chore: upgrade all workflows to gh-aw v0.68.7

[lpcox]

Summary

Upgrades all agentic workflows to gh-aw v0.68.7.

Changes

• gh-aw setup actions: v0.68.1 → v0.68.7
• gh-aw-actions/setup: v0.68.4 → v0.68.7
• actions/github-script: v8/v9 → v9.0.0
• softprops/action-gh-release: v2.6.1 → v3.0.0
• 17 container images pinned with digest hashes
• All 30 lock files recompiled and post-processed

Post-processing applied

• Local build steps injected for CI testing
• BYOK model fallback fixed (empty string → env.COPILOT_MODEL)
• Session state dir, excluded tools, services blocks injected where needed
• Cache-memory TTL and security scanning steps injected

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	84.33%	84.41%	📈 +0.08%
Statements	83.56%	83.64%	📈 +0.08%
Functions	87.39%	87.39%	➡️ +0.00%
Branches	74.78%	74.82%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	86.8% → 87.1% (+0.30%)	86.4% → 86.7% (+0.29%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Upgrades the repository’s agentic GitHub Actions workflows to gh-aw v0.68.7, including updated setup actions, pinned container images, and regenerated .lock.yml outputs to match the new compiler/runtime behavior.

Changes:

• Bump gh-aw compiler/setup versions across workflow lock files and refresh pinned action SHAs/container digests.
• Update workflow runtime behavior (e.g., Copilot/Codex execution wiring, new error detection step, base-branch agent config save/restore).
• Regenerate lock manifests and .github/aw/actions-lock.json for the new action/container pins.

Show a summary per file

File	Description
.github/workflows/update-release-notes.lock.yml	Recompiled lock workflow with updated gh-aw/setup pins, container digests, and runtime/script adjustments.
.github/workflows/smoke-codex.lock.yml	Recompiled Codex smoke workflow; updates pins and MCP gateway startup/config paths.
.github/workflows/security-review.lock.yml	Recompiled daily security review workflow; updates pins and runtime steps.
.github/workflows/plan.lock.yml	Recompiled /plan workflow; updates pins and runtime steps.
.github/workflows/firewall-issue-dispatcher.lock.yml	Recompiled dispatcher; updates pins and runtime steps (incl. CLI proxy image).
.github/workflows/copilot-token-usage-analyzer.lock.yml	Recompiled analyzer; updates pins and runtime steps.
.github/workflows/copilot-token-optimizer.lock.yml	Recompiled optimizer; updates pins and runtime steps.
.github/workflows/cli-flag-consistency-checker.lock.yml	Recompiled scheduled checker; updates pins and runtime steps.
.github/workflows/claude-token-usage-analyzer.lock.yml	Recompiled analyzer; updates pins and runtime steps.
.github/workflows/ci-cd-gaps-assessment.lock.yml	Recompiled assessment workflow; updates pins and adds pinned alpine digest.
.github/aw/actions-lock.json	Updates pinned action SHAs and adds a container digest map used by workflows.
.github/agents/agentic-workflows.agent.md	Updates gh-aw documentation links to v0.68.7.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 31/31 changed files
• Comments generated: 6

[Copilot]

The Codex MCP config is being written to ${RUNNER_TEMP}/gh-aw/mcp-config/config.toml, but later the job sets CODEX_HOME=/tmp/gh-aw/mcp-config and runs codex ... without explicitly pointing it at this config file. If Codex resolves its config relative to CODEX_HOME (common behavior), it won’t find the generated config and MCP integration may silently break. Write the config into $CODEX_HOME/config.toml (or align CODEX_HOME to the RUNNER_TEMP path / explicitly pass the config path to Codex).

Suggested change

	cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_60f188872c24321c_EOF
	cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_60f188872c24321c_EOF

[Copilot]

This cron schedule changed (previously a different minute/hour). Since this PR is described as a version upgrade, please confirm the new run time is intentional; otherwise keep the prior cron expression to avoid shifting when the workflow executes.

[Copilot]

This cron schedule changed (previously a different minute). Please confirm the new run time is intentional; otherwise keep the prior cron expression to avoid unexpected shifts in when this daily security workflow runs.

[Copilot]

This cron schedule changed significantly (previously a different time of day). Please confirm the new run time is intentional; otherwise keep the prior cron expression so the analyzer continues to run at the expected time.

[Copilot]

This cron schedule changed significantly (previously a different time of day). Since this PR is primarily a gh-aw version upgrade, please confirm the new run time is intentional; otherwise keep the prior cron to avoid unexpected shifts in reporting cadence.

[Copilot]

This cron schedule changed (previously a different minute). Please confirm this is intentional; otherwise keep the prior cron expression to avoid shifting when the dispatcher runs.

[github-actions]

Smoke Test Results ✅ PASS

Test	Result
GitHub MCP (last 2 PRs: "Fix BYOK smoke workflow..." / "chore: upgrade all workflows to gh-aw v0.68.6")	✅
Playwright (github.com title contains "GitHub")	✅
File write (smoke-test-claude-24549105731.txt)	✅
Bash verify (cat confirms content)	✅

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) — PASS ✅

Test	Result
GitHub MCP (list merged PRs)	✅ Retrieved PR #2050: chore: upgrade all workflows to gh-aw v0.68.7
GitHub.com connectivity	✅
File write/read	✅
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.
cc @lpcox

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔥 Smoke Test Results — Copilot Engine

PR: chore: upgrade all workflows to gh-aw v0.68.7 (by @lpcox, no assignees)

Test	Result
GitHub MCP (github-list_pull_requests)	❌ Tool not available in this session
GitHub.com connectivity (HTTP 200)	✅
File write/read (smoke-test-copilot-24549105709.txt)	✅

Overall: PARTIAL PASS — GitHub.com and file I/O verified; MCP tool not available.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed:

Check	Result
Redis PING (host.docker.internal:6379)	✅ PONG
PostgreSQL ready (host.docker.internal:5432)	✅ accepting connections
PostgreSQL SELECT 1 (smoketest db)	✅ Returns 1

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2050 · ● 646K · ◷

[github-actions]

Smoke Test Report

PR titles: "Fix BYOK smoke workflow COPILOT_MODEL fallback override in postprocessing"; "fix: allow package.json/lock in dep security monitor PRs"
GitHub MCP review: ✅
safeinputs-gh PR query: ❌
Playwright github.com title check: ✅
Tavily search: ❌
File write/read + bash cat: ✅
Discussion query + oracle comment: ❌
Build (npm ci && npm run build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex