndjson_output.cjs) that runs after the MCP server completes.\n  // The config file only contains schema information (no secrets), so it's safe to leave.\n\n  // Start the server with the default handler\n  start(server, { defaultHandler });\n}\n\n// If run directly, start the server\nif (require.main === module) {\n  try {\n    startSafeOutputsServer();\n  } catch (error) {\n    console.error(`Error starting safe-outputs server: ${error instanceof Error ? error.message : String(error)}`);\n    process.exit(1);\n  }\n}\n\nmodule.exports = {\n  startSafeOutputsServer,\n};\n",
-    "safe_outputs_tools.json": "[\n  {\n    \"name\": \"create_issue\",\n    \"description\": \"Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"title\", \"body\"],\n      \"properties\": {\n        \"title\": {\n          \"type\": \"string\",\n          \"description\": \"Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.\"\n        },\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.\"\n        },\n        \"labels\": {\n          \"type\": \"array\",\n          \"items\": {\n            \"type\": \"string\"\n          },\n          \"description\": \"Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.\"\n        },\n        \"parent\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Parent issue number for creating sub-issues. Can be a real issue number (e.g., 42) or a temporary_id (e.g., 'aw_abc123def456') from a previously created issue in the same workflow run.\"\n        },\n        \"temporary_id\": {\n          \"type\": \"string\",\n          \"description\": \"Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 12 hex characters (e.g., 'aw_abc123def456'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"create_agent_task\",\n    \"description\": \"Create a GitHub Copilot agent task to delegate coding work. Use this when you need another Copilot agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"body\"],\n      \"properties\": {\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Clear, detailed task description for the Copilot agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"create_discussion\",\n    \"description\": \"Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"title\", \"body\"],\n      \"properties\": {\n        \"title\": {\n          \"type\": \"string\",\n          \"description\": \"Concise discussion title summarizing the topic. The title appears as the main heading, so keep it brief and descriptive.\"\n        },\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Discussion content in Markdown. Do NOT repeat the title as a heading since it already appears as the discussion's h1. Include all relevant context, findings, or questions.\"\n        },\n        \"category\": {\n          \"type\": \"string\",\n          \"description\": \"Discussion category by name (e.g., 'General'), slug (e.g., 'general'), or ID. If omitted, uses the first available category. Category must exist in the repository.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"close_discussion\",\n    \"description\": \"Close a GitHub discussion with a resolution comment and optional reason. Use this to mark discussions as resolved, answered, or no longer needed. The closing comment should explain why the discussion is being closed.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"body\"],\n      \"properties\": {\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Closing comment explaining why the discussion is being closed and summarizing any resolution or conclusion.\"\n        },\n        \"reason\": {\n          \"type\": \"string\",\n          \"enum\": [\"RESOLVED\", \"DUPLICATE\", \"OUTDATED\", \"ANSWERED\"],\n          \"description\": \"Resolution reason: RESOLVED (issue addressed), DUPLICATE (discussed elsewhere), OUTDATED (no longer relevant), or ANSWERED (question answered).\"\n        },\n        \"discussion_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Discussion number to close. If omitted, closes the discussion that triggered this workflow (requires a discussion event trigger).\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"close_issue\",\n    \"description\": \"Close a GitHub issue with a closing comment. Use this when work is complete, the issue is no longer relevant, or it's a duplicate. The closing comment should explain the resolution or reason for closing.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"body\"],\n      \"properties\": {\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Closing comment explaining why the issue is being closed and summarizing any resolution, workaround, or conclusion.\"\n        },\n        \"issue_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Issue number to close. If omitted, closes the issue that triggered this workflow (requires an issue event trigger).\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"close_pull_request\",\n    \"description\": \"Close a pull request WITHOUT merging, adding a closing comment. Use this for PRs that should be abandoned, superseded, or closed for other reasons. The closing comment should explain why the PR is being closed. This does NOT merge the changes.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"body\"],\n      \"properties\": {\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Closing comment explaining why the PR is being closed without merging (e.g., superseded by another PR, no longer needed, approach rejected).\"\n        },\n        \"pull_request_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Pull request number to close. If omitted, closes the PR that triggered this workflow (requires a pull_request event trigger).\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"add_comment\",\n    \"description\": \"Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"body\", \"item_number\"],\n      \"properties\": {\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Comment content in Markdown. Provide helpful, relevant information that adds value to the conversation.\"\n        },\n        \"item_number\": {\n          \"type\": \"number\",\n          \"description\": \"The issue, pull request, or discussion number to comment on. Must be a valid existing item in the repository.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"create_pull_request\",\n    \"description\": \"Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"title\", \"body\"],\n      \"properties\": {\n        \"title\": {\n          \"type\": \"string\",\n          \"description\": \"Concise PR title describing the changes. Follow repository conventions (e.g., conventional commits). The title appears as the main heading.\"\n        },\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Detailed PR description in Markdown. Include what changes were made, why, testing notes, and any breaking changes. Do NOT repeat the title as a heading.\"\n        },\n        \"branch\": {\n          \"type\": \"string\",\n          \"description\": \"Source branch name containing the changes. If omitted, uses the current working branch.\"\n        },\n        \"labels\": {\n          \"type\": \"array\",\n          \"items\": {\n            \"type\": \"string\"\n          },\n          \"description\": \"Labels to categorize the PR (e.g., 'enhancement', 'bugfix'). Labels must exist in the repository.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"create_pull_request_review_comment\",\n    \"description\": \"Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"path\", \"line\", \"body\"],\n      \"properties\": {\n        \"path\": {\n          \"type\": \"string\",\n          \"description\": \"File path relative to the repository root (e.g., 'src/auth/login.js'). Must be a file that was changed in the PR.\"\n        },\n        \"line\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Line number for the comment. For single-line comments, this is the target line. For multi-line comments, this is the ending line.\"\n        },\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Review comment content in Markdown. Provide specific, actionable feedback about the code at this location.\"\n        },\n        \"start_line\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Starting line number for multi-line comments. When set, the comment spans from start_line to line. Omit for single-line comments.\"\n        },\n        \"side\": {\n          \"type\": \"string\",\n          \"enum\": [\"LEFT\", \"RIGHT\"],\n          \"description\": \"Side of the diff to comment on: RIGHT for the new version (additions), LEFT for the old version (deletions). Defaults to RIGHT.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"create_code_scanning_alert\",\n    \"description\": \"Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"file\", \"line\", \"severity\", \"message\"],\n      \"properties\": {\n        \"file\": {\n          \"type\": \"string\",\n          \"description\": \"File path relative to the repository root where the issue was found (e.g., 'src/auth/password.js').\"\n        },\n        \"line\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Line number where the issue was found in the file.\"\n        },\n        \"severity\": {\n          \"type\": \"string\",\n          \"enum\": [\"error\", \"warning\", \"info\", \"note\"],\n          \"description\": \"Alert severity level: 'error' (critical security issues), 'warning' (potential problems), 'info' (informational), or 'note' (minor observations).\"\n        },\n        \"message\": {\n          \"type\": \"string\",\n          \"description\": \"Clear description of the security issue or finding. Include what's wrong and ideally how to fix it.\"\n        },\n        \"column\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Column number for more precise location of the issue within the line.\"\n        },\n        \"ruleIdSuffix\": {\n          \"type\": \"string\",\n          \"description\": \"Suffix to append to the rule ID for categorizing different types of findings (e.g., 'sql-injection', 'xss').\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"add_labels\",\n    \"description\": \"Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"labels\"],\n      \"properties\": {\n        \"labels\": {\n          \"type\": \"array\",\n          \"items\": {\n            \"type\": \"string\"\n          },\n          \"description\": \"Label names to add (e.g., ['bug', 'priority-high']). Labels must exist in the repository.\"\n        },\n        \"item_number\": {\n          \"type\": \"number\",\n          \"description\": \"Issue or PR number to add labels to. If omitted, adds labels to the item that triggered this workflow.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"add_reviewer\",\n    \"description\": \"Add reviewers to a GitHub pull request. Reviewers receive notifications and can approve or request changes. Use 'copilot' as a reviewer name to request the Copilot PR review bot.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"reviewers\"],\n      \"properties\": {\n        \"reviewers\": {\n          \"type\": \"array\",\n          \"items\": {\n            \"type\": \"string\"\n          },\n          \"description\": \"GitHub usernames to add as reviewers (e.g., ['octocat', 'copilot']). Users must have access to the repository.\"\n        },\n        \"pull_request_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Pull request number to add reviewers to. If omitted, adds reviewers to the PR that triggered this workflow.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"assign_milestone\",\n    \"description\": \"Assign an issue to a milestone for release planning and progress tracking. Milestones must exist in the repository before assignment.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"issue_number\", \"milestone_number\"],\n      \"properties\": {\n        \"issue_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Issue number to assign to the milestone.\"\n        },\n        \"milestone_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Milestone number (not title) to assign the issue to. Find milestone numbers in the repository's Milestones page.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"assign_to_agent\",\n    \"description\": \"Assign the GitHub Copilot coding agent to work on an issue. The agent will analyze the issue and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"issue_number\"],\n      \"properties\": {\n        \"issue_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Issue number to assign the Copilot agent to. The issue should contain clear, actionable requirements.\"\n        },\n        \"agent\": {\n          \"type\": \"string\",\n          \"description\": \"Agent identifier to assign. Defaults to 'copilot' (the Copilot coding agent) if not specified.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"assign_to_user\",\n    \"description\": \"Assign one or more GitHub users to an issue. Use this to delegate work to specific team members. Users must have access to the repository.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"issue_number\"],\n      \"properties\": {\n        \"issue_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Issue number to assign users to. If omitted, assigns to the issue that triggered this workflow.\"\n        },\n        \"assignees\": {\n          \"type\": \"array\",\n          \"items\": {\n            \"type\": \"string\"\n          },\n          \"description\": \"GitHub usernames to assign to the issue (e.g., ['octocat', 'mona']). Users must have access to the repository.\"\n        },\n        \"assignee\": {\n          \"type\": \"string\",\n          \"description\": \"Single GitHub username to assign. Use 'assignees' array for multiple users.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"update_issue\",\n    \"description\": \"Update an existing GitHub issue's status, title, or body. Use this to modify issue properties after creation. Only the fields you specify will be updated; other fields remain unchanged.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"status\": {\n          \"type\": \"string\",\n          \"enum\": [\"open\", \"closed\"],\n          \"description\": \"New issue status: 'open' to reopen a closed issue, 'closed' to close an open issue.\"\n        },\n        \"title\": {\n          \"type\": \"string\",\n          \"description\": \"New issue title to replace the existing title.\"\n        },\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"New issue body to replace the existing content. Use Markdown formatting.\"\n        },\n        \"issue_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Issue number to update. Required when the workflow target is '*' (any issue).\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"update_pull_request\",\n    \"description\": \"Update an existing GitHub pull request's title or body. Supports replacing, appending to, or prepending content to the body. Title is always replaced. Only the fields you specify will be updated; other fields remain unchanged.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"title\": {\n          \"type\": \"string\",\n          \"description\": \"New pull request title to replace the existing title.\"\n        },\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Pull request body content in Markdown. For 'replace', this becomes the entire body. For 'append'/'prepend', this is added with a separator.\"\n        },\n        \"operation\": {\n          \"type\": \"string\",\n          \"enum\": [\"replace\", \"append\", \"prepend\"],\n          \"description\": \"How to update the PR body: 'replace' (default - completely overwrite), 'append' (add to end with separator), or 'prepend' (add to start with separator). Title is always replaced.\"\n        },\n        \"pull_request_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Pull request number to update. Required when the workflow target is '*' (any PR).\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"push_to_pull_request_branch\",\n    \"description\": \"Push committed changes to a pull request's branch. Use this to add follow-up commits to an existing PR, such as addressing review feedback or fixing issues. Changes must be committed locally before calling this tool.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"message\"],\n      \"properties\": {\n        \"branch\": {\n          \"type\": \"string\",\n          \"description\": \"Branch name to push changes from. If omitted, uses the current working branch. Only specify if you need to push from a different branch.\"\n        },\n        \"message\": {\n          \"type\": \"string\",\n          \"description\": \"Commit message describing the changes. Follow repository commit message conventions (e.g., conventional commits).\"\n        },\n        \"pull_request_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"Pull request number to push changes to. Required when the workflow target is '*' (any PR).\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"upload_asset\",\n    \"description\": \"Upload a file as a URL-addressable asset that can be referenced in issues, PRs, or comments. The file is stored on an orphaned git branch and returns a permanent URL. Use this for images, diagrams, or other files that need to be embedded in GitHub content.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"path\"],\n      \"properties\": {\n        \"path\": {\n          \"type\": \"string\",\n          \"description\": \"Absolute file path to upload (e.g., '/tmp/chart.png'). Must be under the workspace or /tmp directory. By default, only image files (.png, .jpg, .jpeg) are allowed; other file types require workflow configuration.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"update_release\",\n    \"description\": \"Update a GitHub release description by replacing, appending to, or prepending to the existing content. Use this to add release notes, changelogs, or additional information to an existing release.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"tag\", \"operation\", \"body\"],\n      \"properties\": {\n        \"tag\": {\n          \"type\": \"string\",\n          \"description\": \"Release tag name (e.g., 'v1.0.0'). REQUIRED - must be provided explicitly as the tag cannot always be inferred from event context.\"\n        },\n        \"operation\": {\n          \"type\": \"string\",\n          \"enum\": [\"replace\", \"append\", \"prepend\"],\n          \"description\": \"How to update the release body: 'replace' (completely overwrite), 'append' (add to end with separator), or 'prepend' (add to start with separator).\"\n        },\n        \"body\": {\n          \"type\": \"string\",\n          \"description\": \"Release body content in Markdown. For 'replace', this becomes the entire release body. For 'append'/'prepend', this is added with a separator.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"missing_tool\",\n    \"description\": \"Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"tool\", \"reason\"],\n      \"properties\": {\n        \"tool\": {\n          \"type\": \"string\",\n          \"description\": \"Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.\"\n        },\n        \"reason\": {\n          \"type\": \"string\",\n          \"description\": \"Explanation of why this tool is needed to complete the task (max 256 characters).\"\n        },\n        \"alternatives\": {\n          \"type\": \"string\",\n          \"description\": \"Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"noop\",\n    \"description\": \"Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"message\"],\n      \"properties\": {\n        \"message\": {\n          \"type\": \"string\",\n          \"description\": \"Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"link_sub_issue\",\n    \"description\": \"Link an issue as a sub-issue of a parent issue. Use this to establish parent-child relationships between issues for better organization and tracking of related work items.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"parent_issue_number\", \"sub_issue_number\"],\n      \"properties\": {\n        \"parent_issue_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"The parent issue number to link the sub-issue to.\"\n        },\n        \"sub_issue_number\": {\n          \"type\": [\"number\", \"string\"],\n          \"description\": \"The issue number to link as a sub-issue of the parent.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"hide_comment\",\n    \"description\": \"Hide a comment on a GitHub issue, pull request, or discussion. This collapses the comment and marks it as spam, abuse, off-topic, outdated, or resolved. Use this for inappropriate, off-topic, or outdated comments. The comment_id must be a GraphQL node ID (string like 'IC_kwDOABCD123456'), not a numeric REST API comment ID.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"comment_id\"],\n      \"properties\": {\n        \"comment_id\": {\n          \"type\": \"string\",\n          \"description\": \"GraphQL node ID of the comment to hide (e.g., 'IC_kwDOABCD123456'). This is the GraphQL node ID, not the numeric comment ID from REST API. Can be obtained from GraphQL queries or comment API responses.\"\n        },\n        \"reason\": {\n          \"type\": \"string\",\n          \"enum\": [\"SPAM\", \"ABUSE\", \"OFF_TOPIC\", \"OUTDATED\", \"RESOLVED\"],\n          \"description\": \"Optional reason for hiding the comment. Defaults to SPAM if not provided. Valid values: SPAM (spam content), ABUSE (abusive/harassment content), OFF_TOPIC (not relevant to discussion), OUTDATED (no longer applicable), RESOLVED (issue/question has been resolved).\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  },\n  {\n    \"name\": \"update_project\",\n    \"description\": \"Add or update items in GitHub Projects v2 boards. Can add issues/PRs to a project and update custom field values. Requires the project URL, content type (issue or pull_request), and content number. Use campaign_id to group related items.\",\n    \"inputSchema\": {\n      \"type\": \"object\",\n      \"required\": [\"project\", \"content_type\", \"content_number\"],\n      \"properties\": {\n        \"project\": {\n          \"type\": \"string\",\n          \"pattern\": \"^https://github\\\\.com/(orgs|users)/[^/]+/projects/\\\\d+$\",\n          \"description\": \"Full GitHub project URL (e.g., 'https://github.com/orgs/myorg/projects/42' or 'https://github.com/users/username/projects/5'). Project names or numbers alone are NOT accepted.\"\n        },\n        \"content_type\": {\n          \"type\": \"string\",\n          \"enum\": [\"issue\", \"pull_request\"],\n          \"description\": \"Type of content to add to the project. Must be either 'issue' or 'pull_request'.\"\n        },\n        \"content_number\": {\n          \"type\": \"number\",\n          \"description\": \"Issue or pull request number to add to the project (e.g., 123 for issue #123).\"\n        },\n        \"fields\": {\n          \"type\": \"object\",\n          \"description\": \"Custom field values to set on the project item (e.g., {'Status': 'In Progress', 'Priority': 'High'}). Field names must match custom fields defined in the project.\"\n        },\n        \"campaign_id\": {\n          \"type\": \"string\",\n          \"description\": \"Campaign identifier to group related project items. Used to track items created by the same campaign or workflow run.\"\n        },\n        \"create_if_missing\": {\n          \"type\": \"boolean\",\n          \"description\": \"Whether to create the project if it doesn't exist. Defaults to false. Requires projects:write permission when true.\"\n        }\n      },\n      \"additionalProperties\": false\n    }\n  }\n]\n",
-    "safe_outputs_tools_loader.cjs": "// @ts-check\n\nconst fs = require(\"fs\");\n\n/**\n * Load tools from tools.json file\n * @param {Object} server - The MCP server instance for logging\n * @returns {Array} Array of tool definitions\n */\nfunction loadTools(server) {\n  const toolsPath = process.env.GH_AW_SAFE_OUTPUTS_TOOLS_PATH || \"/tmp/gh-aw/safeoutputs/tools.json\";\n  let ALL_TOOLS = [];\n\n  server.debug(`Reading tools from file: `);\n\n  try {\n    if (fs.existsSync(toolsPath)) {\n      server.debug(`Tools file exists at: `);\n      const toolsFileContent = fs.readFileSync(toolsPath, \"utf8\");\n      server.debug(`Tools file content length: ${toolsFileContent.length} characters`);\n      server.debug(`Tools file read successfully, attempting to parse JSON`);\n      ALL_TOOLS = JSON.parse(toolsFileContent);\n      server.debug(`Successfully parsed ${ALL_TOOLS.length} tools from file`);\n    } else {\n      server.debug(`Tools file does not exist at: `);\n      server.debug(`Using empty tools array`);\n      ALL_TOOLS = [];\n    }\n  } catch (error) {\n    server.debug(`Error reading tools file: ${error instanceof Error ? error.message : String(error)}`);\n    server.debug(`Falling back to empty tools array`);\n    ALL_TOOLS = [];\n  }\n\n  return ALL_TOOLS;\n}\n\n/**\n * Attach handlers to tools\n * @param {Array} tools - Array of tool definitions\n * @param {Object} handlers - Object containing handler functions\n * @returns {Array} Tools with handlers attached\n */\nfunction attachHandlers(tools, handlers) {\n  tools.forEach(tool =\u003e {\n    if (tool.name === \"create_pull_request\") {\n      tool.handler = handlers.createPullRequestHandler;\n    } else if (tool.name === \"push_to_pull_request_branch\") {\n      tool.handler = handlers.pushToPullRequestBranchHandler;\n    } else if (tool.name === \"upload_asset\") {\n      tool.handler = handlers.uploadAssetHandler;\n    }\n  });\n  return tools;\n}\n\n/**\n * Register predefined tools based on configuration\n * @param {Object} server - The MCP server instance\n * @param {Array} tools - Array of tool definitions\n * @param {Object} config - Safe outputs configuration\n * @param {Function} registerTool - Function to register a tool\n * @param {Function} normalizeTool - Function to normalize tool names\n */\nfunction registerPredefinedTools(server, tools, config, registerTool, normalizeTool) {\n  tools.forEach(tool =\u003e {\n    if (Object.keys(config).find(configKey =\u003e normalizeTool(configKey) === tool.name)) {\n      registerTool(server, tool);\n    }\n  });\n}\n\n/**\n * Register dynamic safe-job tools based on configuration\n * @param {Object} server - The MCP server instance\n * @param {Array} tools - Array of predefined tool definitions\n * @param {Object} config - Safe outputs configuration\n * @param {string} outputFile - Path to the output file\n * @param {Function} registerTool - Function to register a tool\n * @param {Function} normalizeTool - Function to normalize tool names\n */\nfunction registerDynamicTools(server, tools, config, outputFile, registerTool, normalizeTool) {\n  Object.keys(config).forEach(configKey =\u003e {\n    const normalizedKey = normalizeTool(configKey);\n\n    // Skip if it's already a predefined tool\n    if (server.tools[normalizedKey]) {\n      return;\n    }\n\n    // Check if this is a safe-job (not in ALL_TOOLS)\n    if (!tools.find(t =\u003e t.name === normalizedKey)) {\n      const jobConfig = config[configKey];\n\n      // Create a dynamic tool for this safe-job\n      const dynamicTool = {\n        name: normalizedKey,\n        description: jobConfig \u0026\u0026 jobConfig.description ? jobConfig.description : `Custom safe-job: `,\n        inputSchema: {\n          type: \"object\",\n          properties: {},\n          additionalProperties: true, // Allow any properties for flexibility\n        },\n        handler: args =\u003e {\n          // Create a generic safe-job output entry\n          const entry = {\n            type: normalizedKey,\n            ...args,\n          };\n\n          // Write the entry to the output file in JSONL format\n          // CRITICAL: Use JSON.stringify WITHOUT formatting parameters for JSONL format\n          // Each entry must be on a single line, followed by a newline character\n          const entryJSON = JSON.stringify(entry);\n          fs.appendFileSync(outputFile, entryJSON + \"\\n\");\n\n          // Use output from safe-job config if available\n          const outputText = jobConfig \u0026\u0026 jobConfig.output ? jobConfig.output : `Safe-job '' executed successfully with arguments: ${JSON.stringify(args)}`;\n\n          return {\n            content: [\n              {\n                type: \"text\",\n                text: JSON.stringify({ result: outputText }),\n              },\n            ],\n          };\n        },\n      };\n\n      // Add input schema based on job configuration if available\n      if (jobConfig \u0026\u0026 jobConfig.inputs) {\n        dynamicTool.inputSchema.properties = {};\n        dynamicTool.inputSchema.required = [];\n\n        Object.keys(jobConfig.inputs).forEach(inputName =\u003e {\n          const inputDef = jobConfig.inputs[inputName];\n          const propSchema = {\n            type: inputDef.type || \"string\",\n            description: inputDef.description || `Input parameter: `,\n          };\n\n          if (inputDef.options \u0026\u0026 Array.isArray(inputDef.options)) {\n            propSchema.enum = inputDef.options;\n          }\n\n          dynamicTool.inputSchema.properties[inputName] = propSchema;\n\n          if (inputDef.required) {\n            dynamicTool.inputSchema.required.push(inputName);\n          }\n        });\n      }\n\n      registerTool(server, dynamicTool);\n    }\n  });\n}\n\nmodule.exports = {\n  loadTools,\n  attachHandlers,\n  registerPredefinedTools,\n  registerDynamicTools,\n};\n"
-  };
-
-async function run() {
-  try {
-    const destination = core.getInput('destination') || '/tmp/gh-aw/safeoutputs';
-    
-    core.info(`Copying safe-outputs files to ${destination}`);
-    
-    // Create destination directory if it doesn't exist
-    if (!fs.existsSync(destination)) {
-      fs.mkdirSync(destination, { recursive: true });
-      core.info(`Created directory: ${destination}`);
-    }
-    
-    let fileCount = 0;
-    
-    // Copy each embedded file
-    for (const [filename, content] of Object.entries(FILES)) {
-      const filePath = path.join(destination, filename);
-      fs.writeFileSync(filePath, content, 'utf8');
-      core.info(`Copied: ${filename}`);
-      fileCount++;
-    }
-    
-    core.setOutput('files-copied', fileCount.toString());
-    core.info(`✓ Successfully copied ${fileCount} files`);
-    
-  } catch (error) {
-    core.setFailed(`Action failed: ${error.message}`);
-  }
-}
-
-run();
diff --git a/actions/setup-safe-outputs/js/mcp_logger.cjs b/actions/setup-safe-outputs/js/mcp_logger.cjs
new file mode 100644
index 00000000000..c4e764160ac
--- /dev/null
+++ b/actions/setup-safe-outputs/js/mcp_logger.cjs
@@ -0,0 +1,53 @@
+// @ts-check
+/// <reference types="@actions/github-script" />
+
+/**
+ * MCP Logger Utility
+ *
+ * This module provides logger creation utilities for MCP servers.
