chore: recompile smoke-project workflow lock file #14456

Merged
mnkiefer merged 2 commits into mnkiefer-patch-smoke from copilot/sub-pr-14455
Feb 8, 2026

Copilot AI commented Feb 8, 2026

Regenerated smoke-project.lock.yml from the updated markdown source to sync the compiled workflow with recent frontmatter changes.

Changes:

  • Recompiled workflow lock file via make recompile
  • Updated frontmatter hash to reflect current markdown configuration
  • Applied pull request trigger with label filtering
  • Updated concurrency group to be PR-specific
  • Added workflow run comment step with safe-output messages
  • Switched engine validation from CODEX to COPILOT

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Update smoke-project workflow chore: recompile smoke-project workflow lock file Feb 8, 2026
Copilot AI requested a review from mnkiefer February 8, 2026 05:09
@mnkiefer mnkiefer marked this pull request as ready for review February 8, 2026 06:55
Copilot AI review requested due to automatic review settings February 8, 2026 06:55
@mnkiefer mnkiefer merged commit 8ea105a into mnkiefer-patch-smoke Feb 8, 2026
1 check passed
@mnkiefer mnkiefer deleted the copilot/sub-pr-14455 branch February 8, 2026 06:56

Copilot AI left a comment

Pull request overview

This PR regenerates the compiled smoke-project.lock.yml workflow to align with recent frontmatter/engine updates, adding PR label-trigger activation and switching the agent engine from Codex to GitHub Copilot CLI.

Changes:

  • Recompiled the workflow lock file with updated frontmatter hash and refreshed generated sections.
  • Added pull_request trigger (label-based) with PR-specific concurrency and a pre-activation membership gate.
  • Switched execution/validation from Codex to GitHub Copilot CLI and expanded safe-output tooling (comments/labels/PR creation).

"maxLength": 65000
},
"branch": {
"required": true,

Copilot AI Feb 8, 2026

In the generated safe-outputs validation config, create_pull_request.fields.branch is marked as required: true, but the safe-outputs MCP tool schema (and tests in actions/setup/js/safe_outputs_mcp_server_defaults.test.cjs) explicitly treat branch as optional (it can default to the current branch). Requiring it here will cause collect_ndjson_output/validation to reject valid create_pull_request messages that omit branch.

Adjust the generated validation.json for create_pull_request so branch is not required (or ensure the tool schema and handler behavior are updated to match, but today they expect it optional).

Suggested change
"required": true,

GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_project_status_update\":{\"github-token\":\"${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}\",\"max\":1,\"project\":\"https://github.com/orgs/githubnext/projects/146\"},\"missing_data\":{},\"missing_tool\":{},\"update_project\":{\"github-token\":\"${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}\",\"max\":20,\"project\":\"https://github.com/orgs/githubnext/projects/146\",\"views\":[{\"name\":\"Smoke Test Board\",\"layout\":\"board\",\"filter\":\"is:open\"},{\"name\":\"Smoke Test Table\",\"layout\":\"table\"}]}}"
GH_AW_PROJECT_URL: "https://github.com/orgs/githubnext/projects/146"
GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":2},\"add_labels\":{\"allowed\":[\"smoke-project\"]},\"create_issue\":{\"close_older_issues\":true,\"expires\":2,\"group\":true,\"max\":1},\"create_project_status_update\":{\"github-token\":\"${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}\",\"max\":1,\"project\":\"https://github.com/orgs/github-agentic-workflows/projects/1\"},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"if_no_changes\":\"warn\",\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[smoke-project] \"},\"missing_data\":{},\"missing_tool\":{},\"remove_labels\":{\"allowed\":[\"smoke-project\"]},\"update_project\":{\"github-token\":\"${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}\",\"max\":20,\"project\":\"https://github.com/orgs/github-agentic-workflows/projects/1\",\"views\":[{\"name\":\"Smoke Test Board\",\"layout\":\"board\",\"filter\":\"is:open\"}]}}"
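
Review bot: on the last line of this hunk the handler config interpolates `${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}` directly into the JSON string, under both create_project_status_update and update_project, so the token value becomes part of a configuration blob instead of staying in its own secret variable. A value containing a quote or backslash would produce invalid JSON, and any code that writes this config to a file or re-encodes it carries the token along with it. Consider passing the token in a separate environment variable and having the config refer to it by name.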

Copilot AI Feb 8, 2026

create_pull_request is configured with base_branch set to ${{ github.ref_name }}. For pull_request events, github.ref_name resolves to a PR ref (e.g. 123/merge), not the repository base branch, which will cause create_pull_request handling to fail if that tool is used in PR-triggered runs.

Consider setting base_branch to ${{ github.event.pull_request.base.ref }} for PR events (and falling back to ${{ github.ref_name }} or ${{ github.event.repository.default_branch }} for workflow_dispatch), so the base branch is always a real branch name.

Suggested change
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":2},\"add_labels\":{\"allowed\":[\"smoke-project\"]},\"create_issue\":{\"close_older_issues\":true,\"expires\":2,\"group\":true,\"max\":1},\"create_project_status_update\":{\"github-token\":\"${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}\",\"max\":1,\"project\":\"https://github.com/orgs/github-agentic-workflows/projects/1\"},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"if_no_changes\":\"warn\",\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[smoke-project] \"},\"missing_data\":{},\"missing_tool\":{},\"remove_labels\":{\"allowed\":[\"smoke-project\"]},\"update_project\":{\"github-token\":\"${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}\",\"max\":20,\"project\":\"https://github.com/orgs/github-agentic-workflows/projects/1\",\"views\":[{\"name\":\"Smoke Test Board\",\"layout\":\"board\",\"filter\":\"is:open\"}]}}"
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":2},\"add_labels\":{\"allowed\":[\"smoke-project\"]},\"create_issue\":{\"close_older_issues\":true,\"expires\":2,\"group\":true,\"max\":1},\"create_project_status_update\":{\"github-token\":\"${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}\",\"max\":1,\"project\":\"https://github.com/orgs/github-agentic-workflows/projects/1\"},\"create_pull_request\":{\"base_branch\":\"${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || github.ref_name }}\",\"if_no_changes\":\"warn\",\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[smoke-project] \"},\"missing_data\":{},\"missing_tool\":{},\"remove_labels\":{\"allowed\":[\"smoke-project\"]},\"update_project\":{\"github-token\":\"${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}\",\"max\":20,\"project\":\"https://github.com/orgs/github-agentic-workflows/projects/1\",\"views\":[{\"name\":\"Smoke Test Board\",\"layout\":\"board\",\"filter\":\"is:open\"}]}}"

Comment on lines +1536 to +1539
# Re-authenticate git with GitHub token
SERVER_URL_STRIPPED="${SERVER_URL#https://}"
git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
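
Review bot: `SERVER_URL_STRIPPED="${SERVER_URL#https://}"` strips only an `https://` prefix, so a server URL that starts with `http://` is spliced into the remote on the next line unchanged and produces a malformed URL with the token in front of it. The token is also passed as a command-line argument to `git remote set-url`, where shell tracing would print it. Check the scheme before building the URL and fail the step if it is not the expected one.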

Copilot AI Feb 8, 2026

This step persists ${{ github.token }} into .git/config by rewriting the origin URL to include x-access-token:.... That defeats the safety of persist-credentials: false and increases the chance of accidental token exposure (e.g., via later logs, debug output, or unintended artifact packaging of the workspace).

Prefer an authentication method that does not store the token in the remote URL (e.g., use a one-off git -c http.extraheader=... for push/fetch, or provide credentials via an askpass helper). If you do need to persist credentials, scope it tightly and ensure nothing ever uploads the repository (or .git/) as an artifact.

Suggested change
# Re-authenticate git with GitHub token
SERVER_URL_STRIPPED="${SERVER_URL#https://}"
git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
# Configure non-persistent Git authentication via GIT_ASKPASS
cat > /tmp/gh-askpass.sh << EOF
#!/usr/bin/env bash
case "\$1" in
*Username*) echo "x-access-token" ;;
*Password*) echo "${GIT_TOKEN}" ;;
esac
EOF
chmod 700 /tmp/gh-askpass.sh
echo "GIT_ASKPASS=/tmp/gh-askpass.sh" >> "$GITHUB_ENV"
echo "GIT_TERMINAL_PROMPT=0" >> "$GITHUB_ENV"
echo "Git configured with standard GitHub Actions identity and non-persistent credentials"
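
Review bot: the heredoc delimiter in `cat > /tmp/gh-askpass.sh << EOF` is unquoted, so `${GIT_TOKEN}` on the `*Password*` line is expanded when the file is written and the literal token is stored in /tmp/gh-askpass.sh; the credential is still persisted on disk, only outside .git/config. The file is also created at a fixed path with default permissions and restricted by `chmod 700` only afterwards. Quote the delimiter (`<< 'EOF'`), drop the backslash on `\$1`, and have the script print `$GIT_TOKEN` from its environment at run time; create the file with `mktemp` under a restrictive umask.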
