
feat: guard DIFC proxy emission with difc-proxy feature flag #23471

Merged
pelikhan merged 2 commits into main from copilot/add-difc-proxy-feature-flag
Mar 29, 2026

Conversation

Contributor

Copilot AI commented Mar 29, 2026

DIFC proxy steps were unconditionally emitted whenever min-integrity was configured. They should be opt-in via a feature flag so existing workflows aren't affected.

Changes

  • pkg/constants — Added DIFCProxyFeatureFlag = "difc-proxy" constant.
  • pkg/workflow/compiler_difc_proxy.go — Added feature flag check as the first gate in hasDIFCGuardsConfigured. This single function controls all DIFC emission paths (main job start/stop, qmd indexing wrapping, artifact log paths), so no other call sites needed changing.
  • Tests — Added Features: map[string]any{"difc-proxy": true} to all test cases expecting proxy injection; added TestDIFCProxyNotInjectedWithoutFeatureFlag to assert proxy steps are absent when only min-integrity is set without the flag.
  • Lock files — Recompiled all 22 workflow lock files that had min-integrity configured; DIFC proxy steps have been removed from all of them since none include the difc-proxy feature flag.

Usage

To enable DIFC proxy injection, opt in via frontmatter:

features:
  difc-proxy: true
tools:
  github:
    min-integrity: approved

Or via environment variable: GH_AW_FEATURES=difc-proxy.
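As an added illustration of the gate described above (not the gh-aw project's own code), here is a Go sketch of how the feature-flag check and the min-integrity check combine, with the GH_AW_FEATURES value passed in explicitly so a test never depends on the process environment. WorkflowData, featureEnabled and shouldInjectDIFCProxy are hypothetical stand-ins for the compiler's types and functions.

```go
package main

import (
	"fmt"
	"strings"
)

// WorkflowData is a hypothetical stand-in for the compiler's workflow struct;
// only the two frontmatter fields the gate needs are modelled here.
type WorkflowData struct {
	Features     map[string]any // the frontmatter "features:" block
	MinIntegrity string         // tools.github.min-integrity, "" when unset
}

const DIFCProxyFeatureFlag = "difc-proxy"

// featureEnabled reports whether a flag is on: frontmatter "true" wins, else the
// comma-separated GH_AW_FEATURES value (passed in, not read from the process) is
// consulted. Assumed semantics: a frontmatter "false" does not veto an env opt-in.
func featureEnabled(name string, data *WorkflowData, envFeatures string) bool {
	if data != nil {
		if b, ok := data.Features[name].(bool); ok && b {
			return true
		}
	}
	for _, f := range strings.Split(envFeatures, ",") {
		if strings.TrimSpace(f) == name {
			return true
		}
	}
	return false
}

// shouldInjectDIFCProxy is the combined gate from the PR: the feature flag
// is checked first, then the guard policy, so a workflow that only sets
// min-integrity keeps its old behaviour until it opts in.
func shouldInjectDIFCProxy(data *WorkflowData, envFeatures string) bool {
	if data == nil || !featureEnabled(DIFCProxyFeatureFlag, data, envFeatures) {
		return false
	}
	return data.MinIntegrity != ""
}

func main() {
	guardsOnly := &WorkflowData{MinIntegrity: "approved"}
	optedIn := &WorkflowData{Features: map[string]any{"difc-proxy": true}, MinIntegrity: "approved"}
	fmt.Println(shouldInjectDIFCProxy(guardsOnly, ""))           // false: no flag
	fmt.Println(shouldInjectDIFCProxy(guardsOnly, "difc-proxy")) // true: env opt-in
	fmt.Println(shouldInjectDIFCProxy(optedIn, ""))              // true: frontmatter opt-in
}
```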


@pelikhan
Collaborator

@copilot recompile and make sure the difc proxy is not emitted unless the feature flag is enabled

…without difc-proxy feature flag

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7e2bf4e5-6e4e-452a-b256-adad884e6e2e

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 29, 2026

@copilot recompile and make sure the difc proxy is not emitted unless the feature flag is enabled

Recompiled in 62cb48c. All 22 lock files that previously had DIFC proxy steps (from workflows with min-integrity but no features: difc-proxy: true) have been regenerated — DIFC proxy steps are now absent from all of them.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan March 29, 2026 15:47
@pelikhan pelikhan marked this pull request as ready for review March 29, 2026 15:52
Copilot AI review requested due to automatic review settings March 29, 2026 15:52
Contributor

Copilot AI left a comment


Pull request overview

This PR makes DIFC proxy step injection opt-in by gating all DIFC proxy emission behind a new difc-proxy feature flag, preventing existing workflows that only set min-integrity from changing behavior.

Changes:

  • Added constants.DIFCProxyFeatureFlag and included it in feature-flag constant tests.
  • Updated DIFC proxy compilation gating to require both min-integrity and difc-proxy being enabled.
  • Updated/added tests and regenerated workflow lock files to remove DIFC proxy steps/paths unless the flag is present.

Reviewed changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 2 comments.

File | Description
pkg/workflow/compiler_difc_proxy.go | Adds feature-flag gate to the core DIFC proxy injection predicate.
pkg/workflow/compiler_difc_proxy_test.go | Updates existing tests to opt into difc-proxy and adds coverage for "guards set but flag absent".
pkg/constants/constants.go | Introduces DIFCProxyFeatureFlag constant with documentation.
pkg/constants/constants_test.go | Extends feature-flag constant table test to include difc-proxy.
.github/workflows/workflow-generator.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/weekly-issue-summary.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/weekly-blog-post-writer.lock.yml | Removes DIFC proxy start/stop steps and log paths (flag not enabled).
.github/workflows/stale-repo-identifier.lock.yml | Removes DIFC proxy start/stop steps and log paths (flag not enabled).
.github/workflows/smoke-agent-scoped-approved.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/smoke-agent-public-none.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/smoke-agent-public-approved.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/smoke-agent-all-none.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/smoke-agent-all-merged.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/scout.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/refiner.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/pr-triage-agent.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/plan.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/org-health-report.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/issue-triage-agent.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/issue-monster.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/issue-arborist.lock.yml | Removes DIFC proxy start/stop steps and log paths (flag not enabled).
.github/workflows/grumpy-reviewer.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/discussion-task-miner.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.
.github/workflows/daily-issues-report.lock.yml | Removes DIFC proxy start/stop steps and log paths (flag not enabled).
.github/workflows/contribution-check.lock.yml | Removes DIFC proxy log paths now that proxy isn't emitted by default.


Comment on lines +511 to +537
func TestDIFCProxyNotInjectedWithoutFeatureFlag(t *testing.T) {
workflow := `---
on: issues
engine: copilot
tools:
github:
mode: local
toolsets: [default]
min-integrity: approved
steps:
- name: Fetch repo data
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh issue list
---

# Test Workflow

Test that DIFC proxy is NOT injected when min-integrity is set but difc-proxy feature flag is absent.
`
compiler := NewCompiler()
data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md")
require.NoError(t, err, "parsing should succeed")

result, err := compiler.CompileToYAML(data, "test-workflow.md")
require.NoError(t, err, "compilation should succeed")
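Review bot: the visible part of TestDIFCProxyNotInjectedWithoutFeatureFlag ends at the compilation require.NoError, and the PR description says hasDIFCGuardsConfigured gates three emission paths (main-job start/stop steps, qmd indexing wrapping, artifact log paths); the negative assertions that follow should cover all three in result, for example one require.NotContains(t, result, ...) per path, not only the start/stop step names, so a regression in a single path is still caught.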


Copilot AI Mar 29, 2026


This test assumes the difc-proxy feature flag is disabled, but isFeatureEnabled also considers the GH_AW_FEATURES environment variable. To avoid flakiness when running tests with GH_AW_FEATURES set, explicitly clear it (e.g., via t.Setenv) within the test.

Comment on lines 70 to +80
// hasDIFCGuardsConfigured returns true if the GitHub tool has explicit guard policies configured
// (min-integrity is set). This is the base condition for DIFC proxy injection.
// (min-integrity is set) AND the "difc-proxy" feature flag is enabled.
// This is the base condition for DIFC proxy injection.
func hasDIFCGuardsConfigured(data *WorkflowData) bool {
if data == nil {
return false
}
if !isFeatureEnabled(constants.DIFCProxyFeatureFlag, data) {
difcProxyLog.Print("difc-proxy feature flag not enabled, skipping DIFC proxy injection")
return false
}
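Review bot: the feature-flag gate sits ahead of the min-integrity check, so difcProxyLog.Print("difc-proxy feature flag not enabled, skipping DIFC proxy injection") fires for every workflow compiled without the flag, including the many that configure no guard policy and never would have had a proxy injected; consider evaluating the guard condition first, or logging only when guards are present, so the log line actually means a proxy was suppressed.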

Copilot AI Mar 29, 2026


hasDIFCGuardsConfigured now returns false when guard policies are present but the difc-proxy feature flag is disabled. The updated doc comment explains this, but the function name is now misleading (it no longer answers whether guards are configured). Consider renaming to reflect the combined condition (e.g., guards configured and DIFC proxy feature enabled) or splitting the checks into two functions.

@pelikhan pelikhan merged commit e23efae into main Mar 29, 2026
62 of 65 checks passed
@pelikhan pelikhan deleted the copilot/add-difc-proxy-feature-flag branch March 29, 2026 16:09