+ * It creates logger objects with debug and debugError methods that write
+ * timestamped messages to stderr.
+ *
+ * Usage:
+ *   const { createLogger } = require("./mcp_logger.cjs");
+ *   const logger = createLogger("my-server");
+ *   logger.debug("Server started");
+ *   logger.debugError("Error: ", new Error("Something went wrong"));
+ */
+
+/**
+ * Create a logger object with debug and debugError methods
+ * @param {string} serverName - Name to include in log messages
+ * @returns {Object} Logger object with debug and debugError methods
+ */
+function createLogger(serverName) {
+  const logger = {
+    /**
+     * Log a debug message to stderr with timestamp
+     * @param {string} msg - Message to log
+     */
+    debug: msg => {
+      const timestamp = new Date().toISOString();
+      process.stderr.write(`[${timestamp}] [${serverName}] ${msg}\n`);
+    },
+
+    /**
+     * Log an error with optional stack trace
+     * @param {string} prefix - Prefix for the error message
+     * @param {Error|string|any} error - Error object or message
+     */
+    debugError: (prefix, error) => {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      logger.debug(`${prefix}${errorMessage}`);
+      if (error instanceof Error && error.stack) {
+        logger.debug(`${prefix}Stack trace: ${error.stack}`);
+      }
+    },
+  };
+
+  return logger;
+}
+
+module.exports = {
+  createLogger,
+};
diff --git a/actions/setup-safe-outputs/js/mcp_server_core.cjs b/actions/setup-safe-outputs/js/mcp_server_core.cjs
new file mode 100644
index 00000000000..ab1a60832cf
--- /dev/null
+++ b/actions/setup-safe-outputs/js/mcp_server_core.cjs
@@ -0,0 +1,747 @@
+// @ts-check
+/// <reference types="@actions/github-script" />
+
+/**
+ * MCP Server Core Module
+ *
+ * This module provides a reusable API for creating MCP (Model Context Protocol) servers.
+ * It handles JSON-RPC 2.0 message parsing, tool registration, and server lifecycle.
+ *
+ * Usage:
+ *   const { createServer, registerTool, start } = require("./mcp_server_core.cjs");
+ *
+ *   const server = createServer({ name: "my-server", version: "1.0.0" });
+ *   registerTool(server, {
+ *     name: "my_tool",
+ *     description: "A tool",
+ *     inputSchema: { type: "object", properties: {} },
+ *     handler: (args) => ({ content: [{ type: "text", text: "result" }] })
+ *   });
+ *   start(server);
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+const { ReadBuffer } = require("./read_buffer.cjs");
+const { validateRequiredFields } = require("./safe_inputs_validation.cjs");
+
+const encoder = new TextEncoder();
+
+/**
+ * @typedef {Object} ServerInfo
+ * @property {string} name - Server name
+ * @property {string} version - Server version
+ */
+
+/**
+ * @typedef {Object} Tool
+ * @property {string} name - Tool name
+ * @property {string} description - Tool description
+ * @property {Object} inputSchema - JSON Schema for tool inputs
+ * @property {Function} [handler] - Tool handler function
+ * @property {string} [handlerPath] - Optional file path to handler module (original path from config)
+ * @property {number} [timeout] - Timeout in seconds for tool execution (default: 60)
+ */
+
+/**
+ * @typedef {Object} MCPServer
+ * @property {ServerInfo} serverInfo - Server information
+ * @property {Object<string, Tool>} tools - Registered tools
+ * @property {Function} debug - Debug logging function
+ * @property {Function} debugError - Debug logging function for errors (extracts message from Error objects)
+ * @property {Function} writeMessage - Write message to stdout
+ * @property {Function} replyResult - Send a result response
+ * @property {Function} replyError - Send an error response
+ * @property {ReadBuffer} readBuffer - Message buffer
+ * @property {string} [logDir] - Optional log directory
+ * @property {string} [logFilePath] - Optional log file path
+ * @property {boolean} logFileInitialized - Whether log file has been initialized
+ */
+
+/**
+ * Initialize log file for the server
+ * @param {MCPServer} server - The MCP server instance
+ */
+function initLogFile(server) {
+  if (server.logFileInitialized || !server.logDir || !server.logFilePath) return;
+  try {
+    if (!fs.existsSync(server.logDir)) {
+      fs.mkdirSync(server.logDir, { recursive: true });
+    }
+    // Initialize/truncate log file with header
+    const timestamp = new Date().toISOString();
+    fs.writeFileSync(server.logFilePath, `# ${server.serverInfo.name} MCP Server Log\n# Started: ${timestamp}\n# Version: ${server.serverInfo.version}\n\n`);
+    server.logFileInitialized = true;
+  } catch {
+    // Silently ignore errors - logging to stderr will still work
+  }
+}
+
+/**
+ * Create a debug function for the server
+ * @param {MCPServer} server - The MCP server instance
+ * @returns {Function} Debug function
+ */
+function createDebugFunction(server) {
+  return msg => {
+    const timestamp = new Date().toISOString();
+    const formattedMsg = `[${timestamp}] [${server.serverInfo.name}] ${msg}\n`;
+
+    // Always write to stderr
+    process.stderr.write(formattedMsg);
+
+    // Also write to log file if log directory is set (initialize on first use)
+    if (server.logDir && server.logFilePath) {
+      if (!server.logFileInitialized) {
+        initLogFile(server);
+      }
+      if (server.logFileInitialized) {
+        try {
+          fs.appendFileSync(server.logFilePath, formattedMsg);
+        } catch {
+          // Silently ignore file write errors - stderr logging still works
+        }
+      }
+    }
+  };
+}
+
+/**
+ * Create a debugError function for the server that handles error casting
+ * @param {MCPServer} server - The MCP server instance
+ * @returns {Function} Debug error function that extracts message from Error objects
+ */
+function createDebugErrorFunction(server) {
+  return (prefix, error) => {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    server.debug(`${prefix}${errorMessage}`);
+    if (error instanceof Error && error.stack) {
+      server.debug(`${prefix}Stack trace: ${error.stack}`);
+    }
+  };
+}
+
+/**
+ * Create a writeMessage function for the server
+ * @param {MCPServer} server - The MCP server instance
+ * @returns {Function} Write message function
+ */
+function createWriteMessageFunction(server) {
+  return obj => {
+    const json = JSON.stringify(obj);
+    server.debug(`send: ${json}`);
+    const message = json + "\n";
+    const bytes = encoder.encode(message);
+    fs.writeSync(1, bytes);
+  };
+}
+
+/**
+ * Create a replyResult function for the server
+ * @param {MCPServer} server - The MCP server instance
+ * @returns {Function} Reply result function
+ */
+function createReplyResultFunction(server) {
+  return (id, result) => {
+    if (id === undefined || id === null) return; // notification
+    const res = { jsonrpc: "2.0", id, result };
+    server.writeMessage(res);
+  };
+}
+
+/**
+ * Create a replyError function for the server
+ * @param {MCPServer} server - The MCP server instance
+ * @returns {Function} Reply error function
+ */
+function createReplyErrorFunction(server) {
+  return (id, code, message) => {
+    // Don't send error responses for notifications (id is null/undefined)
+    if (id === undefined || id === null) {
+      server.debug(`Error for notification: ${message}`);
+      return;
+    }
+
+    const error = { code, message };
+    const res = {
+      jsonrpc: "2.0",
+      id,
+      error,
+    };
+    server.writeMessage(res);
+  };
+}
+
+/**
+ * Create a new MCP server instance
+ * @param {ServerInfo} serverInfo - Server information (name and version)
+ * @param {Object} [options] - Optional server configuration
+ * @param {string} [options.logDir] - Directory for log file (optional)
+ * @returns {MCPServer} The MCP server instance
+ */
+function createServer(serverInfo, options = {}) {
+  const logDir = options.logDir || undefined;
+  const logFilePath = logDir ? path.join(logDir, "server.log") : undefined;
+
+  /** @type {MCPServer} */
+  const server = {
+    serverInfo,
+    tools: {},
+    debug: () => {}, // placeholder
+    debugError: () => {}, // placeholder
+    writeMessage: () => {}, // placeholder
+    replyResult: () => {}, // placeholder
+    replyError: () => {}, // placeholder
+    readBuffer: new ReadBuffer(),
+    logDir,
+    logFilePath,
+    logFileInitialized: false,
+  };
+
+  // Initialize functions with references to server
+  server.debug = createDebugFunction(server);
+  server.debugError = createDebugErrorFunction(server);
+  server.writeMessage = createWriteMessageFunction(server);
+  server.replyResult = createReplyResultFunction(server);
+  server.replyError = createReplyErrorFunction(server);
+
+  return server;
+}
+
+/**
+ * Create a wrapped handler function that normalizes results to MCP format.
+ * Extracted to avoid creating closures with excessive scope in loadToolHandlers.
+ *
+ * @param {MCPServer} server - The MCP server instance for logging
+ * @param {string} toolName - Name of the tool for logging purposes
+ * @param {Function} handlerFn - The original handler function to wrap
+ * @returns {Function} Wrapped async handler function
+ */
+function createWrappedHandler(server, toolName, handlerFn) {
+  return async args => {
+    server.debug(`  [${toolName}] Invoking handler with args: ${JSON.stringify(args)}`);
+
+    try {
+      // Call the handler (may be sync or async)
+      const result = await Promise.resolve(handlerFn(args));
+      server.debug(`  [${toolName}] Handler returned result type: ${typeof result}`);
+
+      // If the result is already in MCP format (has content array), return as-is
+      if (result && typeof result === "object" && Array.isArray(result.content)) {
+        server.debug(`  [${toolName}] Result is already in MCP format`);
+        return result;
+      }
+
+      // Otherwise, serialize the result to text
+      // Use try-catch for serialization to handle circular references and non-serializable values
+      let serializedResult;
+      try {
+        serializedResult = JSON.stringify(result);
+      } catch (serializationError) {
+        server.debugError(`  [${toolName}] Serialization error: `, serializationError);
+        // Fall back to String() for non-serializable values
+        serializedResult = String(result);
+      }
+      server.debug(`  [${toolName}] Serialized result: ${serializedResult.substring(0, 200)}${serializedResult.length > 200 ? "..." : ""}`);
+
+      return {
+        content: [
+          {
+            type: "text",
+            text: serializedResult,
+          },
+        ],
+      };
+    } catch (error) {
+      server.debugError(`  [${toolName}] Handler threw error: `, error);
+      throw error;
+    }
+  };
+}
+
+/**
+ * Load handler functions from file paths specified in tools configuration.
+ * This function iterates through tools and loads handler modules based on file extension:
+ *
+ * For JavaScript handlers (.js, .cjs, .mjs):
+ *   - Uses require() to load the module
+ *   - Handler must export a function as default export
+ *   - Handler signature: async function handler(args: Record<string, unknown>): Promise<unknown>
+ *
+ * For Shell script handlers (.sh):
+ *   - Uses GitHub Actions convention for passing inputs/outputs
+ *   - Inputs are passed as environment variables prefixed with INPUT_ (uppercased)
+ *   - Outputs are read from GITHUB_OUTPUT file (key=value format per line)
+ *   - Returns: { stdout, stderr, outputs }
+ *
+ * For Python script handlers (.py):
+ *   - Uses GitHub Actions convention for passing inputs/outputs
+ *   - Inputs are passed as environment variables prefixed with INPUT_ (uppercased)
+ *   - Outputs are read from GITHUB_OUTPUT file (key=value format per line)
+ *   - Executed using python3 command
+ *   - Returns: { stdout, stderr, outputs }
+ *
+ * SECURITY NOTE: Handler paths are loaded from tools.json configuration file,
+ * which should be controlled by the server administrator. When basePath is provided,
+ * relative paths are resolved within it, preventing directory traversal outside
+ * the intended directory. Absolute paths bypass this validation but are still
+ * logged for auditing purposes.
+ *
+ * @param {MCPServer} server - The MCP server instance for logging
+ * @param {Array<Object>} tools - Array of tool configurations from tools.json
+ * @param {string} [basePath] - Optional base path for resolving relative handler paths.
+ *                              When provided, relative paths are validated to be within this directory.
+ * @returns {Array<Object>} The tools array with loaded handlers attached
+ */
+function loadToolHandlers(server, tools, basePath) {
+  server.debug(`Loading tool handlers...`);
+  server.debug(`  Total tools to process: ${tools.length}`);
+  server.debug(`  Base path: ${basePath || "(not specified)"}`);
+
+  let loadedCount = 0;
+  let skippedCount = 0;
+  let errorCount = 0;
+
+  for (const tool of tools) {
+    const toolName = tool.name || "(unnamed)";
+
+    // Check if tool has a handler path specified
+    if (!tool.handler) {
+      server.debug(`  [${toolName}] No handler path specified, skipping handler load`);
+      skippedCount++;
+      continue;
+    }
+
+    const handlerPath = tool.handler;
+    server.debug(`  [${toolName}] Handler path specified: ${handlerPath}`);
+
+    // Resolve the handler path
+    let resolvedPath = handlerPath;
+    if (basePath && !path.isAbsolute(handlerPath)) {
+      resolvedPath = path.resolve(basePath, handlerPath);
+      server.debug(`  [${toolName}] Resolved relative path to: ${resolvedPath}`);
+
+      // Security validation: Ensure resolved path is within basePath to prevent directory traversal
+      const normalizedBase = path.resolve(basePath);
+      const normalizedResolved = path.resolve(resolvedPath);
+      if (!normalizedResolved.startsWith(normalizedBase + path.sep) && normalizedResolved !== normalizedBase) {
+        server.debug(`  [${toolName}] ERROR: Handler path escapes base directory: ${resolvedPath} is not within ${basePath}`);
+        errorCount++;
+        continue;
+      }
+    } else if (path.isAbsolute(handlerPath)) {
+      server.debug(`  [${toolName}] Using absolute path (bypasses basePath validation): ${handlerPath}`);
+    }
+
+    // Store the original handler path for reference
+    tool.handlerPath = handlerPath;
+
+    try {
+      server.debug(`  [${toolName}] Loading handler from: ${resolvedPath}`);
+
+      // Check if file exists before loading
+      if (!fs.existsSync(resolvedPath)) {
+        server.debug(`  [${toolName}] ERROR: Handler file does not exist: ${resolvedPath}`);
+        errorCount++;
+        continue;
+      }
+
+      // Detect handler type by file extension
+      const ext = path.extname(resolvedPath).toLowerCase();
+      server.debug(`  [${toolName}] Handler file extension: ${ext}`);
+
+      if (ext === ".sh") {
+        // Shell script handler - use GitHub Actions convention
+        server.debug(`  [${toolName}] Detected shell script handler`);
+
+        // Make sure the script is executable (on Unix-like systems)
+        try {
+          fs.accessSync(resolvedPath, fs.constants.X_OK);
+          server.debug(`  [${toolName}] Shell script is executable`);
+        } catch {
+          // Try to make it executable
+          try {
+            fs.chmodSync(resolvedPath, 0o755);
+            server.debug(`  [${toolName}] Made shell script executable`);
+          } catch (chmodError) {
+            server.debugError(`  [${toolName}] Warning: Could not make shell script executable: `, chmodError);
+            // Continue anyway - it might work depending on the shell
+          }
+        }
+
+        // Lazy-load shell handler module
+        const { createShellHandler } = require("./mcp_handler_shell.cjs");
+        const timeout = tool.timeout || 60; // Default to 60 seconds if not specified
+        tool.handler = createShellHandler(server, toolName, resolvedPath, timeout);
+
+        loadedCount++;
+        server.debug(`  [${toolName}] Shell handler created successfully with timeout: ${timeout}s`);
+      } else if (ext === ".py") {
+        // Python script handler - use GitHub Actions convention
+        server.debug(`  [${toolName}] Detected Python script handler`);
+
+        // Make sure the script is executable (on Unix-like systems)
+        try {
+          fs.accessSync(resolvedPath, fs.constants.X_OK);
+          server.debug(`  [${toolName}] Python script is executable`);
+        } catch {
+          // Try to make it executable
+          try {
+            fs.chmodSync(resolvedPath, 0o755);
+            server.debug(`  [${toolName}] Made Python script executable`);
+          } catch (chmodError) {
+            server.debugError(`  [${toolName}] Warning: Could not make Python script executable: `, chmodError);
+            // Continue anyway - python3 will be called explicitly
+          }
+        }
+
+        // Lazy-load Python handler module
+        const { createPythonHandler } = require("./mcp_handler_python.cjs");
+        const timeout = tool.timeout || 60; // Default to 60 seconds if not specified
+        tool.handler = createPythonHandler(server, toolName, resolvedPath, timeout);
+
+        loadedCount++;
+        server.debug(`  [${toolName}] Python handler created successfully with timeout: ${timeout}s`);
+      } else {
+        // JavaScript/CommonJS handler - use require()
+        server.debug(`  [${toolName}] Loading JavaScript handler module`);
+
+        // Load the handler module
+        const handlerModule = require(resolvedPath);
+        server.debug(`  [${toolName}] Handler module loaded successfully`);
+        server.debug(`  [${toolName}] Module type: ${typeof handlerModule}`);
+
+        // Get the handler function (support default export patterns)
+        let handlerFn = handlerModule;
+
+        // Handle ES module default export pattern (module.default)
+        if (handlerModule && typeof handlerModule === "object" && typeof handlerModule.default === "function") {
+          handlerFn = handlerModule.default;
+          server.debug(`  [${toolName}] Using module.default export`);
+        }
+
+        // Validate that the handler is a function
+        if (typeof handlerFn !== "function") {
+          server.debug(`  [${toolName}] ERROR: Handler is not a function, got: ${typeof handlerFn}`);
+          server.debug(`  [${toolName}] Module keys: ${Object.keys(handlerModule || {}).join(", ") || "(none)"}`);
+          errorCount++;
+          continue;
+        }
+
+        server.debug(`  [${toolName}] Handler function validated successfully`);
+        server.debug(`  [${toolName}] Handler function name: ${handlerFn.name || "(anonymous)"}`);
+
+        // Wrap the handler using the separate function to avoid bloating the closure
+        tool.handler = createWrappedHandler(server, toolName, handlerFn);
+
+        loadedCount++;
+        server.debug(`  [${toolName}] JavaScript handler loaded and wrapped successfully`);
+      }
+    } catch (error) {
+      server.debugError(`  [${toolName}] ERROR loading handler: `, error);
+      errorCount++;
+    }
+  }
+
+  server.debug(`Handler loading complete:`);
+  server.debug(`  Loaded: ${loadedCount}`);
+  server.debug(`  Skipped (no handler path): ${skippedCount}`);
+  server.debug(`  Errors: ${errorCount}`);
+
+  return tools;
+}
+
+/**
+ * Register a tool with the server
+ * @param {MCPServer} server - The MCP server instance
+ * @param {Tool} tool - The tool to register
+ */
+function registerTool(server, tool) {
+  const normalizedName = normalizeTool(tool.name);
+  server.tools[normalizedName] = {
+    ...tool,
+    name: normalizedName,
+  };
+  server.debug(`Registered tool: ${normalizedName}`);
+}
+
+/**
+ * Normalize a tool name (convert dashes to underscores, lowercase)
+ * @param {string} name - The tool name to normalize
+ * @returns {string} Normalized tool name
+ */
+function normalizeTool(name) {
+  return name.replace(/-/g, "_").toLowerCase();
+}
+
+/**
+ * Handle an incoming JSON-RPC request and return a response (for HTTP transport)
+ * This function is compatible with the MCPServer class's handleRequest method.
+ * @param {MCPServer} server - The MCP server instance
+ * @param {Object} request - The incoming JSON-RPC request
+ * @param {Function} [defaultHandler] - Default handler for tools without a handler
+ * @returns {Promise<Object|null>} JSON-RPC response object, or null for notifications
+ */
+async function handleRequest(server, request, defaultHandler) {
+  const { id, method, params } = request;
+
+  try {
+    // Handle notifications per JSON-RPC 2.0 spec:
+    // Requests without id field are notifications (no response)
+    // Note: id can be null for valid requests, so we check for field presence with "in" operator
+    if (!("id" in request)) {
+      // No id field - this is a notification (no response)
+      return null;
+    }
+
+    let result;
+
+    if (method === "initialize") {
+      const protocolVersion = params?.protocolVersion || "2024-11-05";
+      result = {
+        protocolVersion,
+        serverInfo: server.serverInfo,
+        capabilities: {
+          tools: {},
+        },
+      };
+    } else if (method === "ping") {
+      result = {};
+    } else if (method === "tools/list") {
+      const list = [];
+      Object.values(server.tools).forEach(tool => {
+        const toolDef = {
+          name: tool.name,
+          description: tool.description,
+          inputSchema: tool.inputSchema,
+        };
+        list.push(toolDef);
+      });
+      result = { tools: list };
+    } else if (method === "tools/call") {
+      const name = params?.name;
+      const args = params?.arguments ?? {};
+      if (!name || typeof name !== "string") {
+        throw {
+          code: -32602,
+          message: "Invalid params: 'name' must be a string",
+        };
+      }
+      const tool = server.tools[normalizeTool(name)];
+      if (!tool) {
+        throw {
+          code: -32602,
+          message: `Tool '${name}' not found`,
+        };
+      }
+
+      // Use tool handler, or default handler, or error
+      let handler = tool.handler;
+      if (!handler && defaultHandler) {
+        handler = defaultHandler(tool.name);
+      }
+      if (!handler) {
+        throw {
+          code: -32603,
+          message: `No handler for tool: ${name}`,
+        };
+      }
+
+      const missing = validateRequiredFields(args, tool.inputSchema);
+      if (missing.length) {
+        throw {
+          code: -32602,
+          message: `Invalid arguments: missing or empty ${missing.map(m => `'${m}'`).join(", ")}`,
+        };
+      }
+
+      // Call handler and await the result (supports both sync and async handlers)
+      const handlerResult = await Promise.resolve(handler(args));
+      const content = handlerResult && handlerResult.content ? handlerResult.content : [];
+      result = { content, isError: false };
+    } else if (/^notifications\//.test(method)) {
+      // Notifications don't need a response
+      return null;
+    } else {
+      throw {
+        code: -32601,
+        message: `Method not found: ${method}`,
+      };
+    }
+
+    return {
+      jsonrpc: "2.0",
+      id,
+      result,
+    };
+  } catch (error) {
+    /** @type {any} */
+    const err = error;
+    return {
+      jsonrpc: "2.0",
+      id,
+      error: {
+        code: err.code || -32603,
+        message: err.message || "Internal error",
+      },
+    };
+  }
+}
+
+/**
+ * Handle an incoming JSON-RPC message (for stdio transport)
+ * @param {MCPServer} server - The MCP server instance
+ * @param {Object} req - The incoming request
+ * @param {Function} [defaultHandler] - Default handler for tools without a handler
+ * @returns {Promise<void>}
+ */
+async function handleMessage(server, req, defaultHandler) {
+  // Validate basic JSON-RPC structure
+  if (!req || typeof req !== "object") {
+    server.debug(`Invalid message: not an object`);
+    return;
+  }
+
+  if (req.jsonrpc !== "2.0") {
+    server.debug(`Invalid message: missing or invalid jsonrpc field`);
+    return;
+  }
+
+  const { id, method, params } = req;
+
+  // Validate method field
+  if (!method || typeof method !== "string") {
+    server.replyError(id, -32600, "Invalid Request: method must be a string");
+    return;
+  }
+
+  try {
+    if (method === "initialize") {
+      const clientInfo = params?.clientInfo ?? {};
+      server.debug(`client info: ${JSON.stringify(clientInfo)}`);
+      const protocolVersion = params?.protocolVersion ?? undefined;
+      const result = {
+        serverInfo: server.serverInfo,
+        ...(protocolVersion ? { protocolVersion } : {}),
+        capabilities: {
+          tools: {},
+        },
+      };
+      server.replyResult(id, result);
+    } else if (method === "tools/list") {
+      const list = [];
+      Object.values(server.tools).forEach(tool => {
+        const toolDef = {
+          name: tool.name,
+          description: tool.description,
+          inputSchema: tool.inputSchema,
+        };
+        list.push(toolDef);
+      });
+      server.replyResult(id, { tools: list });
+    } else if (method === "tools/call") {
+      const name = params?.name;
+      const args = params?.arguments ?? {};
+      if (!name || typeof name !== "string") {
+        server.replyError(id, -32602, "Invalid params: 'name' must be a string");
+        return;
+      }
+      const tool = server.tools[normalizeTool(name)];
+      if (!tool) {
+        server.replyError(id, -32601, `Tool not found: ${name} (${normalizeTool(name)})`);
+        return;
+      }
+
+      // Use tool handler, or default handler, or error
+      let handler = tool.handler;
+      if (!handler && defaultHandler) {
+        handler = defaultHandler(tool.name);
+      }
+      if (!handler) {
+        server.replyError(id, -32603, `No handler for tool: ${name}`);
+        return;
+      }
+
+      const missing = validateRequiredFields(args, tool.inputSchema);
+      if (missing.length) {
+        server.replyError(id, -32602, `Invalid arguments: missing or empty ${missing.map(m => `'${m}'`).join(", ")}`);
+        return;
+      }
+
+      // Call handler and await the result (supports both sync and async handlers)
+      server.debug(`Calling handler for tool: ${name}`);
+      const result = await Promise.resolve(handler(args));
+      server.debug(`Handler returned for tool: ${name}`);
+      const content = result && result.content ? result.content : [];
+      server.replyResult(id, { content, isError: false });
+    } else if (/^notifications\//.test(method)) {
+      server.debug(`ignore ${method}`);
+    } else {
+      server.replyError(id, -32601, `Method not found: ${method}`);
+    }
+  } catch (e) {
+    server.replyError(id, -32603, e instanceof Error ? e.message : String(e));
+  }
+}
+
+/**
+ * Process the read buffer and handle messages
+ * @param {MCPServer} server - The MCP server instance
+ * @param {Function} [defaultHandler] - Default handler for tools without a handler
+ * @returns {Promise<void>}
+ */
+async function processReadBuffer(server, defaultHandler) {
+  while (true) {
+    try {
+      const message = server.readBuffer.readMessage();
+      if (!message) {
+        break;
+      }
+      server.debug(`recv: ${JSON.stringify(message)}`);
+      await handleMessage(server, message, defaultHandler);
+    } catch (error) {
+      // For parse errors, we can't know the request id, so we shouldn't send a response
+      // according to JSON-RPC spec. Just log the error.
+      server.debug(`Parse error: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+}
+
+/**
+ * Start the MCP server on stdio
+ * @param {MCPServer} server - The MCP server instance
+ * @param {Object} [options] - Start options
+ * @param {Function} [options.defaultHandler] - Default handler for tools without a handler
+ */
+function start(server, options = {}) {
+  const { defaultHandler } = options;
+
+  server.debug(`v${server.serverInfo.version} ready on stdio`);
+  server.debug(`  tools: ${Object.keys(server.tools).join(", ")}`);
+
+  if (!Object.keys(server.tools).length) {
+    throw new Error("No tools registered");
+  }
+
+  const onData = async chunk => {
+    server.readBuffer.append(chunk);
+    await processReadBuffer(server, defaultHandler);
+  };
+
+  process.stdin.on("data", onData);
+  process.stdin.on("error", err => server.debug(`stdin error: ${err}`));
+  process.stdin.resume();
+  server.debug(`listening...`);
+}
+
+module.exports = {
+  createServer,
+  registerTool,
+  normalizeTool,
+  handleRequest,
+  handleMessage,
+  processReadBuffer,
+  start,
+  loadToolHandlers,
+};
diff --git a/actions/setup-safe-outputs/js/messages.cjs b/actions/setup-safe-outputs/js/messages.cjs
new file mode 100644
index 00000000000..401a4adf8e3
--- /dev/null
+++ b/actions/setup-safe-outputs/js/messages.cjs
@@ -0,0 +1,58 @@
+// @ts-check
+/// <reference types="@actions/github-script" />
+
+/**
+ * Safe Output Messages Module (Barrel File)
+ *
+ * This module re-exports all message functions from the modular message files.
+ * It provides backward compatibility for existing code that imports from messages.cjs.
+ *
+ * For new code, prefer importing directly from the specific modules:
+ * - ./messages_core.cjs - Core utilities (getMessages, renderTemplate, toSnakeCase)
+ * - ./messages_footer.cjs - Footer messages (getFooterMessage, getFooterInstallMessage, generateFooterWithMessages)
+ * - ./messages_staged.cjs - Staged mode messages (getStagedTitle, getStagedDescription)
+ * - ./messages_run_status.cjs - Run status messages (getRunStartedMessage, getRunSuccessMessage, getRunFailureMessage)
+ * - ./messages_close_discussion.cjs - Close discussion messages (getCloseOlderDiscussionMessage)
+ *
+ * Supported placeholders:
+ * - {workflow_name} - Name of the workflow
+ * - {run_url} - URL to the workflow run
+ * - {workflow_source} - Source specification (owner/repo/path@ref)
+ * - {workflow_source_url} - GitHub URL for the workflow source
+ * - {triggering_number} - Issue/PR/Discussion number that triggered this workflow
+ * - {operation} - Operation name (for staged mode titles/descriptions)
+ * - {event_type} - Event type description (for run-started messages)
+ * - {status} - Workflow status text (for run-failure messages)
+ *
+ * Both camelCase and snake_case placeholder formats are supported.
+ */
+
+// Re-export core utilities
+const { getMessages, renderTemplate } = require("./messages_core.cjs");
+
+// Re-export footer messages
+const { getFooterMessage, getFooterInstallMessage, generateFooterWithMessages, generateXMLMarker } = require("./messages_footer.cjs");
+
+// Re-export staged mode messages
+const { getStagedTitle, getStagedDescription } = require("./messages_staged.cjs");
+
+// Re-export run status messages
+const { getRunStartedMessage, getRunSuccessMessage, getRunFailureMessage } = require("./messages_run_status.cjs");
+
+// Re-export close discussion messages
+const { getCloseOlderDiscussionMessage } = require("./messages_close_discussion.cjs");
+
+module.exports = {
+  getMessages,
+  renderTemplate,
+  getFooterMessage,
+  getFooterInstallMessage,
+  generateFooterWithMessages,
+  generateXMLMarker,
+  getStagedTitle,
+  getStagedDescription,
+  getRunStartedMessage,
+  getRunSuccessMessage,
+  getRunFailureMessage,
+  getCloseOlderDiscussionMessage,
+};
diff --git a/actions/setup-safe-outputs/js/safe_outputs_bootstrap.cjs b/actions/setup-safe-outputs/js/safe_outputs_bootstrap.cjs
new file mode 100644
index 00000000000..68b63569e5a
--- /dev/null
+++ b/actions/setup-safe-outputs/js/safe_outputs_bootstrap.cjs
@@ -0,0 +1,74 @@
+// @ts-check
+
+/**
+ * Safe Outputs Bootstrap Module
+ *
+ * This module provides shared bootstrap logic for safe-outputs MCP server.
+ * It handles configuration loading, tools loading, and cleanup that is
+ * common initialization logic.
+ *
+ * Usage:
+ *   const { bootstrapSafeOutputsServer } = require("./safe_outputs_bootstrap.cjs");
+ *   const { config, outputFile, tools } = bootstrapSafeOutputsServer(server);
+ */
+
+const fs = require("fs");
+const { loadConfig } = require("./safe_outputs_config.cjs");
+const { loadTools } = require("./safe_outputs_tools_loader.cjs");
+
+/**
+ * @typedef {Object} Logger
+ * @property {Function} debug - Debug logging function
+ * @property {Function} debugError - Error logging function
+ */
+
+/**
+ * @typedef {Object} BootstrapResult
+ * @property {Object} config - Loaded configuration
+ * @property {string} outputFile - Path to the output file
+ * @property {Array} tools - Loaded tool definitions
+ */
+
+/**
+ * Bootstrap a safe-outputs server by loading configuration and tools.
+ * This function performs the common initialization steps.
+ *
+ * @param {Logger} logger - Logger instance for debug messages
+ * @returns {BootstrapResult} Configuration, output file path, and loaded tools
+ */
+function bootstrapSafeOutputsServer(logger) {
+  // Load configuration
+  logger.debug("Loading safe-outputs configuration");
+  const { config, outputFile } = loadConfig(logger);
+
+  // Load tools
+  logger.debug("Loading safe-outputs tools");
+  const tools = loadTools(logger);
+
+  return { config, outputFile, tools };
+}
+
+/**
+ * Delete the configuration file to ensure no secrets remain on disk.
+ * This should be called after the server has been configured and started.
+ *
+ * @param {Logger} logger - Logger instance for debug messages
+ */
+function cleanupConfigFile(logger) {
+  const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json";
+
+  try {
+    if (fs.existsSync(configPath)) {
+      fs.unlinkSync(configPath);
+      logger.debug(`Deleted configuration file: ${configPath}`);
+    }
+  } catch (error) {
+    logger.debugError("Warning: Could not delete configuration file: ", error);
+    // Continue anyway - the server is already running
+  }
+}
+
+module.exports = {
+  bootstrapSafeOutputsServer,
+  cleanupConfigFile,
+};
diff --git a/actions/setup-safe-outputs/js/safe_outputs_config.cjs b/actions/setup-safe-outputs/js/safe_outputs_config.cjs
new file mode 100644
index 00000000000..debc3410425
--- /dev/null
+++ b/actions/setup-safe-outputs/js/safe_outputs_config.cjs
@@ -0,0 +1,59 @@
+// @ts-check
+
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Load and process safe outputs configuration
+ * @param {Object} server - The MCP server instance for logging
+ * @returns {Object} An object containing the processed config and output file path
+ */
+function loadConfig(server) {
+  // Read configuration from file
+  const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json";
+  let safeOutputsConfigRaw;
+
+  server.debug(`Reading config from file: ${configPath}`);
+
+  try {
+    if (fs.existsSync(configPath)) {
+      server.debug(`Config file exists at: ${configPath}`);
+      const configFileContent = fs.readFileSync(configPath, "utf8");
+      server.debug(`Config file content length: ${configFileContent.length} characters`);
+      // Don't log raw content to avoid exposing sensitive configuration data
+      server.debug(`Config file read successfully, attempting to parse JSON`);
+      safeOutputsConfigRaw = JSON.parse(configFileContent);
+      server.debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`);
+    } else {
+      server.debug(`Config file does not exist at: ${configPath}`);
+      server.debug(`Using minimal default configuration`);
+      safeOutputsConfigRaw = {};
+    }
+  } catch (error) {
+    server.debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`);
+    server.debug(`Falling back to empty configuration`);
+    safeOutputsConfigRaw = {};
+  }
+
+  const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v]));
+  server.debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`);
+
+  // Handle GH_AW_SAFE_OUTPUTS with default fallback
+  const outputFile = process.env.GH_AW_SAFE_OUTPUTS || "/tmp/gh-aw/safeoutputs/outputs.jsonl";
+  if (!process.env.GH_AW_SAFE_OUTPUTS) {
+    server.debug(`GH_AW_SAFE_OUTPUTS not set, using default: ${outputFile}`);
+  }
+  // Always ensure the directory exists, regardless of whether env var is set
+  const outputDir = path.dirname(outputFile);
+  if (!fs.existsSync(outputDir)) {
+    server.debug(`Creating output directory: ${outputDir}`);
+    fs.mkdirSync(outputDir, { recursive: true });
+  }
+
+  return {
+    config: safeOutputsConfig,
+    outputFile: outputFile,
+  };
+}
+
+module.exports = { loadConfig };
diff --git a/actions/setup-safe-outputs/js/safe_outputs_handlers.cjs b/actions/setup-safe-outputs/js/safe_outputs_handlers.cjs
new file mode 100644
index 00000000000..60c7569222d
--- /dev/null
+++ b/actions/setup-safe-outputs/js/safe_outputs_handlers.cjs
@@ -0,0 +1,322 @@
+// @ts-check
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+const { normalizeBranchName } = require("./normalize_branch_name.cjs");
+const { estimateTokens } = require("./estimate_tokens.cjs");
+const { writeLargeContentToFile } = require("./write_large_content_to_file.cjs");
+const { getCurrentBranch } = require("./get_current_branch.cjs");
+const { getBaseBranch } = require("./get_base_branch.cjs");
+const { generateGitPatch } = require("./generate_git_patch.cjs");
+
+/**
+ * Create handlers for safe output tools
+ * @param {Object} server - The MCP server instance for logging
+ * @param {Function} appendSafeOutput - Function to append entries to the output file
+ * @param {Object} [config] - Optional configuration object with safe output settings
+ * @returns {Object} An object containing all handler functions
+ */
+function createHandlers(server, appendSafeOutput, config = {}) {
+  /**
+   * Default handler for safe output tools
+   * @param {string} type - The tool type
+   * @returns {Function} Handler function
+   */
+  const defaultHandler = type => args => {
+    const entry = { ...(args || {}), type };
+
+    // Check if any field in the entry has content exceeding 16000 tokens
+    let largeContent = null;
+    let largeFieldName = null;
+    const TOKEN_THRESHOLD = 16000;
+
+    for (const [key, value] of Object.entries(entry)) {
+      if (typeof value === "string") {
+        const tokens = estimateTokens(value);
+        if (tokens > TOKEN_THRESHOLD) {
+          largeContent = value;
+          largeFieldName = key;
+          server.debug(`Field '${key}' has ${tokens} tokens (exceeds ${TOKEN_THRESHOLD})`);
+          break;
+        }
+      }
+    }
+
+    if (largeContent && largeFieldName) {
+      // Write large content to file
+      const fileInfo = writeLargeContentToFile(largeContent);
+
+      // Replace large field with file reference
+      entry[largeFieldName] = `[Content too large, saved to file: ${fileInfo.filename}]`;
+
+      // Append modified entry to safe outputs
+      appendSafeOutput(entry);
+
+      // Return file info to the agent
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify(fileInfo),
+          },
+        ],
+      };
+    }
+
+    // Normal case - no large content
+    appendSafeOutput(entry);
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify({ result: "success" }),
+        },
+      ],
+    };
+  };
+
+  /**
+   * Handler for upload_asset tool
+   */
+  const uploadAssetHandler = args => {
+    const branchName = process.env.GH_AW_ASSETS_BRANCH;
+    if (!branchName) throw new Error("GH_AW_ASSETS_BRANCH not set");
+
+    // Normalize the branch name to ensure it's a valid git branch name
+    const normalizedBranchName = normalizeBranchName(branchName);
+
+    const { path: filePath } = args;
+
+    // Validate file path is within allowed directories
+    const absolutePath = path.resolve(filePath);
+    const workspaceDir = process.env.GITHUB_WORKSPACE || process.cwd();
+    const tmpDir = "/tmp";
+
+    const isInWorkspace = absolutePath.startsWith(path.resolve(workspaceDir));
+    const isInTmp = absolutePath.startsWith(tmpDir);
+
+    if (!isInWorkspace && !isInTmp) {
+      throw new Error(`File path must be within workspace directory (${workspaceDir}) or /tmp directory. ` + `Provided path: ${filePath} (resolved to: ${absolutePath})`);
+    }
+
+    // Validate file exists
+    if (!fs.existsSync(filePath)) {
+      throw new Error(`File not found: ${filePath}`);
+    }
+
+    // Get file stats
+    const stats = fs.statSync(filePath);
+    const sizeBytes = stats.size;
+    const sizeKB = Math.ceil(sizeBytes / 1024);
+
+    // Check file size - read from environment variable if available
+    const maxSizeKB = process.env.GH_AW_ASSETS_MAX_SIZE_KB ? parseInt(process.env.GH_AW_ASSETS_MAX_SIZE_KB, 10) : 10240; // Default 10MB
+    if (sizeKB > maxSizeKB) {
+      throw new Error(`File size ${sizeKB} KB exceeds maximum allowed size ${maxSizeKB} KB`);
+    }
+
+    // Check file extension - read from environment variable if available
+    const ext = path.extname(filePath).toLowerCase();
+    const allowedExts = process.env.GH_AW_ASSETS_ALLOWED_EXTS
+      ? process.env.GH_AW_ASSETS_ALLOWED_EXTS.split(",").map(ext => ext.trim())
+      : [
+          // Default set as specified in problem statement
+          ".png",
+          ".jpg",
+          ".jpeg",
+        ];
+
+    if (!allowedExts.includes(ext)) {
+      throw new Error(`File extension '${ext}' is not allowed. Allowed extensions: ${allowedExts.join(", ")}`);
+    }
+
+    // Create assets directory
+    const assetsDir = "/tmp/gh-aw/safeoutputs/assets";
+    if (!fs.existsSync(assetsDir)) {
+      fs.mkdirSync(assetsDir, { recursive: true });
+    }
+
+    // Read file and compute hash
+    const fileContent = fs.readFileSync(filePath);
+    const sha = crypto.createHash("sha256").update(fileContent).digest("hex");
+
+    // Extract filename and extension
+    const fileName = path.basename(filePath);
+    const fileExt = path.extname(fileName).toLowerCase();
+
+    // Copy file to assets directory with original name
+    const targetPath = path.join(assetsDir, fileName);
+    fs.copyFileSync(filePath, targetPath);
+
+    // Generate target filename as sha + extension (lowercased)
+    const targetFileName = (sha + fileExt).toLowerCase();
+
+    const githubServer = process.env.GITHUB_SERVER_URL || "https://github.com";
+    const repo = process.env.GITHUB_REPOSITORY || "owner/repo";
+    const url = `${githubServer.replace("github.com", "raw.githubusercontent.com")}/${repo}/${normalizedBranchName}/${targetFileName}`;
+
+    // Create entry for safe outputs
+    const entry = {
+      type: "upload_asset",
+      path: filePath,
+      fileName: fileName,
+      sha: sha,
+      size: sizeBytes,
+      url: url,
+      targetFileName: targetFileName,
+    };
+
+    appendSafeOutput(entry);
+
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify({ result: url }),
+        },
+      ],
+    };
+  };
+
+  /**
+   * Handler for create_pull_request tool
+   * Resolves the current branch if branch is not provided or is the base branch
+   * Generates git patch for the changes (unless allow-empty is true)
+   */
+  const createPullRequestHandler = args => {
+    const entry = { ...args, type: "create_pull_request" };
+    const baseBranch = getBaseBranch();
+
+    // If branch is not provided, is empty, or equals the base branch, use the current branch from git
+    // This handles cases where the agent incorrectly passes the base branch instead of the working branch
+    if (!entry.branch || entry.branch.trim() === "" || entry.branch === baseBranch) {
+      const detectedBranch = getCurrentBranch();
+
+      if (entry.branch === baseBranch) {
+        server.debug(`Branch equals base branch (${baseBranch}), detecting actual working branch: ${detectedBranch}`);
+      } else {
+        server.debug(`Using current branch for create_pull_request: ${detectedBranch}`);
+      }
+
+      entry.branch = detectedBranch;
+    }
+
+    // Check if allow-empty is enabled in configuration
+    const allowEmpty = config.create_pull_request?.allow_empty === true;
+
+    if (allowEmpty) {
+      server.debug(`allow-empty is enabled for create_pull_request - skipping patch generation`);
+      // Append the safe output entry without generating a patch
+      appendSafeOutput(entry);
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              result: "success",
+              message: "Pull request prepared (allow-empty mode - no patch generated)",
+              branch: entry.branch,
+            }),
+          },
+        ],
+      };
+    }
+
+    // Generate git patch
+    server.debug(`Generating patch for create_pull_request with branch: ${entry.branch}`);
+    const patchResult = generateGitPatch(entry.branch);
+
+    if (!patchResult.success) {
+      // Patch generation failed or patch is empty
+      const errorMsg = patchResult.error || "Failed to generate patch";
+      server.debug(`Patch generation failed: ${errorMsg}`);
+      throw new Error(errorMsg);
+    }
+
+    // prettier-ignore
+    server.debug(`Patch generated successfully: ${patchResult.patchPath} (${patchResult.patchSize} bytes, ${patchResult.patchLines} lines)`);
+
+    appendSafeOutput(entry);
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify({
+            result: "success",
+            patch: {
+              path: patchResult.patchPath,
+              size: patchResult.patchSize,
+              lines: patchResult.patchLines,
+            },
+          }),
+        },
+      ],
+    };
+  };
+
+  /**
+   * Handler for push_to_pull_request_branch tool
+   * Resolves the current branch if branch is not provided or is the base branch
+   * Generates git patch for the changes
+   */
+  const pushToPullRequestBranchHandler = args => {
+    const entry = { ...args, type: "push_to_pull_request_branch" };
+    const baseBranch = getBaseBranch();
+
+    // If branch is not provided, is empty, or equals the base branch, use the current branch from git
+    // This handles cases where the agent incorrectly passes the base branch instead of the working branch
+    if (!entry.branch || entry.branch.trim() === "" || entry.branch === baseBranch) {
+      const detectedBranch = getCurrentBranch();
+
+      if (entry.branch === baseBranch) {
+        server.debug(`Branch equals base branch (${baseBranch}), detecting actual working branch: ${detectedBranch}`);
+      } else {
+        server.debug(`Using current branch for push_to_pull_request_branch: ${detectedBranch}`);
+      }
+
+      entry.branch = detectedBranch;
+    }
+
+    // Generate git patch
+    server.debug(`Generating patch for push_to_pull_request_branch with branch: ${entry.branch}`);
+    const patchResult = generateGitPatch(entry.branch);
+
+    if (!patchResult.success) {
+      // Patch generation failed or patch is empty
+      const errorMsg = patchResult.error || "Failed to generate patch";
+      server.debug(`Patch generation failed: ${errorMsg}`);
+      throw new Error(errorMsg);
+    }
+
+    // prettier-ignore
+    server.debug(`Patch generated successfully: ${patchResult.patchPath} (${patchResult.patchSize} bytes, ${patchResult.patchLines} lines)`);
+
+    appendSafeOutput(entry);
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify({
+            result: "success",
+            patch: {
+              path: patchResult.patchPath,
+              size: patchResult.patchSize,
+              lines: patchResult.patchLines,
+            },
+          }),
+        },
+      ],
+    };
+  };
+
+  return {
+    defaultHandler,
+    uploadAssetHandler,
+    createPullRequestHandler,
+    pushToPullRequestBranchHandler,
+  };
+}
+
+module.exports = { createHandlers };
diff --git a/actions/setup-safe-outputs/js/safe_outputs_mcp_server.cjs b/actions/setup-safe-outputs/js/safe_outputs_mcp_server.cjs
new file mode 100644
index 00000000000..0abd29c73a9
--- /dev/null
+++ b/actions/setup-safe-outputs/js/safe_outputs_mcp_server.cjs
@@ -0,0 +1,80 @@
+// @ts-check
+
+// Safe Outputs MCP Server Module
+//
+// This module provides a reusable MCP server for safe-outputs configuration.
