chore: disable threat-detection for release.md and recompile #28138

Merged
pelikhan merged 2 commits into main from copilot/task-9919-1036865607-cb3d1d5b-0ab4-45c6-a8f8-743f1fba412c
Apr 23, 2026

Copilot AI commented Apr 23, 2026

Disables threat-detection for the release workflow by adding threat-detection: false under the safe-outputs section in .github/workflows/release.md, then recompiles to update release.lock.yml.

Copilot AI and others added 2 commits April 23, 2026 16:45
Copilot AI requested a review from pelikhan April 23, 2026 16:51
@pelikhan pelikhan marked this pull request as ready for review April 23, 2026 16:53
Copilot AI review requested due to automatic review settings April 23, 2026 16:53
@pelikhan pelikhan merged commit 9afdfc3 into main Apr 23, 2026
@pelikhan pelikhan deleted the copilot/task-9919-1036865607-cb3d1d5b-0ab4-45c6-a8f8-743f1fba412c branch April 23, 2026 16:53
@github-actions github-actions Bot mentioned this pull request Apr 23, 2026

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Disables threat-detection in the release workflow Safe Outputs configuration and recompiles workflow lock files.

Changes:

  • Added threat-detection: false under safe-outputs in .github/workflows/release.md
  • Recompiled .github/workflows/release.lock.yml, removing the detection job/steps and related dependencies
  • Recompiled multiple other *.lock.yml workflows, updating Safe Outputs protected files/path prefixes (e.g., adding DESIGN.md, .githooks/, .husky/)
Summary per file:

| File | Description |
| --- | --- |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/weekly-editors-health-check.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/weekly-blog-post-writer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/update-astro.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/unbloat-docs.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/tidy.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/test-create-pr-error-handling.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/technical-doc-writer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/spec-extractor.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/spec-enforcer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/smoke-project.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/smoke-multi-pr.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/smoke-claude.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/slide-deck-maintainer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/schema-feature-coverage.lock.yml | Recompiled Safe Outputs + regenerated MCP heredoc ids. |
| .github/workflows/release.md | Disables threat detection via Safe Outputs setting. |
| .github/workflows/release.lock.yml | Recompiled release workflow; removes threat-detection job/steps and wiring. |
| .github/workflows/refiner.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/q.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/poem-bot.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/mergefest.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/layout-spec-maintainer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/jsweep.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/instructions-janitor.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/hourly-ci-cleaner.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/go-logger.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/glossary-maintainer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Recompiled MCP gateway docker env list ordering. |
| .github/workflows/github-mcp-tools-report.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/functional-pragmatist.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/dictation-prompt.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/developer-docs-consolidator.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/design-decision-gate.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/dead-code-remover.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/daily-workflow-updater.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/daily-safe-output-integrator.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/daily-doc-updater.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/daily-doc-healer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/daily-community-attribution.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/daily-architecture-diagram.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/craft.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/code-simplifier.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/code-scanning-fixer.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/cloclo.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/ci-coach.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |
| .github/workflows/changeset.lock.yml | Recompiled Safe Outputs config (expanded protected files/path prefixes). |

Copilot's findings

Comments suppressed due to low confidence (4)

.github/workflows/weekly-safe-outputs-spec-review.lock.yml:1

  • The PR description says only .github/workflows/release.md and release.lock.yml were updated, but many additional workflow lock files (including this one) changed due to recompilation (e.g., adding DESIGN.md and .githooks/ / .husky/). Please either (a) update the PR description to reflect the broader lockfile regeneration, or (b) split/reduce the PR to only the intended release workflow changes.

.github/workflows/release.md:1

  • Disabling threat detection for the release workflow reduces a security safeguard on a high-impact workflow. If this is intentional, please add a brief rationale (and ideally a tracking issue/link) in the PR description or adjacent workflow documentation so future reviewers understand why this protection is disabled.

.github/workflows/release.md:1

  • The update-release: entry is an implicit null value. For readability and to avoid ambiguity in downstream tooling, consider making it an explicit empty mapping (e.g., update-release: {}) and keeping threat-detection grouped/ordered consistently with other safe-outputs settings.

.github/workflows/release.lock.yml:1

  • This removes uploading /tmp/gh-aw/aw-*.patch and /tmp/gh-aw/aw-*.bundle artifacts. Even with threat detection disabled, these artifacts can be valuable for debugging/auditing unexpected release behavior. Consider keeping them unless there's a specific reason (e.g., size/sensitivity) to stop collecting them.

  • Files reviewed: 51/51 changed files
  • Comments generated: 0
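
The two suppressed findings on .github/workflows/release.md (threat detection disabled, and `update-release:` left as an implicit null) can be checked mechanically before merge. The following is an added example, not code from this PR or from the project: it assumes the workflow file opens with `---`-fenced YAML frontmatter, handles block-style mappings only, and runs on a constructed sample.

```python
# Added example: audits the safe-outputs block of a workflow .md file.
# Assumption: the file begins with '---' fenced YAML frontmatter (block style).

SAMPLE = """\
---
safe-outputs:
  update-release:
  threat-detection: false
---
# Release (constructed sample body)
"""

def frontmatter(text):
    """Return the lines between the leading '---' fences, or [] if absent."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i in range(1, len(lines)):
        if lines[i].strip() == "---":
            return lines[1:i]
    return []

def safe_outputs(text):
    """Direct children of top-level 'safe-outputs:'; None marks an implicit null."""
    out, inside, level, last = {}, False, None, None
    for raw in frontmatter(text):
        line = raw.split(" #")[0].rstrip()      # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                          # a new top-level key
            inside, level, last = line.strip() == "safe-outputs:", None, None
        elif inside:
            level = indent if level is None else level
            if indent > level and last and out[last] is None:
                out[last] = {}                   # key has nested children, not null
            elif indent == level and ":" in line:
                last, _, value = line.strip().partition(":")
                out[last] = value.strip() or None
    return out

def audit(text):
    """Return findings for disabled threat detection and implicit-null entries."""
    cfg = safe_outputs(text)
    findings = []
    if str(cfg.get("threat-detection", "")).lower() == "false":
        findings.append("threat-detection disabled")
    findings += [f"implicit null: {k}" for k, v in cfg.items() if v is None]
    return findings
```

Running `audit` over each workflow source file in CI and failing on a non-empty result forces a disabled safeguard to be acknowledged in review rather than arriving alongside a bulk recompile.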
