[plan] Roll out verified Copilot CLI installation to all affected workflows

[github-actions]

Objective

Apply the verified Copilot CLI installation method (developed in the previous task) to all 20+ workflows that currently use unverified script execution.

Context

After developing and testing the secure installation method, this task rolls it out across the repository. Each affected workflow has TWO occurrences of the installation pattern:

1. Initial installation step
2. Cleanup/teardown step

Prerequisites

• Verified installation method tested and documented (from previous sub-issue)
• List of affected workflows prepared

Known Affected Workflows (Sample)

Based on the scan report, at minimum:

• smoke-copilot.md (2 locations)
• daily-news.md (2 locations)
• dev.md (2 locations)
• research.md (2 locations)
• q.md (2 locations)
• plan.md (2 locations)
• mergefest.md (2 locations)
• tidy.md (2 locations)
• archie.md (2 locations)

Note: Historical data suggests 40+ total occurrences across 27+ workflows.

Implementation Steps

1. Get complete list of affected workflows using grep:

   grep -r "curl.*copilot-install" .github/workflows/*.md

2. For each workflow, update BOTH installation locations
3. Run make recompile after each batch of changes
4. Test a representative sample of updated workflows
5. Run full static analysis to verify all warnings resolved

Acceptance Criteria

• All Copilot CLI installations use checksum verification
• All workflows successfully recompiled (make recompile)
• Representative sample tested and working
• Poutine scan shows zero unverified_script_exec warnings
• No regression in workflow functionality
  Related to [plan] Security remediation: Fix static analysis findings from December 16, 2024 #6672

AI generated by Plan Command for discussion #6670