+// It uses the mcp_server_core module for JSON-RPC handling and tool registration.
+//
+// Usage:
+//   node safe_outputs_mcp_server.cjs
+//
+// Or as a module:
+//   const server = require("./safe_outputs_mcp_server.cjs");
+//   server.startSafeOutputsServer();
+
+const { createServer, registerTool, normalizeTool, start } = require("./mcp_server_core.cjs");
+const { createAppendFunction } = require("./safe_outputs_append.cjs");
+const { createHandlers } = require("./safe_outputs_handlers.cjs");
+const { attachHandlers, registerPredefinedTools, registerDynamicTools } = require("./safe_outputs_tools_loader.cjs");
+const { bootstrapSafeOutputsServer, cleanupConfigFile } = require("./safe_outputs_bootstrap.cjs");
+
+/**
+ * Start the safe-outputs MCP server
+ * @param {Object} [options] - Additional options
+ * @param {string} [options.logDir] - Override log directory
+ * @param {boolean} [options.skipCleanup] - Skip deletion of config file (useful for testing)
+ */
+function startSafeOutputsServer(options = {}) {
+  // Server info for safe outputs MCP server
+  const SERVER_INFO = { name: "safeoutputs", version: "1.0.0" };
+
+  // Create the server instance with optional log directory
+  const MCP_LOG_DIR = options.logDir || process.env.GH_AW_MCP_LOG_DIR;
+  const server = createServer(SERVER_INFO, { logDir: MCP_LOG_DIR });
+
+  // Bootstrap: load configuration and tools using shared logic
+  const { config: safeOutputsConfig, outputFile, tools: ALL_TOOLS } = bootstrapSafeOutputsServer(server);
+
+  // Create append function
+  const appendSafeOutput = createAppendFunction(outputFile);
+
+  // Create handlers with configuration
+  const handlers = createHandlers(server, appendSafeOutput, safeOutputsConfig);
+  const { defaultHandler } = handlers;
+
+  // Attach handlers to tools
+  const toolsWithHandlers = attachHandlers(ALL_TOOLS, handlers);
+
+  server.debug(`  output file: ${outputFile}`);
+  server.debug(`  config: ${JSON.stringify(safeOutputsConfig)}`);
+
+  // Register predefined tools that are enabled in configuration
+  registerPredefinedTools(server, toolsWithHandlers, safeOutputsConfig, registerTool, normalizeTool);
+
+  // Add safe-jobs as dynamic tools
+  registerDynamicTools(server, toolsWithHandlers, safeOutputsConfig, outputFile, registerTool, normalizeTool);
+
+  server.debug(`  tools: ${Object.keys(server.tools).join(", ")}`);
+  if (!Object.keys(server.tools).length) throw new Error("No tools enabled in configuration");
+
+  // Note: We do NOT cleanup the config file here because it's needed by the ingestion
+  // phase (collect_ndjson_output.cjs) that runs after the MCP server completes.
+  // The config file only contains schema information (no secrets), so it's safe to leave.
+
+  // Start the server with the default handler
+  start(server, { defaultHandler });
+}
+
+// If run directly, start the server
+if (require.main === module) {
+  try {
+    startSafeOutputsServer();
+  } catch (error) {
+    console.error(`Error starting safe-outputs server: ${error instanceof Error ? error.message : String(error)}`);
+    process.exit(1);
+  }
+}
+
+module.exports = {
+  startSafeOutputsServer,
+};
diff --git a/actions/setup-safe-outputs/js/safe_outputs_tools.json b/actions/setup-safe-outputs/js/safe_outputs_tools.json
new file mode 100644
index 00000000000..986b5ab682b
--- /dev/null
+++ b/actions/setup-safe-outputs/js/safe_outputs_tools.json
@@ -0,0 +1,591 @@
+[
+  {
+    "name": "create_issue",
+    "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["title", "body"],
+      "properties": {
+        "title": {
+          "type": "string",
+          "description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive."
+        },
+        "body": {
+          "type": "string",
+          "description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate."
+        },
+        "labels": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository."
+        },
+        "parent": {
+          "type": ["number", "string"],
+          "description": "Parent issue number for creating sub-issues. Can be a real issue number (e.g., 42) or a temporary_id (e.g., 'aw_abc123def456') from a previously created issue in the same workflow run."
+        },
+        "temporary_id": {
+          "type": "string",
+          "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 12 hex characters (e.g., 'aw_abc123def456'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "create_agent_task",
+    "description": "Create a GitHub Copilot agent task to delegate coding work. Use this when you need another Copilot agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["body"],
+      "properties": {
+        "body": {
+          "type": "string",
+          "description": "Clear, detailed task description for the Copilot agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "create_discussion",
+    "description": "Create a GitHub discussion for announcements, Q&A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["title", "body"],
+      "properties": {
+        "title": {
+          "type": "string",
+          "description": "Concise discussion title summarizing the topic. The title appears as the main heading, so keep it brief and descriptive."
+        },
+        "body": {
+          "type": "string",
+          "description": "Discussion content in Markdown. Do NOT repeat the title as a heading since it already appears as the discussion's h1. Include all relevant context, findings, or questions."
+        },
+        "category": {
+          "type": "string",
+          "description": "Discussion category by name (e.g., 'General'), slug (e.g., 'general'), or ID. If omitted, uses the first available category. Category must exist in the repository."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "close_discussion",
+    "description": "Close a GitHub discussion with a resolution comment and optional reason. Use this to mark discussions as resolved, answered, or no longer needed. The closing comment should explain why the discussion is being closed.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["body"],
+      "properties": {
+        "body": {
+          "type": "string",
+          "description": "Closing comment explaining why the discussion is being closed and summarizing any resolution or conclusion."
+        },
+        "reason": {
+          "type": "string",
+          "enum": ["RESOLVED", "DUPLICATE", "OUTDATED", "ANSWERED"],
+          "description": "Resolution reason: RESOLVED (issue addressed), DUPLICATE (discussed elsewhere), OUTDATED (no longer relevant), or ANSWERED (question answered)."
+        },
+        "discussion_number": {
+          "type": ["number", "string"],
+          "description": "Discussion number to close. If omitted, closes the discussion that triggered this workflow (requires a discussion event trigger)."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "close_issue",
+    "description": "Close a GitHub issue with a closing comment. Use this when work is complete, the issue is no longer relevant, or it's a duplicate. The closing comment should explain the resolution or reason for closing.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["body"],
+      "properties": {
+        "body": {
+          "type": "string",
+          "description": "Closing comment explaining why the issue is being closed and summarizing any resolution, workaround, or conclusion."
+        },
+        "issue_number": {
+          "type": ["number", "string"],
+          "description": "Issue number to close. If omitted, closes the issue that triggered this workflow (requires an issue event trigger)."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "close_pull_request",
+    "description": "Close a pull request WITHOUT merging, adding a closing comment. Use this for PRs that should be abandoned, superseded, or closed for other reasons. The closing comment should explain why the PR is being closed. This does NOT merge the changes.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["body"],
+      "properties": {
+        "body": {
+          "type": "string",
+          "description": "Closing comment explaining why the PR is being closed without merging (e.g., superseded by another PR, no longer needed, approach rejected)."
+        },
+        "pull_request_number": {
+          "type": ["number", "string"],
+          "description": "Pull request number to close. If omitted, closes the PR that triggered this workflow (requires a pull_request event trigger)."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "add_comment",
+    "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["body", "item_number"],
+      "properties": {
+        "body": {
+          "type": "string",
+          "description": "Comment content in Markdown. Provide helpful, relevant information that adds value to the conversation."
+        },
+        "item_number": {
+          "type": "number",
+          "description": "The issue, pull request, or discussion number to comment on. Must be a valid existing item in the repository."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "create_pull_request",
+    "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["title", "body"],
+      "properties": {
+        "title": {
+          "type": "string",
+          "description": "Concise PR title describing the changes. Follow repository conventions (e.g., conventional commits). The title appears as the main heading."
+        },
+        "body": {
+          "type": "string",
+          "description": "Detailed PR description in Markdown. Include what changes were made, why, testing notes, and any breaking changes. Do NOT repeat the title as a heading."
+        },
+        "branch": {
+          "type": "string",
+          "description": "Source branch name containing the changes. If omitted, uses the current working branch."
+        },
+        "labels": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Labels to categorize the PR (e.g., 'enhancement', 'bugfix'). Labels must exist in the repository."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "create_pull_request_review_comment",
+    "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["path", "line", "body"],
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "File path relative to the repository root (e.g., 'src/auth/login.js'). Must be a file that was changed in the PR."
+        },
+        "line": {
+          "type": ["number", "string"],
+          "description": "Line number for the comment. For single-line comments, this is the target line. For multi-line comments, this is the ending line."
+        },
+        "body": {
+          "type": "string",
+          "description": "Review comment content in Markdown. Provide specific, actionable feedback about the code at this location."
+        },
+        "start_line": {
+          "type": ["number", "string"],
+          "description": "Starting line number for multi-line comments. When set, the comment spans from start_line to line. Omit for single-line comments."
+        },
+        "side": {
+          "type": "string",
+          "enum": ["LEFT", "RIGHT"],
+          "description": "Side of the diff to comment on: RIGHT for the new version (additions), LEFT for the old version (deletions). Defaults to RIGHT."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "create_code_scanning_alert",
+    "description": "Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["file", "line", "severity", "message"],
+      "properties": {
+        "file": {
+          "type": "string",
+          "description": "File path relative to the repository root where the issue was found (e.g., 'src/auth/password.js')."
+        },
+        "line": {
+          "type": ["number", "string"],
+          "description": "Line number where the issue was found in the file."
+        },
+        "severity": {
+          "type": "string",
+          "enum": ["error", "warning", "info", "note"],
+          "description": "Alert severity level: 'error' (critical security issues), 'warning' (potential problems), 'info' (informational), or 'note' (minor observations)."
+        },
+        "message": {
+          "type": "string",
+          "description": "Clear description of the security issue or finding. Include what's wrong and ideally how to fix it."
+        },
+        "column": {
+          "type": ["number", "string"],
+          "description": "Column number for more precise location of the issue within the line."
+        },
+        "ruleIdSuffix": {
+          "type": "string",
+          "description": "Suffix to append to the rule ID for categorizing different types of findings (e.g., 'sql-injection', 'xss')."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "add_labels",
+    "description": "Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["labels"],
+      "properties": {
+        "labels": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Label names to add (e.g., ['bug', 'priority-high']). Labels must exist in the repository."
+        },
+        "item_number": {
+          "type": "number",
+          "description": "Issue or PR number to add labels to. If omitted, adds labels to the item that triggered this workflow."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "add_reviewer",
+    "description": "Add reviewers to a GitHub pull request. Reviewers receive notifications and can approve or request changes. Use 'copilot' as a reviewer name to request the Copilot PR review bot.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["reviewers"],
+      "properties": {
+        "reviewers": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "GitHub usernames to add as reviewers (e.g., ['octocat', 'copilot']). Users must have access to the repository."
+        },
+        "pull_request_number": {
+          "type": ["number", "string"],
+          "description": "Pull request number to add reviewers to. If omitted, adds reviewers to the PR that triggered this workflow."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "assign_milestone",
+    "description": "Assign an issue to a milestone for release planning and progress tracking. Milestones must exist in the repository before assignment.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["issue_number", "milestone_number"],
+      "properties": {
+        "issue_number": {
+          "type": ["number", "string"],
+          "description": "Issue number to assign to the milestone."
+        },
+        "milestone_number": {
+          "type": ["number", "string"],
+          "description": "Milestone number (not title) to assign the issue to. Find milestone numbers in the repository's Milestones page."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "assign_to_agent",
+    "description": "Assign the GitHub Copilot coding agent to work on an issue. The agent will analyze the issue and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["issue_number"],
+      "properties": {
+        "issue_number": {
+          "type": ["number", "string"],
+          "description": "Issue number to assign the Copilot agent to. The issue should contain clear, actionable requirements."
+        },
+        "agent": {
+          "type": "string",
+          "description": "Agent identifier to assign. Defaults to 'copilot' (the Copilot coding agent) if not specified."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "assign_to_user",
+    "description": "Assign one or more GitHub users to an issue. Use this to delegate work to specific team members. Users must have access to the repository.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["issue_number"],
+      "properties": {
+        "issue_number": {
+          "type": ["number", "string"],
+          "description": "Issue number to assign users to. If omitted, assigns to the issue that triggered this workflow."
+        },
+        "assignees": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "GitHub usernames to assign to the issue (e.g., ['octocat', 'mona']). Users must have access to the repository."
+        },
+        "assignee": {
+          "type": "string",
+          "description": "Single GitHub username to assign. Use 'assignees' array for multiple users."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "update_issue",
+    "description": "Update an existing GitHub issue's status, title, or body. Use this to modify issue properties after creation. Only the fields you specify will be updated; other fields remain unchanged.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": ["open", "closed"],
+          "description": "New issue status: 'open' to reopen a closed issue, 'closed' to close an open issue."
+        },
+        "title": {
+          "type": "string",
+          "description": "New issue title to replace the existing title."
+        },
+        "body": {
+          "type": "string",
+          "description": "New issue body to replace the existing content. Use Markdown formatting."
+        },
+        "issue_number": {
+          "type": ["number", "string"],
+          "description": "Issue number to update. Required when the workflow target is '*' (any issue)."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "update_pull_request",
+    "description": "Update an existing GitHub pull request's title or body. Supports replacing, appending to, or prepending content to the body. Title is always replaced. Only the fields you specify will be updated; other fields remain unchanged.",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "title": {
+          "type": "string",
+          "description": "New pull request title to replace the existing title."
+        },
+        "body": {
+          "type": "string",
+          "description": "Pull request body content in Markdown. For 'replace', this becomes the entire body. For 'append'/'prepend', this is added with a separator."
+        },
+        "operation": {
+          "type": "string",
+          "enum": ["replace", "append", "prepend"],
+          "description": "How to update the PR body: 'replace' (default - completely overwrite), 'append' (add to end with separator), or 'prepend' (add to start with separator). Title is always replaced."
+        },
+        "pull_request_number": {
+          "type": ["number", "string"],
+          "description": "Pull request number to update. Required when the workflow target is '*' (any PR)."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "push_to_pull_request_branch",
+    "description": "Push committed changes to a pull request's branch. Use this to add follow-up commits to an existing PR, such as addressing review feedback or fixing issues. Changes must be committed locally before calling this tool.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["message"],
+      "properties": {
+        "branch": {
+          "type": "string",
+          "description": "Branch name to push changes from. If omitted, uses the current working branch. Only specify if you need to push from a different branch."
+        },
+        "message": {
+          "type": "string",
+          "description": "Commit message describing the changes. Follow repository commit message conventions (e.g., conventional commits)."
+        },
+        "pull_request_number": {
+          "type": ["number", "string"],
+          "description": "Pull request number to push changes to. Required when the workflow target is '*' (any PR)."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "upload_asset",
+    "description": "Upload a file as a URL-addressable asset that can be referenced in issues, PRs, or comments. The file is stored on an orphaned git branch and returns a permanent URL. Use this for images, diagrams, or other files that need to be embedded in GitHub content.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["path"],
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "Absolute file path to upload (e.g., '/tmp/chart.png'). Must be under the workspace or /tmp directory. By default, only image files (.png, .jpg, .jpeg) are allowed; other file types require workflow configuration."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "update_release",
+    "description": "Update a GitHub release description by replacing, appending to, or prepending to the existing content. Use this to add release notes, changelogs, or additional information to an existing release.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["tag", "operation", "body"],
+      "properties": {
+        "tag": {
+          "type": "string",
+          "description": "Release tag name (e.g., 'v1.0.0'). REQUIRED - must be provided explicitly as the tag cannot always be inferred from event context."
+        },
+        "operation": {
+          "type": "string",
+          "enum": ["replace", "append", "prepend"],
+          "description": "How to update the release body: 'replace' (completely overwrite), 'append' (add to end with separator), or 'prepend' (add to start with separator)."
+        },
+        "body": {
+          "type": "string",
+          "description": "Release body content in Markdown. For 'replace', this becomes the entire release body. For 'append'/'prepend', this is added with a separator."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "missing_tool",
+    "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["tool", "reason"],
+      "properties": {
+        "tool": {
+          "type": "string",
+          "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed."
+        },
+        "reason": {
+          "type": "string",
+          "description": "Explanation of why this tool is needed to complete the task (max 256 characters)."
+        },
+        "alternatives": {
+          "type": "string",
+          "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters)."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "noop",
+    "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["message"],
+      "properties": {
+        "message": {
+          "type": "string",
+          "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing')."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "link_sub_issue",
+    "description": "Link an issue as a sub-issue of a parent issue. Use this to establish parent-child relationships between issues for better organization and tracking of related work items.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["parent_issue_number", "sub_issue_number"],
+      "properties": {
+        "parent_issue_number": {
+          "type": ["number", "string"],
+          "description": "The parent issue number to link the sub-issue to."
+        },
+        "sub_issue_number": {
+          "type": ["number", "string"],
+          "description": "The issue number to link as a sub-issue of the parent."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "hide_comment",
+    "description": "Hide a comment on a GitHub issue, pull request, or discussion. This collapses the comment and marks it as spam, abuse, off-topic, outdated, or resolved. Use this for inappropriate, off-topic, or outdated comments. The comment_id must be a GraphQL node ID (string like 'IC_kwDOABCD123456'), not a numeric REST API comment ID.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["comment_id"],
+      "properties": {
+        "comment_id": {
+          "type": "string",
+          "description": "GraphQL node ID of the comment to hide (e.g., 'IC_kwDOABCD123456'). This is the GraphQL node ID, not the numeric comment ID from REST API. Can be obtained from GraphQL queries or comment API responses."
+        },
+        "reason": {
+          "type": "string",
+          "enum": ["SPAM", "ABUSE", "OFF_TOPIC", "OUTDATED", "RESOLVED"],
+          "description": "Optional reason for hiding the comment. Defaults to SPAM if not provided. Valid values: SPAM (spam content), ABUSE (abusive/harassment content), OFF_TOPIC (not relevant to discussion), OUTDATED (no longer applicable), RESOLVED (issue/question has been resolved)."
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  {
+    "name": "update_project",
+    "description": "Add or update items in GitHub Projects v2 boards. Can add issues/PRs to a project and update custom field values. Requires the project URL, content type (issue or pull_request), and content number. Use campaign_id to group related items.",
+    "inputSchema": {
+      "type": "object",
+      "required": ["project", "content_type", "content_number"],
+      "properties": {
+        "project": {
+          "type": "string",
+          "pattern": "^https://github\\.com/(orgs|users)/[^/]+/projects/\\d+$",
+          "description": "Full GitHub project URL (e.g., 'https://github.com/orgs/myorg/projects/42' or 'https://github.com/users/username/projects/5'). Project names or numbers alone are NOT accepted."
+        },
+        "content_type": {
+          "type": "string",
+          "enum": ["issue", "pull_request"],
+          "description": "Type of content to add to the project. Must be either 'issue' or 'pull_request'."
+        },
+        "content_number": {
+          "type": "number",
+          "description": "Issue or pull request number to add to the project (e.g., 123 for issue #123)."
+        },
+        "fields": {
+          "type": "object",
+          "description": "Custom field values to set on the project item (e.g., {'Status': 'In Progress', 'Priority': 'High'}). Field names must match custom fields defined in the project."
+        },
+        "campaign_id": {
+          "type": "string",
+          "description": "Campaign identifier to group related project items. Used to track items created by the same campaign or workflow run."
+        },
+        "create_if_missing": {
+          "type": "boolean",
+          "description": "Whether to create the project if it doesn't exist. Defaults to false. Requires projects:write permission when true."
