Ensure workspace directory is accessible to copilot engine in threat detection job

[Copilot]

Problem

The threat detection job was unable to access workspace files when using the copilot engine. This occurred because:

1. The detection job lacked a checkout step to populate $GITHUB_WORKSPACE
2. The copilot CLI command only included --add-dir /tmp/ without the workspace directory

This meant the copilot engine in the detection job could not analyze repository files during threat detection, limiting its ability to understand the codebase context.

Solution

This PR adds workspace access to the copilot engine in two ways:

1. Added Checkout Step to Detection Job

The threat detection job now checks out the repository before running analysis:

detection:
  steps:
    - name: Checkout repository
      uses: actions/checkout@v5
    - name: Download agent output artifact
      # ...

2. Added Workspace Directory to Copilot CLI Arguments

The copilot engine now includes $GITHUB_WORKSPACE in its --add-dir arguments:

copilot --add-dir /tmp/ --add-dir "$GITHUB_WORKSPACE" --log-level all ...

This change applies to both the main agent job and the threat detection job, ensuring consistent workspace access across all copilot executions.

Testing

• ✅ All existing tests pass
• ✅ Updated copilot engine tests to verify workspace directory argument
• ✅ Recompiled all affected workflows successfully
• ✅ Verified generated workflow YAML includes both changes

Impact

This fix enables the threat detection job to properly analyze repository files when using the copilot engine, improving the security analysis capabilities of agentic workflows.

Original prompt

Ensure workspace dir is the in --add-dir in the copilot engine for the detection job

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[pelikhan]

Test https://github.com/githubnext/gh-aw/discussions/1212