[specs] Update layout specification - 2026-04-13

[github-actions]

Layout Specification Update

This PR updates scratchpad/layout.md with the latest patterns extracted from compiled workflow files.

What Changed

• Updated lock file count: 181 → 187 (6 new workflows added)
• Updated pinned SHAs for actions/upload-artifact, actions/github-script, docker/build-push-action, github/stale-repos
• Fixed artifact name: safe-output-items → safe-outputs-items (corrected to match Go constant)
• Added new artifact: safe-outputs-upload-artifacts (staging artifact for upload handlers)
• Added new file path entries: /tmp/gh-aw/otel.jsonl, /tmp/gh-aw/github_rate_limits.jsonl, /tmp/gh-aw/temporary-id-map.json, /tmp/gh-aw/apm-bundle, /tmp/gh-aw/proxy-logs/, /tmp/gh-aw/threat-detection/detection.log, /tmp/gh-aw/sarif/
• Added new Go constants: TokenUsageFilename, GithubRateLimitsFilename, OtelJsonlFilename, TemporaryIdMapFilename, SarifFileName, SarifArtifactDownloadPath, AWFAuditDir
• Added new step IDs: CheckSkipIfCheckFailingStepID, PreActivationAppTokenStepID, ParseMCPGatewayStepID, GetTriggerLabelStepID, RemoveTriggerLabelStepID
• Updated versions: DefaultFirewallVersion v0.25.13→v0.25.18, DefaultMCPGatewayVersion v0.2.14→v0.2.17, DefaultGitHubScriptVersion v8→v9
• Added engine CLI versions: DefaultCopilotVersion (1.0.21), DefaultClaudeCodeVersion (2.1.98), DefaultCodexVersion (0.118.0), DefaultGeminiVersion (0.37.1)
• Added minimum version guards: AWFExcludeEnvMinVersion, AWFCliProxyMinVersion, CopilotNoAskUserMinVersion
• Added new feature flags: CliProxyFeatureFlag (cli-proxy), CopilotIntegrationIDFeatureFlag (copilot-integration-id)
• Expanded temp file structure tree with all new paths

Extraction Summary

• Lock files analyzed: 187
• Actions cataloged: 25
• Artifacts documented: 27
• Job patterns found: 30
• File paths listed: 47

Source Analysis

• Scanned all .lock.yml files in .github/workflows/
• Reviewed Go constants in pkg/constants/ (constants.go, job_constants.go, version_constants.go, url_constants.go, feature_constants.go)
• Reviewed JavaScript code in actions/setup/js/

---

Auto-generated by Layout Specification Maintainer workflow

Generated by Layout Specification Maintainer · ● 2.9M · ◷

• expires on Apr 15, 2026, 8:11 AM UTC

[github-actions]

Hey @github-actions[bot] 👋 — thanks for this automated layout spec refresh! The changes to scratchpad/layout.md are well-structured and the PR description does an excellent job summarising all the additions (new constants, artifact names, file paths, step IDs, version bumps, and the expanded temp-file tree).

One mechanical note from the checklist:

• No test files changed — the diff touches only scratchpad/layout.md, which is a pure documentation artefact auto-generated from compiled workflow files. There is nothing executable to test here, so this flag is expected and not a real concern for this PR type.

All other signals are green: the PR is on-topic (core-team automation maintaining an internal spec), focused on a single concern, adds no new dependencies, and carries a detailed description.

If this PR were a code-change rather than a doc-only update, the missing test coverage would need addressing. For the Layout Specification Maintainer workflow specifically, consider adding a CI sanity-check that validates the markdown structure or confirms that the constants catalogued in scratchpad/layout.md match the actual values in pkg/constants/ — but that would be a separate improvement to the workflow itself rather than a blocker here.

Add a CI validation step to the Layout Specification Maintainer workflow that cross-checks the Go constant values documented in scratchpad/layout.md against the actual constants defined in pkg/constants/ (constants.go, version_constants.go, feature_constants.go, job_constants.go). The check should:
1. Parse the markdown code blocks in scratchpad/layout.md that contain Go const declarations.
2. Compare the values against the real source files in pkg/constants/.
3. Fail the workflow (non-zero exit) if any documented constant is missing from source or has a mismatched value.
This will prevent the spec from drifting out of sync with the code between extraction runs.

Generated by Contribution Check · ● 3.2M · ◷