+        }
+      },
+      "additionalProperties": false
+    }
+  }
+]
diff --git a/actions/setup-safe-outputs/js/safe_outputs_tools_loader.cjs b/actions/setup-safe-outputs/js/safe_outputs_tools_loader.cjs
new file mode 100644
index 00000000000..69eb19e315d
--- /dev/null
+++ b/actions/setup-safe-outputs/js/safe_outputs_tools_loader.cjs
@@ -0,0 +1,165 @@
+// @ts-check
+
+const fs = require("fs");
+
+/**
+ * Load tools from tools.json file
+ * @param {Object} server - The MCP server instance for logging
+ * @returns {Array} Array of tool definitions
+ */
+function loadTools(server) {
+  const toolsPath = process.env.GH_AW_SAFE_OUTPUTS_TOOLS_PATH || "/tmp/gh-aw/safeoutputs/tools.json";
+  let ALL_TOOLS = [];
+
+  server.debug(`Reading tools from file: ${toolsPath}`);
+
+  try {
+    if (fs.existsSync(toolsPath)) {
+      server.debug(`Tools file exists at: ${toolsPath}`);
+      const toolsFileContent = fs.readFileSync(toolsPath, "utf8");
+      server.debug(`Tools file content length: ${toolsFileContent.length} characters`);
+      server.debug(`Tools file read successfully, attempting to parse JSON`);
+      ALL_TOOLS = JSON.parse(toolsFileContent);
+      server.debug(`Successfully parsed ${ALL_TOOLS.length} tools from file`);
+    } else {
+      server.debug(`Tools file does not exist at: ${toolsPath}`);
+      server.debug(`Using empty tools array`);
+      ALL_TOOLS = [];
+    }
+  } catch (error) {
+    server.debug(`Error reading tools file: ${error instanceof Error ? error.message : String(error)}`);
+    server.debug(`Falling back to empty tools array`);
+    ALL_TOOLS = [];
+  }
+
+  return ALL_TOOLS;
+}
+
+/**
+ * Attach handlers to tools
+ * @param {Array} tools - Array of tool definitions
+ * @param {Object} handlers - Object containing handler functions
+ * @returns {Array} Tools with handlers attached
+ */
+function attachHandlers(tools, handlers) {
+  tools.forEach(tool => {
+    if (tool.name === "create_pull_request") {
+      tool.handler = handlers.createPullRequestHandler;
+    } else if (tool.name === "push_to_pull_request_branch") {
+      tool.handler = handlers.pushToPullRequestBranchHandler;
+    } else if (tool.name === "upload_asset") {
+      tool.handler = handlers.uploadAssetHandler;
+    }
+  });
+  return tools;
+}
+
+/**
+ * Register predefined tools based on configuration
+ * @param {Object} server - The MCP server instance
+ * @param {Array} tools - Array of tool definitions
+ * @param {Object} config - Safe outputs configuration
+ * @param {Function} registerTool - Function to register a tool
+ * @param {Function} normalizeTool - Function to normalize tool names
+ */
+function registerPredefinedTools(server, tools, config, registerTool, normalizeTool) {
+  tools.forEach(tool => {
+    if (Object.keys(config).find(configKey => normalizeTool(configKey) === tool.name)) {
+      registerTool(server, tool);
+    }
+  });
+}
+
+/**
+ * Register dynamic safe-job tools based on configuration
+ * @param {Object} server - The MCP server instance
+ * @param {Array} tools - Array of predefined tool definitions
+ * @param {Object} config - Safe outputs configuration
+ * @param {string} outputFile - Path to the output file
+ * @param {Function} registerTool - Function to register a tool
+ * @param {Function} normalizeTool - Function to normalize tool names
+ */
+function registerDynamicTools(server, tools, config, outputFile, registerTool, normalizeTool) {
+  Object.keys(config).forEach(configKey => {
+    const normalizedKey = normalizeTool(configKey);
+
+    // Skip if it's already a predefined tool
+    if (server.tools[normalizedKey]) {
+      return;
+    }
+
+    // Check if this is a safe-job (not in ALL_TOOLS)
+    if (!tools.find(t => t.name === normalizedKey)) {
+      const jobConfig = config[configKey];
+
+      // Create a dynamic tool for this safe-job
+      const dynamicTool = {
+        name: normalizedKey,
+        description: jobConfig && jobConfig.description ? jobConfig.description : `Custom safe-job: ${configKey}`,
+        inputSchema: {
+          type: "object",
+          properties: {},
+          additionalProperties: true, // Allow any properties for flexibility
+        },
+        handler: args => {
+          // Create a generic safe-job output entry
+          const entry = {
+            type: normalizedKey,
+            ...args,
+          };
+
+          // Write the entry to the output file in JSONL format
+          // CRITICAL: Use JSON.stringify WITHOUT formatting parameters for JSONL format
+          // Each entry must be on a single line, followed by a newline character
+          const entryJSON = JSON.stringify(entry);
+          fs.appendFileSync(outputFile, entryJSON + "\n");
+
+          // Use output from safe-job config if available
+          const outputText = jobConfig && jobConfig.output ? jobConfig.output : `Safe-job '${configKey}' executed successfully with arguments: ${JSON.stringify(args)}`;
+
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify({ result: outputText }),
+              },
+            ],
+          };
+        },
+      };
+
+      // Add input schema based on job configuration if available
+      if (jobConfig && jobConfig.inputs) {
+        dynamicTool.inputSchema.properties = {};
+        dynamicTool.inputSchema.required = [];
+
+        Object.keys(jobConfig.inputs).forEach(inputName => {
+          const inputDef = jobConfig.inputs[inputName];
+          const propSchema = {
+            type: inputDef.type || "string",
+            description: inputDef.description || `Input parameter: ${inputName}`,
+          };
+
+          if (inputDef.options && Array.isArray(inputDef.options)) {
+            propSchema.enum = inputDef.options;
+          }
+
+          dynamicTool.inputSchema.properties[inputName] = propSchema;
+
+          if (inputDef.required) {
+            dynamicTool.inputSchema.required.push(inputName);
+          }
+        });
+      }
+
+      registerTool(server, dynamicTool);
+    }
+  });
+}
+
+module.exports = {
+  loadTools,
+  attachHandlers,
+  registerPredefinedTools,
+  registerDynamicTools,
+};
diff --git a/actions/setup-safe-outputs/src/index.js b/actions/setup-safe-outputs/src/index.js
deleted file mode 100644
index 1b91680935e..00000000000
--- a/actions/setup-safe-outputs/src/index.js
+++ /dev/null
@@ -1,43 +0,0 @@
-// Safe Outputs Copy Action
-// Copies safe-outputs MCP server files to the agent environment
-
-const core = require('@actions/core');
-const fs = require('fs');
-const path = require('path');
-
-// Embedded safe-outputs files will be inserted here during build
-const FILES = {
-  // This will be populated by the build script
-};
-
-async function run() {
-  try {
-    const destination = core.getInput('destination') || '/tmp/gh-aw/safeoutputs';
-    
-    core.info(`Copying safe-outputs files to ${destination}`);
-    
-    // Create destination directory if it doesn't exist
-    if (!fs.existsSync(destination)) {
-      fs.mkdirSync(destination, { recursive: true });
-      core.info(`Created directory: ${destination}`);
-    }
-    
-    let fileCount = 0;
-    
-    // Copy each embedded file
-    for (const [filename, content] of Object.entries(FILES)) {
-      const filePath = path.join(destination, filename);
-      fs.writeFileSync(filePath, content, 'utf8');
-      core.info(`Copied: ${filename}`);
-      fileCount++;
-    }
-    
-    core.setOutput('files-copied', fileCount.toString());
-    core.info(`✓ Successfully copied ${fileCount} files`);
-    
-  } catch (error) {
-    core.setFailed(`Action failed: ${error.message}`);
-  }
-}
-
-run();
diff --git a/pkg/cli/actions_build_command.go b/pkg/cli/actions_build_command.go
index 362c0769925..38fb2838d08 100644
--- a/pkg/cli/actions_build_command.go
+++ b/pkg/cli/actions_build_command.go
@@ -105,13 +105,28 @@ func ActionsCleanCommand() error {
 
 	cleanedCount := 0
 	for _, actionName := range actionDirs {
-		indexPath := filepath.Join(actionsDir, actionName, "index.js")
-		if _, err := os.Stat(indexPath); err == nil {
-			if err := os.Remove(indexPath); err != nil {
-				return fmt.Errorf("failed to remove %s: %w", indexPath, err)
+		// Clean index.js for actions that use it
+		if actionName != "setup-safe-outputs" {
+			indexPath := filepath.Join(actionsDir, actionName, "index.js")
+			if _, err := os.Stat(indexPath); err == nil {
+				if err := os.Remove(indexPath); err != nil {
+					return fmt.Errorf("failed to remove %s: %w", indexPath, err)
+				}
+				fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("  ✓ Removed %s/index.js", actionName)))
+				cleanedCount++
+			}
+		}
+
+		// Clean js/ directory for setup-safe-outputs
+		if actionName == "setup-safe-outputs" {
+			jsDir := filepath.Join(actionsDir, actionName, "js")
+			if _, err := os.Stat(jsDir); err == nil {
+				if err := os.RemoveAll(jsDir); err != nil {
+					return fmt.Errorf("failed to remove %s: %w", jsDir, err)
+				}
+				fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("  ✓ Removed %s/js/", actionName)))
+				cleanedCount++
 			}
-			fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("  ✓ Removed %s/index.js", actionName)))
-			cleanedCount++
 		}
 	}
 
@@ -164,9 +179,12 @@ func validateActionYml(actionPath string) error {
 		}
 	}
 
-	// Check that it's a node20 action
-	if !strings.Contains(contentStr, "using: 'node20'") && !strings.Contains(contentStr, "using: \"node20\"") {
-		return fmt.Errorf("action must use 'node20' runtime")
+	// Check that it's either a node20 or composite action
+	isNode20 := strings.Contains(contentStr, "using: 'node20'") || strings.Contains(contentStr, "using: \"node20\"")
+	isComposite := strings.Contains(contentStr, "using: 'composite'") || strings.Contains(contentStr, "using: \"composite\"")
+	
+	if !isNode20 && !isComposite {
+		return fmt.Errorf("action must use either 'node20' or 'composite' runtime")
 	}
 
 	return nil
@@ -179,8 +197,6 @@ func buildAction(actionsDir, actionName string) error {
 	fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("\n📦 Building action: %s", actionName)))
 
 	actionPath := filepath.Join(actionsDir, actionName)
-	srcPath := filepath.Join(actionPath, "src", "index.js")
-	outputPath := filepath.Join(actionPath, "index.js")
 
 	// Validate action.yml
 	fmt.Fprintln(os.Stderr, console.FormatInfoMessage("  ✓ Validating action.yml"))
@@ -188,6 +204,14 @@ func buildAction(actionsDir, actionName string) error {
 		return err
 	}
 
+	// Special handling for setup-safe-outputs: copy files instead of embedding
+	if actionName == "setup-safe-outputs" {
+		return buildSetupSafeOutputsAction(actionsDir, actionName)
+	}
+
+	srcPath := filepath.Join(actionPath, "src", "index.js")
+	outputPath := filepath.Join(actionPath, "index.js")
+
 	// Check if source file exists
 	if _, err := os.Stat(srcPath); os.IsNotExist(err) {
 		return fmt.Errorf("source file not found: %s", srcPath)
@@ -243,6 +267,43 @@ func buildAction(actionsDir, actionName string) error {
 	return nil
 }
 
+// buildSetupSafeOutputsAction builds the setup-safe-outputs action by copying JavaScript files
+func buildSetupSafeOutputsAction(actionsDir, actionName string) error {
+	actionPath := filepath.Join(actionsDir, actionName)
+	jsDir := filepath.Join(actionPath, "js")
+
+	// Get dependencies for this action
+	dependencies := getActionDependencies(actionName)
+	fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("  ✓ Found %d dependencies", len(dependencies))))
+
+	// Get all JavaScript sources
+	sources := workflow.GetJavaScriptSources()
+
+	// Create js directory if it doesn't exist
+	if err := os.MkdirAll(jsDir, 0755); err != nil {
+		return fmt.Errorf("failed to create js directory: %w", err)
+	}
+
+	// Copy each dependency file to the js directory
+	copiedCount := 0
+	for _, dep := range dependencies {
+		if content, ok := sources[dep]; ok {
+			destPath := filepath.Join(jsDir, dep)
+			if err := os.WriteFile(destPath, []byte(content), 0644); err != nil {
+				return fmt.Errorf("failed to write %s: %w", dep, err)
+			}
+			fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("    - %s", dep)))
+			copiedCount++
+		} else {
+			fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("    ⚠ Warning: Could not find %s", dep)))
+		}
+	}
+
+	fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("  ✓ Copied %d files to js/", copiedCount)))
+
+	return nil
+}
+
 // getActionDependencies returns the list of JavaScript dependencies for an action
 // This mapping defines which files from pkg/workflow/js/ are needed for each action
 func getActionDependencies(actionName string) []string {

From 0d13659a37b333f7876cdbc943405fb37d6a8048 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 07:39:28 +0000
Subject: [PATCH 4/5] Remove js/ files from git tracking - they are generated

---
 .gitignore                                    |   5 +-
 actions/setup-safe-outputs/js/mcp_logger.cjs  |  53 --
 .../setup-safe-outputs/js/mcp_server_core.cjs | 747 ------------------
 actions/setup-safe-outputs/js/messages.cjs    |  58 --
 .../js/safe_outputs_bootstrap.cjs             |  74 --
 .../js/safe_outputs_config.cjs                |  59 --
 .../js/safe_outputs_handlers.cjs              | 322 --------
 .../js/safe_outputs_mcp_server.cjs            |  80 --
 .../js/safe_outputs_tools.json                | 591 --------------
 .../js/safe_outputs_tools_loader.cjs          | 165 ----
 10 files changed, 4 insertions(+), 2150 deletions(-)
 delete mode 100644 actions/setup-safe-outputs/js/mcp_logger.cjs
 delete mode 100644 actions/setup-safe-outputs/js/mcp_server_core.cjs
 delete mode 100644 actions/setup-safe-outputs/js/messages.cjs
 delete mode 100644 actions/setup-safe-outputs/js/safe_outputs_bootstrap.cjs
 delete mode 100644 actions/setup-safe-outputs/js/safe_outputs_config.cjs
 delete mode 100644 actions/setup-safe-outputs/js/safe_outputs_handlers.cjs
 delete mode 100644 actions/setup-safe-outputs/js/safe_outputs_mcp_server.cjs
 delete mode 100644 actions/setup-safe-outputs/js/safe_outputs_tools.json
 delete mode 100644 actions/setup-safe-outputs/js/safe_outputs_tools_loader.cjs

diff --git a/.gitignore b/.gitignore
index b59f4e408d8..7c8ef90e4b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -118,4 +118,7 @@ test-runs/
 gosec-report.json
 gosec-results.sarif
 govulncheck-results.sarif
-trivy-results.sarifactions/setup-safe-outputs/js/
+trivy-results.sarif
+
+# Generated action files
+actions/setup-safe-outputs/js/
diff --git a/actions/setup-safe-outputs/js/mcp_logger.cjs b/actions/setup-safe-outputs/js/mcp_logger.cjs
deleted file mode 100644
index c4e764160ac..00000000000
--- a/actions/setup-safe-outputs/js/mcp_logger.cjs
+++ /dev/null
@@ -1,53 +0,0 @@
-// @ts-check
-/// <reference types="@actions/github-script" />
-
-/**
- * MCP Logger Utility
- *
- * This module provides logger creation utilities for MCP servers.
- * It creates logger objects with debug and debugError methods that write
- * timestamped messages to stderr.
- *
- * Usage:
- *   const { createLogger } = require("./mcp_logger.cjs");
- *   const logger = createLogger("my-server");
- *   logger.debug("Server started");
- *   logger.debugError("Error: ", new Error("Something went wrong"));
- */
-
-/**
- * Create a logger object with debug and debugError methods
- * @param {string} serverName - Name to include in log messages
- * @returns {Object} Logger object with debug and debugError methods
- */
-function createLogger(serverName) {
-  const logger = {
-    /**
-     * Log a debug message to stderr with timestamp
-     * @param {string} msg - Message to log
-     */
-    debug: msg => {
-      const timestamp = new Date().toISOString();
-      process.stderr.write(`[${timestamp}] [${serverName}] ${msg}\n`);
-    },
-
-    /**
-     * Log an error with optional stack trace
-     * @param {string} prefix - Prefix for the error message
-     * @param {Error|string|any} error - Error object or message
-     */
-    debugError: (prefix, error) => {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      logger.debug(`${prefix}${errorMessage}`);
-      if (error instanceof Error && error.stack) {
-        logger.debug(`${prefix}Stack trace: ${error.stack}`);
-      }
-    },
-  };
-
-  return logger;
-}
-
-module.exports = {
-  createLogger,
-};
diff --git a/actions/setup-safe-outputs/js/mcp_server_core.cjs b/actions/setup-safe-outputs/js/mcp_server_core.cjs
deleted file mode 100644
index ab1a60832cf..00000000000
--- a/actions/setup-safe-outputs/js/mcp_server_core.cjs
+++ /dev/null
@@ -1,747 +0,0 @@
-// @ts-check
-/// <reference types="@actions/github-script" />
-
-/**
- * MCP Server Core Module
- *
- * This module provides a reusable API for creating MCP (Model Context Protocol) servers.
- * It handles JSON-RPC 2.0 message parsing, tool registration, and server lifecycle.
- *
- * Usage:
- *   const { createServer, registerTool, start } = require("./mcp_server_core.cjs");
- *
- *   const server = createServer({ name: "my-server", version: "1.0.0" });
- *   registerTool(server, {
- *     name: "my_tool",
- *     description: "A tool",
- *     inputSchema: { type: "object", properties: {} },
- *     handler: (args) => ({ content: [{ type: "text", text: "result" }] })
- *   });
- *   start(server);
- */
-
-const fs = require("fs");
-const path = require("path");
-
-const { ReadBuffer } = require("./read_buffer.cjs");
-const { validateRequiredFields } = require("./safe_inputs_validation.cjs");
-
-const encoder = new TextEncoder();
-
-/**
- * @typedef {Object} ServerInfo
- * @property {string} name - Server name
- * @property {string} version - Server version
- */
-
-/**
- * @typedef {Object} Tool
- * @property {string} name - Tool name
- * @property {string} description - Tool description
- * @property {Object} inputSchema - JSON Schema for tool inputs
- * @property {Function} [handler] - Tool handler function
- * @property {string} [handlerPath] - Optional file path to handler module (original path from config)
- * @property {number} [timeout] - Timeout in seconds for tool execution (default: 60)
- */
-
-/**
- * @typedef {Object} MCPServer
- * @property {ServerInfo} serverInfo - Server information
- * @property {Object<string, Tool>} tools - Registered tools
- * @property {Function} debug - Debug logging function
- * @property {Function} debugError - Debug logging function for errors (extracts message from Error objects)
- * @property {Function} writeMessage - Write message to stdout
- * @property {Function} replyResult - Send a result response
- * @property {Function} replyError - Send an error response
- * @property {ReadBuffer} readBuffer - Message buffer
- * @property {string} [logDir] - Optional log directory
- * @property {string} [logFilePath] - Optional log file path
- * @property {boolean} logFileInitialized - Whether log file has been initialized
- */
-
-/**
- * Initialize log file for the server
- * @param {MCPServer} server - The MCP server instance
- */
-function initLogFile(server) {
-  if (server.logFileInitialized || !server.logDir || !server.logFilePath) return;
-  try {
-    if (!fs.existsSync(server.logDir)) {
-      fs.mkdirSync(server.logDir, { recursive: true });
-    }
-    // Initialize/truncate log file with header
-    const timestamp = new Date().toISOString();
-    fs.writeFileSync(server.logFilePath, `# ${server.serverInfo.name} MCP Server Log\n# Started: ${timestamp}\n# Version: ${server.serverInfo.version}\n\n`);
-    server.logFileInitialized = true;
-  } catch {
-    // Silently ignore errors - logging to stderr will still work
-  }
-}
-
-/**
- * Create a debug function for the server
- * @param {MCPServer} server - The MCP server instance
- * @returns {Function} Debug function
- */
-function createDebugFunction(server) {
-  return msg => {
-    const timestamp = new Date().toISOString();
-    const formattedMsg = `[${timestamp}] [${server.serverInfo.name}] ${msg}\n`;
-
-    // Always write to stderr
-    process.stderr.write(formattedMsg);
-
-    // Also write to log file if log directory is set (initialize on first use)
-    if (server.logDir && server.logFilePath) {
-      if (!server.logFileInitialized) {
-        initLogFile(server);
-      }
-      if (server.logFileInitialized) {
-        try {
-          fs.appendFileSync(server.logFilePath, formattedMsg);
-        } catch {
-          // Silently ignore file write errors - stderr logging still works
-        }
-      }
-    }
-  };
-}
-
-/**
- * Create a debugError function for the server that handles error casting
- * @param {MCPServer} server - The MCP server instance
- * @returns {Function} Debug error function that extracts message from Error objects
- */
-function createDebugErrorFunction(server) {
-  return (prefix, error) => {
-    const errorMessage = error instanceof Error ? error.message : String(error);
-    server.debug(`${prefix}${errorMessage}`);
-    if (error instanceof Error && error.stack) {
-      server.debug(`${prefix}Stack trace: ${error.stack}`);
-    }
-  };
-}
-
-/**
- * Create a writeMessage function for the server
- * @param {MCPServer} server - The MCP server instance
- * @returns {Function} Write message function
- */
-function createWriteMessageFunction(server) {
-  return obj => {
-    const json = JSON.stringify(obj);
-    server.debug(`send: ${json}`);
-    const message = json + "\n";
-    const bytes = encoder.encode(message);
-    fs.writeSync(1, bytes);
-  };
-}
-
-/**
- * Create a replyResult function for the server
- * @param {MCPServer} server - The MCP server instance
- * @returns {Function} Reply result function
- */
-function createReplyResultFunction(server) {
-  return (id, result) => {
-    if (id === undefined || id === null) return; // notification
-    const res = { jsonrpc: "2.0", id, result };
-    server.writeMessage(res);
-  };
-}
-
-/**
- * Create a replyError function for the server
- * @param {MCPServer} server - The MCP server instance
- * @returns {Function} Reply error function
- */
-function createReplyErrorFunction(server) {
-  return (id, code, message) => {
-    // Don't send error responses for notifications (id is null/undefined)
-    if (id === undefined || id === null) {
-      server.debug(`Error for notification: ${message}`);
-      return;
-    }
-
-    const error = { code, message };
-    const res = {
-      jsonrpc: "2.0",
-      id,
-      error,
-    };
-    server.writeMessage(res);
-  };
-}
-
-/**
- * Create a new MCP server instance
- * @param {ServerInfo} serverInfo - Server information (name and version)
- * @param {Object} [options] - Optional server configuration
- * @param {string} [options.logDir] - Directory for log file (optional)
- * @returns {MCPServer} The MCP server instance
- */
-function createServer(serverInfo, options = {}) {
-  const logDir = options.logDir || undefined;
-  const logFilePath = logDir ? path.join(logDir, "server.log") : undefined;
-
-  /** @type {MCPServer} */
-  const server = {
-    serverInfo,
-    tools: {},
-    debug: () => {}, // placeholder
-    debugError: () => {}, // placeholder
-    writeMessage: () => {}, // placeholder
-    replyResult: () => {}, // placeholder
-    replyError: () => {}, // placeholder
-    readBuffer: new ReadBuffer(),
-    logDir,
-    logFilePath,
-    logFileInitialized: false,
-  };
-
-  // Initialize functions with references to server
-  server.debug = createDebugFunction(server);
-  server.debugError = createDebugErrorFunction(server);
-  server.writeMessage = createWriteMessageFunction(server);
-  server.replyResult = createReplyResultFunction(server);
-  server.replyError = createReplyErrorFunction(server);
-
-  return server;
-}
-
-/**
- * Create a wrapped handler function that normalizes results to MCP format.
