Add CI check to prevent release-compiled lock files

[Copilot]

Lock files (.lock.yml) in the repository must be compiled with dev builds, not release builds. Release builds inject version numbers into headers (gh-aw (v1.0.0)) which should only appear in distributed binaries, not source-controlled workflows.

Changes

• New validation step in validate-yaml job
  • Scans all .lock.yml files for version patterns in headers
  • Regex: '# This file was automatically generated by gh-aw \([v0-9]'
  • Matches (v1.0.0), (1.0.0), etc.
  • Fails CI with remediation steps if detected

Header Formats

# Dev build (correct):
# This file was automatically generated by gh-aw. DO NOT EDIT.

# Release build (should fail CI):
# This file was automatically generated by gh-aw (v1.0.0). DO NOT EDIT.

The release flag (-X main.isRelease=true) is set only during scripts/build-release.sh and propagates to header generation via pkg/workflow.isReleaseBuild.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This pull request adds a CI validation step to prevent lock files from being compiled with release builds. Release builds inject version numbers into lock file headers (e.g., gh-aw (v1.0.0)), which should only appear in distributed binaries, not in source-controlled workflows. The check ensures all .lock.yml files use dev build headers without version numbers.

Changes:

• Added validation step in the validate-yaml job to detect release-compiled lock files
• Uses grep pattern to find version numbers in lock file headers
• Provides clear error messages and remediation instructions when violations are detected

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.