chore: upgrade workflows

[veverkap]

Greptile Summary

This PR upgrades the gh-aw (GitHub Agentic Workflows) tooling from v0.71.5 to v0.74.4 across 23 auto-generated workflow and lock files, and adds a new forecast maintenance operation.

• All gh-aw-actions/setup and gh-aw-actions/setup-cli action pins are updated to the new SHA for v0.74.4, and agentics-maintenance.yml gains a forecast_report job and the forecast enum value across its dispatch inputs.
• The lock files gain several runtime improvements: better Docker socket path resolution via DOCKER_HOST, OpenTelemetry parent/span-id propagation, enableTokenSteering in the API proxy config, and a new GH_AW_MAX_EFFECTIVE_TOKENS cap.
• Several container images in the new manifests — gh-aw-firewall/agent, api-proxy, squid, and github-mcp-server — are now referenced by tag only, dropping the @sha256: digest pins that were present in the v0.71.5 manifests.

Confidence Score: 4/5

Safe to merge for functional changes; the dropped container digest pins are worth resolving before this pattern spreads further.

The workflow upgrade is straightforward and the auto-generated files match the new tooling version. The one concrete concern is that four container images — the gh-aw-firewall trio and github-mcp-server — are now referenced by mutable tag rather than the immutable digest pins that existed in the previous version. Everything else (action SHA pins, CLI versions, new forecast job logic) looks consistent and correct.

All regenerated .lock.yml files that reference ghcr.io/github/gh-aw-firewall/ or ghcr.io/github/github-mcp-server images without @sha256: digests.

Security Review

• Missing container digest pins (code-simplifier.lock.yml and all other regenerated .lock.yml files): ghcr.io/github/gh-aw-firewall/agent:0.25.46, api-proxy:0.25.46, squid:0.25.46, and ghcr.io/github/github-mcp-server:v1.0.4 are now pulled by mutable tag rather than immutable SHA digest. If any of these tags are reassigned (accidentally or maliciously), the change would not be caught by the lock file. Previous versions of these same images carried @sha256: pins.

Important Files Changed

Filename	Overview
.github/aw/actions-lock.json	Updates gh-aw-actions SHA pins from v0.71.5 to v0.74.4, updates actions/github-script@v9 SHA, and adds newline at end of file.
.github/workflows/agentics-maintenance.yml	Upgrades all gh-aw-actions setup/setup-cli pins to v0.74.4, adds new forecast operation enum value and forecast_report job, and updates run_operation conditional to exclude forecast.
.github/workflows/code-simplifier.lock.yml	Auto-generated file bumped to v0.74.4; container images for gh-aw-firewall/agent, api-proxy, squid, and github-mcp-server are now referenced by tag only without SHA digest pins (regression from v0.71.5 where all had digests).
.github/workflows/daily-malicious-code-scan.lock.yml	Auto-generated version bump to v0.74.4; same pattern of missing digest pins for firewall container images.
.github/workflows/daily-security-red-team.lock.yml	Auto-generated version bump to v0.74.4 for the security red team workflow; firewall container images lack SHA digest pins.
.github/workflows/go-fan.lock.yml	Auto-generated version bump to v0.74.4; firewall container images missing SHA digest pins.
.github/workflows/update-docs.lock.yml	Auto-generated version bump to v0.74.4; firewall container images missing SHA digest pins.

Sequence Diagram

sequenceDiagram
    participant User as User / Scheduler
    participant Dispatch as workflow_dispatch / workflow_call
    participant PreAct as pre_activation job
    participant RunOp as run_operation job
    participant Forecast as forecast_report job (NEW)
    participant GH as GitHub API

    User->>Dispatch: "operation = "forecast""
    Dispatch->>PreAct: "validate permissions & setup trace"
    PreAct->>RunOp: "operation check → excluded by new inputs.operation != 'forecast' guard"
    Note over RunOp: Skipped — forecast is excluded
    PreAct->>Forecast: "operation == 'forecast' → runs"
    Forecast->>Forecast: checkout repo
    Forecast->>Forecast: setup gh-aw-actions v0.74.4
    Forecast->>Forecast: check admin/maintainer permissions
    Forecast->>Forecast: install gh-aw CLI v0.74.4
    Forecast->>Forecast: restore forecast logs cache
    Forecast->>Forecast: gh aw logs (last 30d, 1500 runs)
    Forecast->>Forecast: gh aw forecast --json → .cache/gh-aw/forecast/report.json
    Forecast->>Forecast: save forecast logs cache
    Forecast->>GH: create_forecast_issue.cjs → open GitHub Issue with report

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/workflows/code-simplifier.lock.yml:2
**Container images missing SHA digest pins**

Several container images introduced in this upgrade no longer include `@sha256:` digest pins, unlike the previous version. In the old manifest, `ghcr.io/github/gh-aw-firewall/agent:0.25.40`, `api-proxy:0.25.40`, `squid:0.25.40`, and `ghcr.io/github/github-mcp-server:v1.0.3` all carried explicit digests; their replacements (`0.25.46` and `v1.0.4`) do not. This means the tag could be silently reassigned to a different image layer without triggering any lockfile change, undermining the supply-chain guarantees the rest of this infrastructure is designed to provide. The same pattern appears in the other regenerated `.lock.yml` files.