- * Extracted to avoid creating closures with excessive scope in loadToolHandlers.
- *
- * @param {MCPServer} server - The MCP server instance for logging
- * @param {string} toolName - Name of the tool for logging purposes
- * @param {Function} handlerFn - The original handler function to wrap
- * @returns {Function} Wrapped async handler function
- */
-function createWrappedHandler(server, toolName, handlerFn) {
-  return async args => {
-    server.debug(`  [${toolName}] Invoking handler with args: ${JSON.stringify(args)}`);
-
-    try {
-      // Call the handler (may be sync or async)
-      const result = await Promise.resolve(handlerFn(args));
-      server.debug(`  [${toolName}] Handler returned result type: ${typeof result}`);
-
-      // If the result is already in MCP format (has content array), return as-is
-      if (result && typeof result === "object" && Array.isArray(result.content)) {
-        server.debug(`  [${toolName}] Result is already in MCP format`);
-        return result;
-      }
-
-      // Otherwise, serialize the result to text
-      // Use try-catch for serialization to handle circular references and non-serializable values
-      let serializedResult;
-      try {
-        serializedResult = JSON.stringify(result);
-      } catch (serializationError) {
-        server.debugError(`  [${toolName}] Serialization error: `, serializationError);
-        // Fall back to String() for non-serializable values
-        serializedResult = String(result);
-      }
-      server.debug(`  [${toolName}] Serialized result: ${serializedResult.substring(0, 200)}${serializedResult.length > 200 ? "..." : ""}`);
-
-      return {
-        content: [
-          {
-            type: "text",
-            text: serializedResult,
-          },
-        ],
-      };
-    } catch (error) {
-      server.debugError(`  [${toolName}] Handler threw error: `, error);
-      throw error;
-    }
-  };
-}
-
-/**
- * Load handler functions from file paths specified in tools configuration.
- * This function iterates through tools and loads handler modules based on file extension:
- *
- * For JavaScript handlers (.js, .cjs, .mjs):
- *   - Uses require() to load the module
- *   - Handler must export a function as default export
- *   - Handler signature: async function handler(args: Record<string, unknown>): Promise<unknown>
- *
- * For Shell script handlers (.sh):
- *   - Uses GitHub Actions convention for passing inputs/outputs
- *   - Inputs are passed as environment variables prefixed with INPUT_ (uppercased)
- *   - Outputs are read from GITHUB_OUTPUT file (key=value format per line)
- *   - Returns: { stdout, stderr, outputs }
- *
- * For Python script handlers (.py):
- *   - Uses GitHub Actions convention for passing inputs/outputs
- *   - Inputs are passed as environment variables prefixed with INPUT_ (uppercased)
- *   - Outputs are read from GITHUB_OUTPUT file (key=value format per line)
- *   - Executed using python3 command
- *   - Returns: { stdout, stderr, outputs }
- *
- * SECURITY NOTE: Handler paths are loaded from tools.json configuration file,
- * which should be controlled by the server administrator. When basePath is provided,
- * relative paths are resolved within it, preventing directory traversal outside
- * the intended directory. Absolute paths bypass this validation but are still
- * logged for auditing purposes.
- *
- * @param {MCPServer} server - The MCP server instance for logging
- * @param {Array<Object>} tools - Array of tool configurations from tools.json
- * @param {string} [basePath] - Optional base path for resolving relative handler paths.
- *                              When provided, relative paths are validated to be within this directory.
- * @returns {Array<Object>} The tools array with loaded handlers attached
- */
-function loadToolHandlers(server, tools, basePath) {
-  server.debug(`Loading tool handlers...`);
-  server.debug(`  Total tools to process: ${tools.length}`);
-  server.debug(`  Base path: ${basePath || "(not specified)"}`);
-
-  let loadedCount = 0;
-  let skippedCount = 0;
-  let errorCount = 0;
-
-  for (const tool of tools) {
-    const toolName = tool.name || "(unnamed)";
-
-    // Check if tool has a handler path specified
-    if (!tool.handler) {
-      server.debug(`  [${toolName}] No handler path specified, skipping handler load`);
-      skippedCount++;
-      continue;
-    }
-
-    const handlerPath = tool.handler;
-    server.debug(`  [${toolName}] Handler path specified: ${handlerPath}`);
-
-    // Resolve the handler path
-    let resolvedPath = handlerPath;
-    if (basePath && !path.isAbsolute(handlerPath)) {
-      resolvedPath = path.resolve(basePath, handlerPath);
-      server.debug(`  [${toolName}] Resolved relative path to: ${resolvedPath}`);
-
-      // Security validation: Ensure resolved path is within basePath to prevent directory traversal
-      const normalizedBase = path.resolve(basePath);
-      const normalizedResolved = path.resolve(resolvedPath);
-      if (!normalizedResolved.startsWith(normalizedBase + path.sep) && normalizedResolved !== normalizedBase) {
-        server.debug(`  [${toolName}] ERROR: Handler path escapes base directory: ${resolvedPath} is not within ${basePath}`);
-        errorCount++;
-        continue;
-      }
-    } else if (path.isAbsolute(handlerPath)) {
-      server.debug(`  [${toolName}] Using absolute path (bypasses basePath validation): ${handlerPath}`);
-    }
-
-    // Store the original handler path for reference
-    tool.handlerPath = handlerPath;
-
-    try {
-      server.debug(`  [${toolName}] Loading handler from: ${resolvedPath}`);
-
-      // Check if file exists before loading
-      if (!fs.existsSync(resolvedPath)) {
-        server.debug(`  [${toolName}] ERROR: Handler file does not exist: ${resolvedPath}`);
-        errorCount++;
-        continue;
-      }
-
-      // Detect handler type by file extension
-      const ext = path.extname(resolvedPath).toLowerCase();
-      server.debug(`  [${toolName}] Handler file extension: ${ext}`);
-
-      if (ext === ".sh") {
-        // Shell script handler - use GitHub Actions convention
-        server.debug(`  [${toolName}] Detected shell script handler`);
-
-        // Make sure the script is executable (on Unix-like systems)
-        try {
-          fs.accessSync(resolvedPath, fs.constants.X_OK);
-          server.debug(`  [${toolName}] Shell script is executable`);
-        } catch {
-          // Try to make it executable
-          try {
-            fs.chmodSync(resolvedPath, 0o755);
-            server.debug(`  [${toolName}] Made shell script executable`);
-          } catch (chmodError) {
-            server.debugError(`  [${toolName}] Warning: Could not make shell script executable: `, chmodError);
-            // Continue anyway - it might work depending on the shell
-          }
-        }
-
-        // Lazy-load shell handler module
-        const { createShellHandler } = require("./mcp_handler_shell.cjs");
-        const timeout = tool.timeout || 60; // Default to 60 seconds if not specified
-        tool.handler = createShellHandler(server, toolName, resolvedPath, timeout);
-
-        loadedCount++;
-        server.debug(`  [${toolName}] Shell handler created successfully with timeout: ${timeout}s`);
-      } else if (ext === ".py") {
-        // Python script handler - use GitHub Actions convention
-        server.debug(`  [${toolName}] Detected Python script handler`);
-
-        // Make sure the script is executable (on Unix-like systems)
-        try {
-          fs.accessSync(resolvedPath, fs.constants.X_OK);
-          server.debug(`  [${toolName}] Python script is executable`);
-        } catch {
-          // Try to make it executable
-          try {
-            fs.chmodSync(resolvedPath, 0o755);
-            server.debug(`  [${toolName}] Made Python script executable`);
-          } catch (chmodError) {
-            server.debugError(`  [${toolName}] Warning: Could not make Python script executable: `, chmodError);
-            // Continue anyway - python3 will be called explicitly
-          }
-        }
-
-        // Lazy-load Python handler module
-        const { createPythonHandler } = require("./mcp_handler_python.cjs");
-        const timeout = tool.timeout || 60; // Default to 60 seconds if not specified
-        tool.handler = createPythonHandler(server, toolName, resolvedPath, timeout);
-
-        loadedCount++;
-        server.debug(`  [${toolName}] Python handler created successfully with timeout: ${timeout}s`);
-      } else {
-        // JavaScript/CommonJS handler - use require()
-        server.debug(`  [${toolName}] Loading JavaScript handler module`);
-
-        // Load the handler module
-        const handlerModule = require(resolvedPath);
-        server.debug(`  [${toolName}] Handler module loaded successfully`);
-        server.debug(`  [${toolName}] Module type: ${typeof handlerModule}`);
-
-        // Get the handler function (support default export patterns)
-        let handlerFn = handlerModule;
-
-        // Handle ES module default export pattern (module.default)
-        if (handlerModule && typeof handlerModule === "object" && typeof handlerModule.default === "function") {
-          handlerFn = handlerModule.default;
-          server.debug(`  [${toolName}] Using module.default export`);
-        }
-
-        // Validate that the handler is a function
-        if (typeof handlerFn !== "function") {
-          server.debug(`  [${toolName}] ERROR: Handler is not a function, got: ${typeof handlerFn}`);
-          server.debug(`  [${toolName}] Module keys: ${Object.keys(handlerModule || {}).join(", ") || "(none)"}`);
-          errorCount++;
-          continue;
-        }
-
-        server.debug(`  [${toolName}] Handler function validated successfully`);
-        server.debug(`  [${toolName}] Handler function name: ${handlerFn.name || "(anonymous)"}`);
-
-        // Wrap the handler using the separate function to avoid bloating the closure
-        tool.handler = createWrappedHandler(server, toolName, handlerFn);
-
-        loadedCount++;
-        server.debug(`  [${toolName}] JavaScript handler loaded and wrapped successfully`);
-      }
-    } catch (error) {
-      server.debugError(`  [${toolName}] ERROR loading handler: `, error);
-      errorCount++;
-    }
-  }
-
-  server.debug(`Handler loading complete:`);
-  server.debug(`  Loaded: ${loadedCount}`);
-  server.debug(`  Skipped (no handler path): ${skippedCount}`);
-  server.debug(`  Errors: ${errorCount}`);
-
-  return tools;
-}
-
-/**
- * Register a tool with the server
- * @param {MCPServer} server - The MCP server instance
- * @param {Tool} tool - The tool to register
- */
-function registerTool(server, tool) {
-  const normalizedName = normalizeTool(tool.name);
-  server.tools[normalizedName] = {
-    ...tool,
-    name: normalizedName,
-  };
-  server.debug(`Registered tool: ${normalizedName}`);
-}
-
-/**
- * Normalize a tool name (convert dashes to underscores, lowercase)
- * @param {string} name - The tool name to normalize
- * @returns {string} Normalized tool name
- */
-function normalizeTool(name) {
-  return name.replace(/-/g, "_").toLowerCase();
-}
-
-/**
- * Handle an incoming JSON-RPC request and return a response (for HTTP transport)
- * This function is compatible with the MCPServer class's handleRequest method.
- * @param {MCPServer} server - The MCP server instance
- * @param {Object} request - The incoming JSON-RPC request
- * @param {Function} [defaultHandler] - Default handler for tools without a handler
- * @returns {Promise<Object|null>} JSON-RPC response object, or null for notifications
- */
-async function handleRequest(server, request, defaultHandler) {
-  const { id, method, params } = request;
-
-  try {
-    // Handle notifications per JSON-RPC 2.0 spec:
-    // Requests without id field are notifications (no response)
-    // Note: id can be null for valid requests, so we check for field presence with "in" operator
-    if (!("id" in request)) {
-      // No id field - this is a notification (no response)
-      return null;
-    }
-
-    let result;
-
-    if (method === "initialize") {
-      const protocolVersion = params?.protocolVersion || "2024-11-05";
-      result = {
-        protocolVersion,
-        serverInfo: server.serverInfo,
-        capabilities: {
-          tools: {},
-        },
-      };
-    } else if (method === "ping") {
-      result = {};
-    } else if (method === "tools/list") {
-      const list = [];
-      Object.values(server.tools).forEach(tool => {
-        const toolDef = {
-          name: tool.name,
-          description: tool.description,
-          inputSchema: tool.inputSchema,
-        };
-        list.push(toolDef);
-      });
-      result = { tools: list };
-    } else if (method === "tools/call") {
-      const name = params?.name;
-      const args = params?.arguments ?? {};
-      if (!name || typeof name !== "string") {
-        throw {
-          code: -32602,
-          message: "Invalid params: 'name' must be a string",
-        };
-      }
-      const tool = server.tools[normalizeTool(name)];
-      if (!tool) {
-        throw {
-          code: -32602,
-          message: `Tool '${name}' not found`,
-        };
-      }
-
-      // Use tool handler, or default handler, or error
-      let handler = tool.handler;
-      if (!handler && defaultHandler) {
-        handler = defaultHandler(tool.name);
-      }
-      if (!handler) {
-        throw {
-          code: -32603,
-          message: `No handler for tool: ${name}`,
-        };
-      }
-
-      const missing = validateRequiredFields(args, tool.inputSchema);
-      if (missing.length) {
-        throw {
-          code: -32602,
-          message: `Invalid arguments: missing or empty ${missing.map(m => `'${m}'`).join(", ")}`,
-        };
-      }
-
-      // Call handler and await the result (supports both sync and async handlers)
-      const handlerResult = await Promise.resolve(handler(args));
-      const content = handlerResult && handlerResult.content ? handlerResult.content : [];
-      result = { content, isError: false };
-    } else if (/^notifications\//.test(method)) {
-      // Notifications don't need a response
-      return null;
-    } else {
-      throw {
-        code: -32601,
-        message: `Method not found: ${method}`,
-      };
-    }
-
-    return {
-      jsonrpc: "2.0",
-      id,
-      result,
-    };
-  } catch (error) {
-    /** @type {any} */
-    const err = error;
-    return {
-      jsonrpc: "2.0",
-      id,
-      error: {
-        code: err.code || -32603,
-        message: err.message || "Internal error",
-      },
-    };
-  }
-}
-
-/**
- * Handle an incoming JSON-RPC message (for stdio transport)
- * @param {MCPServer} server - The MCP server instance
- * @param {Object} req - The incoming request
- * @param {Function} [defaultHandler] - Default handler for tools without a handler
- * @returns {Promise<void>}
- */
-async function handleMessage(server, req, defaultHandler) {
-  // Validate basic JSON-RPC structure
-  if (!req || typeof req !== "object") {
-    server.debug(`Invalid message: not an object`);
-    return;
-  }
-
-  if (req.jsonrpc !== "2.0") {
-    server.debug(`Invalid message: missing or invalid jsonrpc field`);
-    return;
-  }
-
-  const { id, method, params } = req;
-
-  // Validate method field
-  if (!method || typeof method !== "string") {
-    server.replyError(id, -32600, "Invalid Request: method must be a string");
-    return;
-  }
-
-  try {
-    if (method === "initialize") {
-      const clientInfo = params?.clientInfo ?? {};
-      server.debug(`client info: ${JSON.stringify(clientInfo)}`);
-      const protocolVersion = params?.protocolVersion ?? undefined;
-      const result = {
-        serverInfo: server.serverInfo,
-        ...(protocolVersion ? { protocolVersion } : {}),
-        capabilities: {
-          tools: {},
-        },
-      };
-      server.replyResult(id, result);
-    } else if (method === "tools/list") {
-      const list = [];
-      Object.values(server.tools).forEach(tool => {
-        const toolDef = {
-          name: tool.name,
-          description: tool.description,
-          inputSchema: tool.inputSchema,
-        };
-        list.push(toolDef);
-      });
-      server.replyResult(id, { tools: list });
-    } else if (method === "tools/call") {
-      const name = params?.name;
-      const args = params?.arguments ?? {};
-      if (!name || typeof name !== "string") {
-        server.replyError(id, -32602, "Invalid params: 'name' must be a string");
-        return;
-      }
-      const tool = server.tools[normalizeTool(name)];
-      if (!tool) {
-        server.replyError(id, -32601, `Tool not found: ${name} (${normalizeTool(name)})`);
-        return;
-      }
-
-      // Use tool handler, or default handler, or error
-      let handler = tool.handler;
-      if (!handler && defaultHandler) {
-        handler = defaultHandler(tool.name);
-      }
-      if (!handler) {
-        server.replyError(id, -32603, `No handler for tool: ${name}`);
-        return;
-      }
-
-      const missing = validateRequiredFields(args, tool.inputSchema);
-      if (missing.length) {
-        server.replyError(id, -32602, `Invalid arguments: missing or empty ${missing.map(m => `'${m}'`).join(", ")}`);
-        return;
-      }
-
-      // Call handler and await the result (supports both sync and async handlers)
-      server.debug(`Calling handler for tool: ${name}`);
-      const result = await Promise.resolve(handler(args));
-      server.debug(`Handler returned for tool: ${name}`);
-      const content = result && result.content ? result.content : [];
-      server.replyResult(id, { content, isError: false });
-    } else if (/^notifications\//.test(method)) {
-      server.debug(`ignore ${method}`);
-    } else {
-      server.replyError(id, -32601, `Method not found: ${method}`);
-    }
-  } catch (e) {
-    server.replyError(id, -32603, e instanceof Error ? e.message : String(e));
-  }
-}
-
-/**
- * Process the read buffer and handle messages
- * @param {MCPServer} server - The MCP server instance
- * @param {Function} [defaultHandler] - Default handler for tools without a handler
- * @returns {Promise<void>}
- */
-async function processReadBuffer(server, defaultHandler) {
-  while (true) {
-    try {
-      const message = server.readBuffer.readMessage();
-      if (!message) {
-        break;
-      }
-      server.debug(`recv: ${JSON.stringify(message)}`);
-      await handleMessage(server, message, defaultHandler);
-    } catch (error) {
-      // For parse errors, we can't know the request id, so we shouldn't send a response
-      // according to JSON-RPC spec. Just log the error.
-      server.debug(`Parse error: ${error instanceof Error ? error.message : String(error)}`);
-    }
-  }
-}
-
-/**
- * Start the MCP server on stdio
- * @param {MCPServer} server - The MCP server instance
- * @param {Object} [options] - Start options
- * @param {Function} [options.defaultHandler] - Default handler for tools without a handler
- */
-function start(server, options = {}) {
-  const { defaultHandler } = options;
-
-  server.debug(`v${server.serverInfo.version} ready on stdio`);
-  server.debug(`  tools: ${Object.keys(server.tools).join(", ")}`);
-
-  if (!Object.keys(server.tools).length) {
-    throw new Error("No tools registered");
-  }
-
-  const onData = async chunk => {
-    server.readBuffer.append(chunk);
-    await processReadBuffer(server, defaultHandler);
-  };
-
-  process.stdin.on("data", onData);
-  process.stdin.on("error", err => server.debug(`stdin error: ${err}`));
-  process.stdin.resume();
-  server.debug(`listening...`);
-}
-
-module.exports = {
-  createServer,
-  registerTool,
-  normalizeTool,
-  handleRequest,
-  handleMessage,
-  processReadBuffer,
-  start,
-  loadToolHandlers,
-};
diff --git a/actions/setup-safe-outputs/js/messages.cjs b/actions/setup-safe-outputs/js/messages.cjs
deleted file mode 100644
index 401a4adf8e3..00000000000
--- a/actions/setup-safe-outputs/js/messages.cjs
+++ /dev/null
@@ -1,58 +0,0 @@
-// @ts-check
-/// <reference types="@actions/github-script" />
-
-/**
- * Safe Output Messages Module (Barrel File)
- *
- * This module re-exports all message functions from the modular message files.
- * It provides backward compatibility for existing code that imports from messages.cjs.
- *
- * For new code, prefer importing directly from the specific modules:
- * - ./messages_core.cjs - Core utilities (getMessages, renderTemplate, toSnakeCase)
- * - ./messages_footer.cjs - Footer messages (getFooterMessage, getFooterInstallMessage, generateFooterWithMessages)
- * - ./messages_staged.cjs - Staged mode messages (getStagedTitle, getStagedDescription)
- * - ./messages_run_status.cjs - Run status messages (getRunStartedMessage, getRunSuccessMessage, getRunFailureMessage)
- * - ./messages_close_discussion.cjs - Close discussion messages (getCloseOlderDiscussionMessage)
- *
- * Supported placeholders:
- * - {workflow_name} - Name of the workflow
- * - {run_url} - URL to the workflow run
- * - {workflow_source} - Source specification (owner/repo/path@ref)
- * - {workflow_source_url} - GitHub URL for the workflow source
- * - {triggering_number} - Issue/PR/Discussion number that triggered this workflow
- * - {operation} - Operation name (for staged mode titles/descriptions)
- * - {event_type} - Event type description (for run-started messages)
- * - {status} - Workflow status text (for run-failure messages)
- *
- * Both camelCase and snake_case placeholder formats are supported.
- */
-
-// Re-export core utilities
-const { getMessages, renderTemplate } = require("./messages_core.cjs");
-
-// Re-export footer messages
-const { getFooterMessage, getFooterInstallMessage, generateFooterWithMessages, generateXMLMarker } = require("./messages_footer.cjs");
-
-// Re-export staged mode messages
-const { getStagedTitle, getStagedDescription } = require("./messages_staged.cjs");
-
-// Re-export run status messages
-const { getRunStartedMessage, getRunSuccessMessage, getRunFailureMessage } = require("./messages_run_status.cjs");
-
-// Re-export close discussion messages
-const { getCloseOlderDiscussionMessage } = require("./messages_close_discussion.cjs");
-
-module.exports = {
-  getMessages,
-  renderTemplate,
-  getFooterMessage,
-  getFooterInstallMessage,
-  generateFooterWithMessages,
-  generateXMLMarker,
-  getStagedTitle,
-  getStagedDescription,
-  getRunStartedMessage,
-  getRunSuccessMessage,
-  getRunFailureMessage,
-  getCloseOlderDiscussionMessage,
-};
diff --git a/actions/setup-safe-outputs/js/safe_outputs_bootstrap.cjs b/actions/setup-safe-outputs/js/safe_outputs_bootstrap.cjs
deleted file mode 100644
index 68b63569e5a..00000000000
--- a/actions/setup-safe-outputs/js/safe_outputs_bootstrap.cjs
+++ /dev/null
@@ -1,74 +0,0 @@
-// @ts-check
-
-/**
- * Safe Outputs Bootstrap Module
- *
- * This module provides shared bootstrap logic for safe-outputs MCP server.
- * It handles configuration loading, tools loading, and cleanup that is
- * common initialization logic.
- *
- * Usage:
- *   const { bootstrapSafeOutputsServer } = require("./safe_outputs_bootstrap.cjs");
- *   const { config, outputFile, tools } = bootstrapSafeOutputsServer(server);
- */
-
-const fs = require("fs");
-const { loadConfig } = require("./safe_outputs_config.cjs");
-const { loadTools } = require("./safe_outputs_tools_loader.cjs");
-
-/**
- * @typedef {Object} Logger
- * @property {Function} debug - Debug logging function
- * @property {Function} debugError - Error logging function
- */
-
-/**
- * @typedef {Object} BootstrapResult
- * @property {Object} config - Loaded configuration
- * @property {string} outputFile - Path to the output file
- * @property {Array} tools - Loaded tool definitions
- */
-
-/**
- * Bootstrap a safe-outputs server by loading configuration and tools.
- * This function performs the common initialization steps.
- *
- * @param {Logger} logger - Logger instance for debug messages
- * @returns {BootstrapResult} Configuration, output file path, and loaded tools
- */
-function bootstrapSafeOutputsServer(logger) {
-  // Load configuration
-  logger.debug("Loading safe-outputs configuration");
-  const { config, outputFile } = loadConfig(logger);
-
-  // Load tools
-  logger.debug("Loading safe-outputs tools");
-  const tools = loadTools(logger);
-
-  return { config, outputFile, tools };
-}
-
-/**
- * Delete the configuration file to ensure no secrets remain on disk.
- * This should be called after the server has been configured and started.
- *
- * @param {Logger} logger - Logger instance for debug messages
- */
-function cleanupConfigFile(logger) {
-  const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json";
-
-  try {
-    if (fs.existsSync(configPath)) {
-      fs.unlinkSync(configPath);
-      logger.debug(`Deleted configuration file: ${configPath}`);
-    }
-  } catch (error) {
-    logger.debugError("Warning: Could not delete configuration file: ", error);
-    // Continue anyway - the server is already running
-  }
-}
-
-module.exports = {
-  bootstrapSafeOutputsServer,
-  cleanupConfigFile,
-};
diff --git a/actions/setup-safe-outputs/js/safe_outputs_config.cjs b/actions/setup-safe-outputs/js/safe_outputs_config.cjs
deleted file mode 100644
index debc3410425..00000000000
--- a/actions/setup-safe-outputs/js/safe_outputs_config.cjs
+++ /dev/null
@@ -1,59 +0,0 @@
-// @ts-check
-
-const fs = require("fs");
-const path = require("path");
-
-/**
- * Load and process safe outputs configuration
- * @param {Object} server - The MCP server instance for logging
- * @returns {Object} An object containing the processed config and output file path
- */
-function loadConfig(server) {
-  // Read configuration from file
-  const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/tmp/gh-aw/safeoutputs/config.json";
-  let safeOutputsConfigRaw;
-
-  server.debug(`Reading config from file: ${configPath}`);
-
-  try {
-    if (fs.existsSync(configPath)) {
-      server.debug(`Config file exists at: ${configPath}`);
-      const configFileContent = fs.readFileSync(configPath, "utf8");
-      server.debug(`Config file content length: ${configFileContent.length} characters`);
-      // Don't log raw content to avoid exposing sensitive configuration data
-      server.debug(`Config file read successfully, attempting to parse JSON`);
-      safeOutputsConfigRaw = JSON.parse(configFileContent);
-      server.debug(`Successfully parsed config from file with ${Object.keys(safeOutputsConfigRaw).length} configuration keys`);
-    } else {
-      server.debug(`Config file does not exist at: ${configPath}`);
-      server.debug(`Using minimal default configuration`);
-      safeOutputsConfigRaw = {};
-    }
-  } catch (error) {
-    server.debug(`Error reading config file: ${error instanceof Error ? error.message : String(error)}`);
-    server.debug(`Falling back to empty configuration`);
-    safeOutputsConfigRaw = {};
-  }
-
-  const safeOutputsConfig = Object.fromEntries(Object.entries(safeOutputsConfigRaw).map(([k, v]) => [k.replace(/-/g, "_"), v]));
-  server.debug(`Final processed config: ${JSON.stringify(safeOutputsConfig)}`);
-
-  // Handle GH_AW_SAFE_OUTPUTS with default fallback
-  const outputFile = process.env.GH_AW_SAFE_OUTPUTS || "/tmp/gh-aw/safeoutputs/outputs.jsonl";
-  if (!process.env.GH_AW_SAFE_OUTPUTS) {
-    server.debug(`GH_AW_SAFE_OUTPUTS not set, using default: ${outputFile}`);
-  }
-  // Always ensure the directory exists, regardless of whether env var is set
-  const outputDir = path.dirname(outputFile);
-  if (!fs.existsSync(outputDir)) {
-    server.debug(`Creating output directory: ${outputDir}`);
-    fs.mkdirSync(outputDir, { recursive: true });
-  }
-
-  return {
-    config: safeOutputsConfig,
-    outputFile: outputFile,
-  };
-}
-
-module.exports = { loadConfig };
diff --git a/actions/setup-safe-outputs/js/safe_outputs_handlers.cjs b/actions/setup-safe-outputs/js/safe_outputs_handlers.cjs
deleted file mode 100644
index 60c7569222d..00000000000
--- a/actions/setup-safe-outputs/js/safe_outputs_handlers.cjs
+++ /dev/null
@@ -1,322 +0,0 @@
-// @ts-check
-
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-const { normalizeBranchName } = require("./normalize_branch_name.cjs");
-const { estimateTokens } = require("./estimate_tokens.cjs");
-const { writeLargeContentToFile } = require("./write_large_content_to_file.cjs");
-const { getCurrentBranch } = require("./get_current_branch.cjs");
-const { getBaseBranch } = require("./get_base_branch.cjs");
-const { generateGitPatch } = require("./generate_git_patch.cjs");
-
-/**
- * Create handlers for safe output tools
- * @param {Object} server - The MCP server instance for logging
- * @param {Function} appendSafeOutput - Function to append entries to the output file
- * @param {Object} [config] - Optional configuration object with safe output settings
- * @returns {Object} An object containing all handler functions
- */
-function createHandlers(server, appendSafeOutput, config = {}) {
-  /**
-   * Default handler for safe output tools
-   * @param {string} type - The tool type
-   * @returns {Function} Handler function
-   */
-  const defaultHandler = type => args => {
-    const entry = { ...(args || {}), type };
-
-    // Check if any field in the entry has content exceeding 16000 tokens
-    let largeContent = null;
-    let largeFieldName = null;
-    const TOKEN_THRESHOLD = 16000;
-
-    for (const [key, value] of Object.entries(entry)) {
-      if (typeof value === "string") {
-        const tokens = estimateTokens(value);
-        if (tokens > TOKEN_THRESHOLD) {
-          largeContent = value;
-          largeFieldName = key;
-          server.debug(`Field '${key}' has ${tokens} tokens (exceeds ${TOKEN_THRESHOLD})`);
-          break;
-        }
-      }
-    }
-
-    if (largeContent && largeFieldName) {
-      // Write large content to file
-      const fileInfo = writeLargeContentToFile(largeContent);
-
-      // Replace large field with file reference
-      entry[largeFieldName] = `[Content too large, saved to file: ${fileInfo.filename}]`;
-
-      // Append modified entry to safe outputs
-      appendSafeOutput(entry);
-
-      // Return file info to the agent
-      return {
-        content: [
-          {
-            type: "text",
-            text: JSON.stringify(fileInfo),
-          },
-        ],
-      };
-    }
-
-    // Normal case - no large content
-    appendSafeOutput(entry);
-    return {
-      content: [
-        {
-          type: "text",
-          text: JSON.stringify({ result: "success" }),
-        },
-      ],
-    };
-  };
-
-  /**
-   * Handler for upload_asset tool
-   */
-  const uploadAssetHandler = args => {
-    const branchName = process.env.GH_AW_ASSETS_BRANCH;
-    if (!branchName) throw new Error("GH_AW_ASSETS_BRANCH not set");
-
-    // Normalize the branch name to ensure it's a valid git branch name
-    const normalizedBranchName = normalizeBranchName(branchName);
-
-    const { path: filePath } = args;
-
-    // Validate file path is within allowed directories
-    const absolutePath = path.resolve(filePath);
-    const workspaceDir = process.env.GITHUB_WORKSPACE || process.cwd();
-    const tmpDir = "/tmp";
-
-    const isInWorkspace = absolutePath.startsWith(path.resolve(workspaceDir));
-    const isInTmp = absolutePath.startsWith(tmpDir);
-
-    if (!isInWorkspace && !isInTmp) {
-      throw new Error(`File path must be within workspace directory (${workspaceDir}) or /tmp directory. ` + `Provided path: ${filePath} (resolved to: ${absolutePath})`);
-    }
-
-    // Validate file exists
-    if (!fs.existsSync(filePath)) {
-      throw new Error(`File not found: ${filePath}`);
-    }
-
-    // Get file stats
-    const stats = fs.statSync(filePath);
-    const sizeBytes = stats.size;
-    const sizeKB = Math.ceil(sizeBytes / 1024);
-
-    // Check file size - read from environment variable if available
-    const maxSizeKB = process.env.GH_AW_ASSETS_MAX_SIZE_KB ? parseInt(process.env.GH_AW_ASSETS_MAX_SIZE_KB, 10) : 10240; // Default 10MB
-    if (sizeKB > maxSizeKB) {
-      throw new Error(`File size ${sizeKB} KB exceeds maximum allowed size ${maxSizeKB} KB`);
-    }
-
-    // Check file extension - read from environment variable if available
-    const ext = path.extname(filePath).toLowerCase();
-    const allowedExts = process.env.GH_AW_ASSETS_ALLOWED_EXTS
-      ? process.env.GH_AW_ASSETS_ALLOWED_EXTS.split(",").map(ext => ext.trim())
-      : [
-          // Default set as specified in problem statement
-          ".png",
-          ".jpg",
-          ".jpeg",
-        ];
-
-    if (!allowedExts.includes(ext)) {
-      throw new Error(`File extension '${ext}' is not allowed. Allowed extensions: ${allowedExts.join(", ")}`);
-    }
-
-    // Create assets directory
-    const assetsDir = "/tmp/gh-aw/safeoutputs/assets";
-    if (!fs.existsSync(assetsDir)) {
-      fs.mkdirSync(assetsDir, { recursive: true });
-    }
-
-    // Read file and compute hash
-    const fileContent = fs.readFileSync(filePath);
-    const sha = crypto.createHash("sha256").update(fileContent).digest("hex");
-
-    // Extract filename and extension
-    const fileName = path.basename(filePath);
-    const fileExt = path.extname(fileName).toLowerCase();
-
-    // Copy file to assets directory with original name
-    const targetPath = path.join(assetsDir, fileName);
-    fs.copyFileSync(filePath, targetPath);
-
-    // Generate target filename as sha + extension (lowercased)
-    const targetFileName = (sha + fileExt).toLowerCase();
-
-    const githubServer = process.env.GITHUB_SERVER_URL || "https://github.com";
-    const repo = process.env.GITHUB_REPOSITORY || "owner/repo";
-    const url = `${githubServer.replace("github.com", "raw.githubusercontent.com")}/${repo}/${normalizedBranchName}/${targetFileName}`;
-
-    // Create entry for safe outputs
-    const entry = {
-      type: "upload_asset",
-      path: filePath,
-      fileName: fileName,
-      sha: sha,
-      size: sizeBytes,
-      url: url,
-      targetFileName: targetFileName,
-    };
-
-    appendSafeOutput(entry);
-
-    return {
-      content: [
-        {
-          type: "text",
-          text: JSON.stringify({ result: url }),
-        },
-      ],
-    };
-  };
-
-  /**
-   * Handler for create_pull_request tool
-   * Resolves the current branch if branch is not provided or is the base branch
-   * Generates git patch for the changes (unless allow-empty is true)
-   */
-  const createPullRequestHandler = args => {
-    const entry = { ...args, type: "create_pull_request" };
-    const baseBranch = getBaseBranch();
-
-    // If branch is not provided, is empty, or equals the base branch, use the current branch from git
-    // This handles cases where the agent incorrectly passes the base branch instead of the working branch
-    if (!entry.branch || entry.branch.trim() === "" || entry.branch === baseBranch) {
-      const detectedBranch = getCurrentBranch();
-
-      if (entry.branch === baseBranch) {
-        server.debug(`Branch equals base branch (${baseBranch}), detecting actual working branch: ${detectedBranch}`);
-      } else {
-        server.debug(`Using current branch for create_pull_request: ${detectedBranch}`);
-      }
-
-      entry.branch = detectedBranch;
-    }
-
-    // Check if allow-empty is enabled in configuration
-    const allowEmpty = config.create_pull_request?.allow_empty === true;
-
-    if (allowEmpty) {
-      server.debug(`allow-empty is enabled for create_pull_request - skipping patch generation`);
-      // Append the safe output entry without generating a patch
-      appendSafeOutput(entry);
-      return {
-        content: [
-          {
-            type: "text",
-            text: JSON.stringify({
-              result: "success",
-              message: "Pull request prepared (allow-empty mode - no patch generated)",
-              branch: entry.branch,
-            }),
-          },
-        ],
-      };
-    }
-
-    // Generate git patch
-    server.debug(`Generating patch for create_pull_request with branch: ${entry.branch}`);
-    const patchResult = generateGitPatch(entry.branch);
-
-    if (!patchResult.success) {
-      // Patch generation failed or patch is empty
-      const errorMsg = patchResult.error || "Failed to generate patch";
-      server.debug(`Patch generation failed: ${errorMsg}`);
-      throw new Error(errorMsg);
-    }
-
-    // prettier-ignore
-    server.debug(`Patch generated successfully: ${patchResult.patchPath} (${patchResult.patchSize} bytes, ${patchResult.patchLines} lines)`);
-
-    appendSafeOutput(entry);
-    return {
-      content: [
-        {
-          type: "text",
-          text: JSON.stringify({
-            result: "success",
-            patch: {
-              path: patchResult.patchPath,
-              size: patchResult.patchSize,
-              lines: patchResult.patchLines,
-            },
-          }),
-        },
-      ],
-    };
-  };
-
-  /**
-   * Handler for push_to_pull_request_branch tool
-   * Resolves the current branch if branch is not provided or is the base branch
-   * Generates git patch for the changes
-   */
-  const pushToPullRequestBranchHandler = args => {
-    const entry = { ...args, type: "push_to_pull_request_branch" };
-    const baseBranch = getBaseBranch();
-
-    // If branch is not provided, is empty, or equals the base branch, use the current branch from git
-    // This handles cases where the agent incorrectly passes the base branch instead of the working branch
-    if (!entry.branch || entry.branch.trim() === "" || entry.branch === baseBranch) {
-      const detectedBranch = getCurrentBranch();
-
-      if (entry.branch === baseBranch) {
-        server.debug(`Branch equals base branch (${baseBranch}), detecting actual working branch: ${detectedBranch}`);
-      } else {
-        server.debug(`Using current branch for push_to_pull_request_branch: ${detectedBranch}`);
-      }
-
-      entry.branch = detectedBranch;
-    }
-
-    // Generate git patch
-    server.debug(`Generating patch for push_to_pull_request_branch with branch: ${entry.branch}`);
-    const patchResult = generateGitPatch(entry.branch);
-
-    if (!patchResult.success) {
-      // Patch generation failed or patch is empty
-      const errorMsg = patchResult.error || "Failed to generate patch";
-      server.debug(`Patch generation failed: ${errorMsg}`);
-      throw new Error(errorMsg);
-    }
-
-    // prettier-ignore
-    server.debug(`Patch generated successfully: ${patchResult.patchPath} (${patchResult.patchSize} bytes, ${patchResult.patchLines} lines)`);
-
-    appendSafeOutput(entry);
-    return {
-      content: [
-        {
-          type: "text",
-          text: JSON.stringify({
-            result: "success",
-            patch: {
-              path: patchResult.patchPath,
-              size: patchResult.patchSize,
-              lines: patchResult.patchLines,
-            },
-          }),
-        },
-      ],
-    };
-  };
-
-  return {
-    defaultHandler,
-    uploadAssetHandler,
-    createPullRequestHandler,
-    pushToPullRequestBranchHandler,
-  };
-}
-
-module.exports = { createHandlers };
diff --git a/actions/setup-safe-outputs/js/safe_outputs_mcp_server.cjs b/actions/setup-safe-outputs/js/safe_outputs_mcp_server.cjs
deleted file mode 100644
index 0abd29c73a9..00000000000
--- a/actions/setup-safe-outputs/js/safe_outputs_mcp_server.cjs
+++ /dev/null
@@ -1,80 +0,0 @@
-// @ts-check
-
-// Safe Outputs MCP Server Module
-//
-// This module provides a reusable MCP server for safe-outputs configuration.
-// It uses the mcp_server_core module for JSON-RPC handling and tool registration.
-//
-// Usage:
-//   node safe_outputs_mcp_server.cjs
-//
-// Or as a module:
-//   const server = require("./safe_outputs_mcp_server.cjs");
-//   server.startSafeOutputsServer();
-
-const { createServer, registerTool, normalizeTool, start } = require("./mcp_server_core.cjs");
-const { createAppendFunction } = require("./safe_outputs_append.cjs");
-const { createHandlers } = require("./safe_outputs_handlers.cjs");
-const { attachHandlers, registerPredefinedTools, registerDynamicTools } = require("./safe_outputs_tools_loader.cjs");
-const { bootstrapSafeOutputsServer, cleanupConfigFile } = require("./safe_outputs_bootstrap.cjs");
-
-/**
- * Start the safe-outputs MCP server
- * @param {Object} [options] - Additional options
- * @param {string} [options.logDir] - Override log directory
- * @param {boolean} [options.skipCleanup] - Skip deletion of config file (useful for testing)
- */
-function startSafeOutputsServer(options = {}) {
-  // Server info for safe outputs MCP server
-  const SERVER_INFO = { name: "safeoutputs", version: "1.0.0" };
-
-  // Create the server instance with optional log directory
-  const MCP_LOG_DIR = options.logDir || process.env.GH_AW_MCP_LOG_DIR;
-  const server = createServer(SERVER_INFO, { logDir: MCP_LOG_DIR });
-
-  // Bootstrap: load configuration and tools using shared logic
-  const { config: safeOutputsConfig, outputFile, tools: ALL_TOOLS } = bootstrapSafeOutputsServer(server);
-
-  // Create append function
-  const appendSafeOutput = createAppendFunction(outputFile);
-
-  // Create handlers with configuration
-  const handlers = createHandlers(server, appendSafeOutput, safeOutputsConfig);
-  const { defaultHandler } = handlers;
-
-  // Attach handlers to tools
-  const toolsWithHandlers = attachHandlers(ALL_TOOLS, handlers);
-
-  server.debug(`  output file: ${outputFile}`);
-  server.debug(`  config: ${JSON.stringify(safeOutputsConfig)}`);
-
-  // Register predefined tools that are enabled in configuration
-  registerPredefinedTools(server, toolsWithHandlers, safeOutputsConfig, registerTool, normalizeTool);
-
-  // Add safe-jobs as dynamic tools
-  registerDynamicTools(server, toolsWithHandlers, safeOutputsConfig, outputFile, registerTool, normalizeTool);
-
-  server.debug(`  tools: ${Object.keys(server.tools).join(", ")}`);
-  if (!Object.keys(server.tools).length) throw new Error("No tools enabled in configuration");
-
-  // Note: We do NOT cleanup the config file here because it's needed by the ingestion
-  // phase (collect_ndjson_output.cjs) that runs after the MCP server completes.
-  // The config file only contains schema information (no secrets), so it's safe to leave.
-
-  // Start the server with the default handler
-  start(server, { defaultHandler });
-}
-
-// If run directly, start the server
-if (require.main === module) {
-  try {
-    startSafeOutputsServer();
-  } catch (error) {
-    console.error(`Error starting safe-outputs server: ${error instanceof Error ? error.message : String(error)}`);
-    process.exit(1);
-  }
-}
-
-module.exports = {
-  startSafeOutputsServer,
-};
diff --git a/actions/setup-safe-outputs/js/safe_outputs_tools.json b/actions/setup-safe-outputs/js/safe_outputs_tools.json
deleted file mode 100644
index 986b5ab682b..00000000000
--- a/actions/setup-safe-outputs/js/safe_outputs_tools.json
+++ /dev/null
@@ -1,591 +0,0 @@
-[
-  {
-    "name": "create_issue",
-    "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["title", "body"],
-      "properties": {
-        "title": {
-          "type": "string",
-          "description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive."
-        },
-        "body": {
-          "type": "string",
-          "description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate."
-        },
-        "labels": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository."
-        },
-        "parent": {
-          "type": ["number", "string"],
-          "description": "Parent issue number for creating sub-issues. Can be a real issue number (e.g., 42) or a temporary_id (e.g., 'aw_abc123def456') from a previously created issue in the same workflow run."
-        },
-        "temporary_id": {
-          "type": "string",
-          "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 12 hex characters (e.g., 'aw_abc123def456'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "create_agent_task",
-    "description": "Create a GitHub Copilot agent task to delegate coding work. Use this when you need another Copilot agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["body"],
-      "properties": {
-        "body": {
-          "type": "string",
-          "description": "Clear, detailed task description for the Copilot agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "create_discussion",
-    "description": "Create a GitHub discussion for announcements, Q&A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["title", "body"],
-      "properties": {
-        "title": {
-          "type": "string",
-          "description": "Concise discussion title summarizing the topic. The title appears as the main heading, so keep it brief and descriptive."
-        },
-        "body": {
-          "type": "string",
-          "description": "Discussion content in Markdown. Do NOT repeat the title as a heading since it already appears as the discussion's h1. Include all relevant context, findings, or questions."
-        },
-        "category": {
-          "type": "string",
-          "description": "Discussion category by name (e.g., 'General'), slug (e.g., 'general'), or ID. If omitted, uses the first available category. Category must exist in the repository."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "close_discussion",
-    "description": "Close a GitHub discussion with a resolution comment and optional reason. Use this to mark discussions as resolved, answered, or no longer needed. The closing comment should explain why the discussion is being closed.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["body"],
-      "properties": {
-        "body": {
-          "type": "string",
-          "description": "Closing comment explaining why the discussion is being closed and summarizing any resolution or conclusion."
-        },
-        "reason": {
-          "type": "string",
-          "enum": ["RESOLVED", "DUPLICATE", "OUTDATED", "ANSWERED"],
-          "description": "Resolution reason: RESOLVED (issue addressed), DUPLICATE (discussed elsewhere), OUTDATED (no longer relevant), or ANSWERED (question answered)."
-        },
-        "discussion_number": {
-          "type": ["number", "string"],
-          "description": "Discussion number to close. If omitted, closes the discussion that triggered this workflow (requires a discussion event trigger)."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "close_issue",
-    "description": "Close a GitHub issue with a closing comment. Use this when work is complete, the issue is no longer relevant, or it's a duplicate. The closing comment should explain the resolution or reason for closing.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["body"],
-      "properties": {
-        "body": {
-          "type": "string",
-          "description": "Closing comment explaining why the issue is being closed and summarizing any resolution, workaround, or conclusion."
-        },
-        "issue_number": {
-          "type": ["number", "string"],
-          "description": "Issue number to close. If omitted, closes the issue that triggered this workflow (requires an issue event trigger)."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "close_pull_request",
-    "description": "Close a pull request WITHOUT merging, adding a closing comment. Use this for PRs that should be abandoned, superseded, or closed for other reasons. The closing comment should explain why the PR is being closed. This does NOT merge the changes.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["body"],
-      "properties": {
-        "body": {
-          "type": "string",
-          "description": "Closing comment explaining why the PR is being closed without merging (e.g., superseded by another PR, no longer needed, approach rejected)."