_{Reviews (1): Last reviewed commit: "chore: recompile" | Re-trigger Greptile}

Greptile also left 1 inline comment on this PR.

[greptile-apps]

Container images missing SHA digest pins

Several container images introduced in this upgrade no longer include @sha256: digest pins, unlike the previous version. In the old manifest, ghcr.io/github/gh-aw-firewall/agent:0.25.40, api-proxy:0.25.40, squid:0.25.40, and ghcr.io/github/github-mcp-server:v1.0.3 all carried explicit digests; their replacements (0.25.46 and v1.0.4) do not. This means the tag could be silently reassigned to a different image layer without triggering any lockfile change, undermining the supply-chain guarantees the rest of this infrastructure is designed to provide. The same pattern appears in the other regenerated .lock.yml files.

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/code-simplifier.lock.yml
Line: 2

Comment:
**Container images missing SHA digest pins**

Several container images introduced in this upgrade no longer include `@sha256:` digest pins, unlike the previous version. In the old manifest, `ghcr.io/github/gh-aw-firewall/agent:0.25.40`, `api-proxy:0.25.40`, `squid:0.25.40`, and `ghcr.io/github/github-mcp-server:v1.0.3` all carried explicit digests; their replacements (`0.25.46` and `v1.0.4`) do not. This means the tag could be silently reassigned to a different image layer without triggering any lockfile change, undermining the supply-chain guarantees the rest of this infrastructure is designed to provide. The same pattern appears in the other regenerated `.lock.yml` files.

How can I resolve this? If you propose a fix, please make it concise.

[Copilot]

Pull request overview

Upgrades the repository’s agentic workflow infrastructure (gh-aw compiler/runtime versions, container images, and workflow templates), and introduces new shared imports and scheduled workflows to expand automation (file-size hygiene, caveman optimization, maintenance forecasting).

Changes:

• Bumps generated .lock.yml workflows to gh-aw v0.74.4 / AWF v0.25.46 / MCPG v0.3.9 and updates related runtime wiring.
• Adds new shared workflow imports for skipping duplicates, OTLP observability, and safe-outputs GitHub App configuration.
• Adds new scheduled workflows (daily-file-diet, daily-caveman-optimizer) and extends agentics-maintenance.yml with a new forecast operation.

Show a summary per file

File	Description
.github/workflows/update-docs.lock.yml	Regenerated locked workflow with upgraded gh-aw/AWF/MCP components and updated runtime behavior.
.github/workflows/shared/skip-if-issue-open.md	New shared skip guard to prevent duplicate scheduled issues/PRs by title-prefix search.
.github/workflows/shared/safe-output-app.md	New shared import intended to centralize safe-outputs GitHub App credentials.
.github/workflows/shared/otlp.md	New OTLP observability config (network allowlist + endpoints/headers).
.github/workflows/shared/otel.md	New wrapper import intended to enable OTLP observability via a shared include.
.github/workflows/go-fan.md	Updates source pin and adds explicit emoji metadata in frontmatter.
.github/workflows/daily-security-red-team.lock.yml	Regenerated locked workflow with upgraded gh-aw/AWF/MCP components and updated runtime behavior.
.github/workflows/daily-malicious-code-scan.lock.yml	Regenerated locked workflow with upgraded gh-aw/AWF/MCP components and updated runtime behavior.
.github/workflows/daily-grumpy-reviewer.lock.yml	Regenerated locked workflow with upgraded gh-aw/AWF/MCP components and updated runtime behavior.
.github/workflows/daily-file-diet.md	New daily agentic workflow definition to report oversized Go files (refactoring hygiene).
.github/workflows/daily-caveman-optimizer.md	New daily workflow to compress/optimize instruction files in .github/aw and .github/agents.
.github/workflows/agentics-maintenance.yml	Regenerated maintenance workflow and adds new forecast operation/job.
.github/aw/actions-lock.json	Updates action pins for gh-aw actions and actions/github-script major reference.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (3)

.github/workflows/shared/otel.md:18

• shared/otel.md currently imports shared/observability-otlp.md, but that file is empty in this repo, so importing shared/otel.md won’t actually enable any OTLP/network config. Point otel.md at the real OTLP config file (e.g., shared/otlp.md) or populate shared/observability-otlp.md so the import has an effect.

imports:
  - shared/observability-otlp.md
---

.github/workflows/daily-file-diet.md:226

• The instructions reference make test-unit, but the repo Makefile exposes make test (and no test-unit target). Update the workflow’s suggested commands to match the repo’s actual Make targets so the agent’s guidance is actionable.

3. **Add Tests First**: Write tests for each new file before refactoring
4. **Incremental Changes**: Split one module at a time
5. **Run Tests Frequently**: Verify `make test-unit` passes after each split

.github/workflows/daily-file-diet.md:238

• The acceptance criteria mention make build, but this repo’s Makefile doesn’t define a build target (it has make all, make test, make lint, etc.). Please update the referenced command(s) to ones that actually exist in this repository.

- [ ] No breaking changes to public API
- [ ] Code passes linting (`make lint`)
- [ ] Build succeeds (`make build`)

• Files reviewed: 23/23 changed files
• Comments generated: 7