-        },
-        "pull_request_number": {
-          "type": ["number", "string"],
-          "description": "Pull request number to close. If omitted, closes the PR that triggered this workflow (requires a pull_request event trigger)."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "add_comment",
-    "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["body", "item_number"],
-      "properties": {
-        "body": {
-          "type": "string",
-          "description": "Comment content in Markdown. Provide helpful, relevant information that adds value to the conversation."
-        },
-        "item_number": {
-          "type": "number",
-          "description": "The issue, pull request, or discussion number to comment on. Must be a valid existing item in the repository."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "create_pull_request",
-    "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["title", "body"],
-      "properties": {
-        "title": {
-          "type": "string",
-          "description": "Concise PR title describing the changes. Follow repository conventions (e.g., conventional commits). The title appears as the main heading."
-        },
-        "body": {
-          "type": "string",
-          "description": "Detailed PR description in Markdown. Include what changes were made, why, testing notes, and any breaking changes. Do NOT repeat the title as a heading."
-        },
-        "branch": {
-          "type": "string",
-          "description": "Source branch name containing the changes. If omitted, uses the current working branch."
-        },
-        "labels": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Labels to categorize the PR (e.g., 'enhancement', 'bugfix'). Labels must exist in the repository."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "create_pull_request_review_comment",
-    "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["path", "line", "body"],
-      "properties": {
-        "path": {
-          "type": "string",
-          "description": "File path relative to the repository root (e.g., 'src/auth/login.js'). Must be a file that was changed in the PR."
-        },
-        "line": {
-          "type": ["number", "string"],
-          "description": "Line number for the comment. For single-line comments, this is the target line. For multi-line comments, this is the ending line."
-        },
-        "body": {
-          "type": "string",
-          "description": "Review comment content in Markdown. Provide specific, actionable feedback about the code at this location."
-        },
-        "start_line": {
-          "type": ["number", "string"],
-          "description": "Starting line number for multi-line comments. When set, the comment spans from start_line to line. Omit for single-line comments."
-        },
-        "side": {
-          "type": "string",
-          "enum": ["LEFT", "RIGHT"],
-          "description": "Side of the diff to comment on: RIGHT for the new version (additions), LEFT for the old version (deletions). Defaults to RIGHT."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "create_code_scanning_alert",
-    "description": "Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["file", "line", "severity", "message"],
-      "properties": {
-        "file": {
-          "type": "string",
-          "description": "File path relative to the repository root where the issue was found (e.g., 'src/auth/password.js')."
-        },
-        "line": {
-          "type": ["number", "string"],
-          "description": "Line number where the issue was found in the file."
-        },
-        "severity": {
-          "type": "string",
-          "enum": ["error", "warning", "info", "note"],
-          "description": "Alert severity level: 'error' (critical security issues), 'warning' (potential problems), 'info' (informational), or 'note' (minor observations)."
-        },
-        "message": {
-          "type": "string",
-          "description": "Clear description of the security issue or finding. Include what's wrong and ideally how to fix it."
-        },
-        "column": {
-          "type": ["number", "string"],
-          "description": "Column number for more precise location of the issue within the line."
-        },
-        "ruleIdSuffix": {
-          "type": "string",
-          "description": "Suffix to append to the rule ID for categorizing different types of findings (e.g., 'sql-injection', 'xss')."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "add_labels",
-    "description": "Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["labels"],
-      "properties": {
-        "labels": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Label names to add (e.g., ['bug', 'priority-high']). Labels must exist in the repository."
-        },
-        "item_number": {
-          "type": "number",
-          "description": "Issue or PR number to add labels to. If omitted, adds labels to the item that triggered this workflow."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "add_reviewer",
-    "description": "Add reviewers to a GitHub pull request. Reviewers receive notifications and can approve or request changes. Use 'copilot' as a reviewer name to request the Copilot PR review bot.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["reviewers"],
-      "properties": {
-        "reviewers": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "GitHub usernames to add as reviewers (e.g., ['octocat', 'copilot']). Users must have access to the repository."
-        },
-        "pull_request_number": {
-          "type": ["number", "string"],
-          "description": "Pull request number to add reviewers to. If omitted, adds reviewers to the PR that triggered this workflow."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "assign_milestone",
-    "description": "Assign an issue to a milestone for release planning and progress tracking. Milestones must exist in the repository before assignment.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["issue_number", "milestone_number"],
-      "properties": {
-        "issue_number": {
-          "type": ["number", "string"],
-          "description": "Issue number to assign to the milestone."
-        },
-        "milestone_number": {
-          "type": ["number", "string"],
-          "description": "Milestone number (not title) to assign the issue to. Find milestone numbers in the repository's Milestones page."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "assign_to_agent",
-    "description": "Assign the GitHub Copilot coding agent to work on an issue. The agent will analyze the issue and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["issue_number"],
-      "properties": {
-        "issue_number": {
-          "type": ["number", "string"],
-          "description": "Issue number to assign the Copilot agent to. The issue should contain clear, actionable requirements."
-        },
-        "agent": {
-          "type": "string",
-          "description": "Agent identifier to assign. Defaults to 'copilot' (the Copilot coding agent) if not specified."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "assign_to_user",
-    "description": "Assign one or more GitHub users to an issue. Use this to delegate work to specific team members. Users must have access to the repository.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["issue_number"],
-      "properties": {
-        "issue_number": {
-          "type": ["number", "string"],
-          "description": "Issue number to assign users to. If omitted, assigns to the issue that triggered this workflow."
-        },
-        "assignees": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "GitHub usernames to assign to the issue (e.g., ['octocat', 'mona']). Users must have access to the repository."
-        },
-        "assignee": {
-          "type": "string",
-          "description": "Single GitHub username to assign. Use 'assignees' array for multiple users."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "update_issue",
-    "description": "Update an existing GitHub issue's status, title, or body. Use this to modify issue properties after creation. Only the fields you specify will be updated; other fields remain unchanged.",
-    "inputSchema": {
-      "type": "object",
-      "properties": {
-        "status": {
-          "type": "string",
-          "enum": ["open", "closed"],
-          "description": "New issue status: 'open' to reopen a closed issue, 'closed' to close an open issue."
-        },
-        "title": {
-          "type": "string",
-          "description": "New issue title to replace the existing title."
-        },
-        "body": {
-          "type": "string",
-          "description": "New issue body to replace the existing content. Use Markdown formatting."
-        },
-        "issue_number": {
-          "type": ["number", "string"],
-          "description": "Issue number to update. Required when the workflow target is '*' (any issue)."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "update_pull_request",
-    "description": "Update an existing GitHub pull request's title or body. Supports replacing, appending to, or prepending content to the body. Title is always replaced. Only the fields you specify will be updated; other fields remain unchanged.",
-    "inputSchema": {
-      "type": "object",
-      "properties": {
-        "title": {
-          "type": "string",
-          "description": "New pull request title to replace the existing title."
-        },
-        "body": {
-          "type": "string",
-          "description": "Pull request body content in Markdown. For 'replace', this becomes the entire body. For 'append'/'prepend', this is added with a separator."
-        },
-        "operation": {
-          "type": "string",
-          "enum": ["replace", "append", "prepend"],
-          "description": "How to update the PR body: 'replace' (default - completely overwrite), 'append' (add to end with separator), or 'prepend' (add to start with separator). Title is always replaced."
-        },
-        "pull_request_number": {
-          "type": ["number", "string"],
-          "description": "Pull request number to update. Required when the workflow target is '*' (any PR)."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "push_to_pull_request_branch",
-    "description": "Push committed changes to a pull request's branch. Use this to add follow-up commits to an existing PR, such as addressing review feedback or fixing issues. Changes must be committed locally before calling this tool.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["message"],
-      "properties": {
-        "branch": {
-          "type": "string",
-          "description": "Branch name to push changes from. If omitted, uses the current working branch. Only specify if you need to push from a different branch."
-        },
-        "message": {
-          "type": "string",
-          "description": "Commit message describing the changes. Follow repository commit message conventions (e.g., conventional commits)."
-        },
-        "pull_request_number": {
-          "type": ["number", "string"],
-          "description": "Pull request number to push changes to. Required when the workflow target is '*' (any PR)."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "upload_asset",
-    "description": "Upload a file as a URL-addressable asset that can be referenced in issues, PRs, or comments. The file is stored on an orphaned git branch and returns a permanent URL. Use this for images, diagrams, or other files that need to be embedded in GitHub content.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["path"],
-      "properties": {
-        "path": {
-          "type": "string",
-          "description": "Absolute file path to upload (e.g., '/tmp/chart.png'). Must be under the workspace or /tmp directory. By default, only image files (.png, .jpg, .jpeg) are allowed; other file types require workflow configuration."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "update_release",
-    "description": "Update a GitHub release description by replacing, appending to, or prepending to the existing content. Use this to add release notes, changelogs, or additional information to an existing release.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["tag", "operation", "body"],
-      "properties": {
-        "tag": {
-          "type": "string",
-          "description": "Release tag name (e.g., 'v1.0.0'). REQUIRED - must be provided explicitly as the tag cannot always be inferred from event context."
-        },
-        "operation": {
-          "type": "string",
-          "enum": ["replace", "append", "prepend"],
-          "description": "How to update the release body: 'replace' (completely overwrite), 'append' (add to end with separator), or 'prepend' (add to start with separator)."
-        },
-        "body": {
-          "type": "string",
-          "description": "Release body content in Markdown. For 'replace', this becomes the entire release body. For 'append'/'prepend', this is added with a separator."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "missing_tool",
-    "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["tool", "reason"],
-      "properties": {
-        "tool": {
-          "type": "string",
-          "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed."
-        },
-        "reason": {
-          "type": "string",
-          "description": "Explanation of why this tool is needed to complete the task (max 256 characters)."
-        },
-        "alternatives": {
-          "type": "string",
-          "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters)."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "noop",
-    "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["message"],
-      "properties": {
-        "message": {
-          "type": "string",
-          "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing')."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "link_sub_issue",
-    "description": "Link an issue as a sub-issue of a parent issue. Use this to establish parent-child relationships between issues for better organization and tracking of related work items.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["parent_issue_number", "sub_issue_number"],
-      "properties": {
-        "parent_issue_number": {
-          "type": ["number", "string"],
-          "description": "The parent issue number to link the sub-issue to."
-        },
-        "sub_issue_number": {
-          "type": ["number", "string"],
-          "description": "The issue number to link as a sub-issue of the parent."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "hide_comment",
-    "description": "Hide a comment on a GitHub issue, pull request, or discussion. This collapses the comment and marks it as spam, abuse, off-topic, outdated, or resolved. Use this for inappropriate, off-topic, or outdated comments. The comment_id must be a GraphQL node ID (string like 'IC_kwDOABCD123456'), not a numeric REST API comment ID.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["comment_id"],
-      "properties": {
-        "comment_id": {
-          "type": "string",
-          "description": "GraphQL node ID of the comment to hide (e.g., 'IC_kwDOABCD123456'). This is the GraphQL node ID, not the numeric comment ID from REST API. Can be obtained from GraphQL queries or comment API responses."
-        },
-        "reason": {
-          "type": "string",
-          "enum": ["SPAM", "ABUSE", "OFF_TOPIC", "OUTDATED", "RESOLVED"],
-          "description": "Optional reason for hiding the comment. Defaults to SPAM if not provided. Valid values: SPAM (spam content), ABUSE (abusive/harassment content), OFF_TOPIC (not relevant to discussion), OUTDATED (no longer applicable), RESOLVED (issue/question has been resolved)."
-        }
-      },
-      "additionalProperties": false
-    }
-  },
-  {
-    "name": "update_project",
-    "description": "Add or update items in GitHub Projects v2 boards. Can add issues/PRs to a project and update custom field values. Requires the project URL, content type (issue or pull_request), and content number. Use campaign_id to group related items.",
-    "inputSchema": {
-      "type": "object",
-      "required": ["project", "content_type", "content_number"],
-      "properties": {
-        "project": {
-          "type": "string",
-          "pattern": "^https://github\\.com/(orgs|users)/[^/]+/projects/\\d+$",
-          "description": "Full GitHub project URL (e.g., 'https://github.com/orgs/myorg/projects/42' or 'https://github.com/users/username/projects/5'). Project names or numbers alone are NOT accepted."
-        },
-        "content_type": {
-          "type": "string",
-          "enum": ["issue", "pull_request"],
-          "description": "Type of content to add to the project. Must be either 'issue' or 'pull_request'."
-        },
-        "content_number": {
-          "type": "number",
-          "description": "Issue or pull request number to add to the project (e.g., 123 for issue #123)."
-        },
-        "fields": {
-          "type": "object",
-          "description": "Custom field values to set on the project item (e.g., {'Status': 'In Progress', 'Priority': 'High'}). Field names must match custom fields defined in the project."
-        },
-        "campaign_id": {
-          "type": "string",
-          "description": "Campaign identifier to group related project items. Used to track items created by the same campaign or workflow run."
-        },
-        "create_if_missing": {
-          "type": "boolean",
-          "description": "Whether to create the project if it doesn't exist. Defaults to false. Requires projects:write permission when true."
-        }
-      },
-      "additionalProperties": false
-    }
-  }
-]
diff --git a/actions/setup-safe-outputs/js/safe_outputs_tools_loader.cjs b/actions/setup-safe-outputs/js/safe_outputs_tools_loader.cjs
deleted file mode 100644
index 69eb19e315d..00000000000
--- a/actions/setup-safe-outputs/js/safe_outputs_tools_loader.cjs
+++ /dev/null
@@ -1,165 +0,0 @@
-// @ts-check
-
-const fs = require("fs");
-
-/**
- * Load tools from tools.json file
- * @param {Object} server - The MCP server instance for logging
- * @returns {Array} Array of tool definitions
- */
-function loadTools(server) {
-  const toolsPath = process.env.GH_AW_SAFE_OUTPUTS_TOOLS_PATH || "/tmp/gh-aw/safeoutputs/tools.json";
-  let ALL_TOOLS = [];
-
-  server.debug(`Reading tools from file: ${toolsPath}`);
-
-  try {
-    if (fs.existsSync(toolsPath)) {
-      server.debug(`Tools file exists at: ${toolsPath}`);
-      const toolsFileContent = fs.readFileSync(toolsPath, "utf8");
-      server.debug(`Tools file content length: ${toolsFileContent.length} characters`);
-      server.debug(`Tools file read successfully, attempting to parse JSON`);
-      ALL_TOOLS = JSON.parse(toolsFileContent);
-      server.debug(`Successfully parsed ${ALL_TOOLS.length} tools from file`);
-    } else {
-      server.debug(`Tools file does not exist at: ${toolsPath}`);
-      server.debug(`Using empty tools array`);
-      ALL_TOOLS = [];
-    }
-  } catch (error) {
-    server.debug(`Error reading tools file: ${error instanceof Error ? error.message : String(error)}`);
-    server.debug(`Falling back to empty tools array`);
-    ALL_TOOLS = [];
-  }
-
-  return ALL_TOOLS;
-}
-
-/**
- * Attach handlers to tools
- * @param {Array} tools - Array of tool definitions
- * @param {Object} handlers - Object containing handler functions
- * @returns {Array} Tools with handlers attached
- */
-function attachHandlers(tools, handlers) {
-  tools.forEach(tool => {
-    if (tool.name === "create_pull_request") {
-      tool.handler = handlers.createPullRequestHandler;
-    } else if (tool.name === "push_to_pull_request_branch") {
-      tool.handler = handlers.pushToPullRequestBranchHandler;
-    } else if (tool.name === "upload_asset") {
-      tool.handler = handlers.uploadAssetHandler;
-    }
-  });
-  return tools;
-}
-
-/**
- * Register predefined tools based on configuration
- * @param {Object} server - The MCP server instance
- * @param {Array} tools - Array of tool definitions
- * @param {Object} config - Safe outputs configuration
- * @param {Function} registerTool - Function to register a tool
- * @param {Function} normalizeTool - Function to normalize tool names
- */
-function registerPredefinedTools(server, tools, config, registerTool, normalizeTool) {
-  tools.forEach(tool => {
-    if (Object.keys(config).find(configKey => normalizeTool(configKey) === tool.name)) {
-      registerTool(server, tool);
-    }
-  });
-}
-
-/**
- * Register dynamic safe-job tools based on configuration
- * @param {Object} server - The MCP server instance
- * @param {Array} tools - Array of predefined tool definitions
- * @param {Object} config - Safe outputs configuration
- * @param {string} outputFile - Path to the output file
- * @param {Function} registerTool - Function to register a tool
- * @param {Function} normalizeTool - Function to normalize tool names
- */
-function registerDynamicTools(server, tools, config, outputFile, registerTool, normalizeTool) {
-  Object.keys(config).forEach(configKey => {
-    const normalizedKey = normalizeTool(configKey);
-
-    // Skip if it's already a predefined tool
-    if (server.tools[normalizedKey]) {
-      return;
-    }
-
-    // Check if this is a safe-job (not in ALL_TOOLS)
-    if (!tools.find(t => t.name === normalizedKey)) {
-      const jobConfig = config[configKey];
-
-      // Create a dynamic tool for this safe-job
-      const dynamicTool = {
-        name: normalizedKey,
-        description: jobConfig && jobConfig.description ? jobConfig.description : `Custom safe-job: ${configKey}`,
-        inputSchema: {
-          type: "object",
-          properties: {},
-          additionalProperties: true, // Allow any properties for flexibility
-        },
-        handler: args => {
-          // Create a generic safe-job output entry
-          const entry = {
-            type: normalizedKey,
-            ...args,
-          };
-
-          // Write the entry to the output file in JSONL format
-          // CRITICAL: Use JSON.stringify WITHOUT formatting parameters for JSONL format
-          // Each entry must be on a single line, followed by a newline character
-          const entryJSON = JSON.stringify(entry);
-          fs.appendFileSync(outputFile, entryJSON + "\n");
-
-          // Use output from safe-job config if available
-          const outputText = jobConfig && jobConfig.output ? jobConfig.output : `Safe-job '${configKey}' executed successfully with arguments: ${JSON.stringify(args)}`;
-
-          return {
-            content: [
-              {
-                type: "text",
-                text: JSON.stringify({ result: outputText }),
-              },
-            ],
-          };
-        },
-      };
-
-      // Add input schema based on job configuration if available
-      if (jobConfig && jobConfig.inputs) {
-        dynamicTool.inputSchema.properties = {};
-        dynamicTool.inputSchema.required = [];
-
-        Object.keys(jobConfig.inputs).forEach(inputName => {
-          const inputDef = jobConfig.inputs[inputName];
-          const propSchema = {
-            type: inputDef.type || "string",
-            description: inputDef.description || `Input parameter: ${inputName}`,
-          };
-
-          if (inputDef.options && Array.isArray(inputDef.options)) {
-            propSchema.enum = inputDef.options;
-          }
-
-          dynamicTool.inputSchema.properties[inputName] = propSchema;
-
-          if (inputDef.required) {
-            dynamicTool.inputSchema.required.push(inputName);
-          }
-        });
-      }
-
-      registerTool(server, dynamicTool);
-    }
-  });
-}
-
-module.exports = {
-  loadTools,
-  attachHandlers,
-  registerPredefinedTools,
-  registerDynamicTools,
-};

From d156322ee52e50065c01f9e49e7e75a869c7cd42 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 07:46:55 +0000
Subject: [PATCH 5/5] Completed: Replace index.js file copying with bash script

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/daily-team-status.lock.yml |  4 ++--
 .github/workflows/lockfile-stats.lock.yml    |  7 ++++++-
 .github/workflows/smoke-copilot.lock.yml     | 14 ++++++++++++--
 pkg/cli/actions_build_command.go             |  2 +-
 pkg/workflow/compiler_activation_jobs.go     |  4 ++--
 5 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml
index 6557d1cd221..8437d7d22a2 100644
--- a/.github/workflows/daily-team-status.lock.yml
+++ b/.github/workflows/daily-team-status.lock.yml
@@ -58,7 +58,7 @@ jobs:
       comment_repo: ""
     steps:
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: githubnext/gh-aw/actions/setup-activation@0d13659-dirty
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6473,7 +6473,7 @@ jobs:
       activated: ${{ steps.check_stop_time.outputs.stop_time_ok == 'true' }}
     steps:
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@d57d309
+        uses: githubnext/gh-aw/actions/setup-activation@0d13659-dirty
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check stop-time limit
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index c554ae67e68..7e4a180bc3e 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -48,8 +48,13 @@ jobs:
       comment_id: ""
       comment_repo: ""
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@da672d6-dirty
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 395d4585ede..2c1dee828d7 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -58,8 +58,13 @@ jobs:
       comment_url: ${{ steps.react.outputs.comment-url }}
       reaction_id: ${{ steps.react.outputs.reaction-id }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@da672d6-dirty
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check workflow file timestamps
@@ -6603,8 +6608,13 @@ jobs:
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          sparse-checkout: |
+            actions
       - name: Setup Activation Scripts
-        uses: githubnext/gh-aw/actions/setup-activation@da672d6-dirty
+        uses: ./actions/setup-activation
         with:
           destination: /tmp/gh-aw/actions/activation
       - name: Check team membership for workflow
diff --git a/pkg/cli/actions_build_command.go b/pkg/cli/actions_build_command.go
index 38fb2838d08..f59ddac4a57 100644
--- a/pkg/cli/actions_build_command.go
+++ b/pkg/cli/actions_build_command.go
@@ -182,7 +182,7 @@ func validateActionYml(actionPath string) error {
 	// Check that it's either a node20 or composite action
 	isNode20 := strings.Contains(contentStr, "using: 'node20'") || strings.Contains(contentStr, "using: \"node20\"")
 	isComposite := strings.Contains(contentStr, "using: 'composite'") || strings.Contains(contentStr, "using: \"composite\"")
-	
+
 	if !isNode20 && !isComposite {
 		return fmt.Errorf("action must use either 'node20' or 'composite' runtime")
 	}
diff --git a/pkg/workflow/compiler_activation_jobs.go b/pkg/workflow/compiler_activation_jobs.go
index aa6b1f75abf..59ebc85102e 100644
--- a/pkg/workflow/compiler_activation_jobs.go
+++ b/pkg/workflow/compiler_activation_jobs.go
@@ -34,7 +34,7 @@ func (c *Compiler) buildPreActivationJob(data *WorkflowData, needsPermissionChec
 			steps = append(steps, "          sparse-checkout: |\n")
 			steps = append(steps, "            actions\n")
 		}
-		
+
 		steps = append(steps, "      - name: Setup Activation Scripts\n")
 		steps = append(steps, fmt.Sprintf("        uses: %s\n", setupActivationActionRef))
 		steps = append(steps, "        with:\n")
@@ -347,7 +347,7 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate
 			steps = append(steps, "          sparse-checkout: |\n")
 			steps = append(steps, "            actions\n")
 		}
-		
+
 		steps = append(steps, "      - name: Setup Activation Scripts\n")
 		steps = append(steps, fmt.Sprintf("        uses: %s\n", setupActivationActionRef))
 		steps = append(steps, "        with:\n")