fix: resolve 3 claude-engine workflow failures (safe-output misses + blocked commands)

[Copilot]

Three Claude-engine workflows in the 2026-05-04 6h failure report all exited without calling any safe-output tool, caused by broken GitHub tool access, missing bash permissions, and overly-restrictive command patterns.

Changes

• Schema Consistency Checker — github.mode: remote → gh-proxy. remote mode requires a PAT and silently fails with GITHUB_TOKEN, causing GitHub tool calls to error out; the agent exhausted its 60-turn limit without ever reaching create-discussion or noop.

• Multi-Device Docs Tester — Relies on the compiler's auto-injection of Bash(playwright-cli:*) when playwright.mode: cli is configured (introduced in feat: auto-allow playwright-cli bash command when playwright cli mode is enabled #30126). No manual bash restriction change needed in the source; the compiler now handles it automatically.

• Step Name Alignment — Two fixes:

  • Broadened yq restriction from the literal "yq eval '.jobs.*.steps[].name' .github/workflows/*.lock.yml" to "yq*". The specific pattern blocked single-file queries and loop constructs the agent naturally reaches for.
  • Updated cache prompt path from /tmp/gh-aw/cache-memory/step-name-alignment/patterns.json (subdirectory) to /tmp/gh-aw/cache-memory/step-name-alignment.json (flat). The compiled --allowed-tools uses Edit(/tmp/gh-aw/cache-memory/*) — a single-level glob that does not match subdirectory paths.

All three .lock.yml files recompiled after merging main.

[github-actions]

Hey @Copilot 👋 — great work tracking down these three Claude-engine workflow failures! The root-cause analysis in the PR body is thorough, and the targeted fixes to github.mode, bash restrictions (playwright-cli*), and the yq pattern / cache path all make sense.

One thing that would strengthen this PR:

• No test changes detected — the three .lock.yml files are recompiled and the workflow configs are updated, but there are no corresponding test file changes. If there are integration or unit tests that exercise workflow compilation, bash-restriction matching, or cache path resolution, adding coverage for the three fixed scenarios would help guard against regressions.

If you'd like a hand, you can assign this prompt to your coding agent:

Add regression tests for the three workflow fixes in PR #30110:
1. In the Schema Consistency Checker tests, assert that `github.mode: gh-proxy` is used (not `remote`) so GITHUB_TOKEN-based runs don't silently fail.
2. In the Multi-Device Docs Tester bash-restriction tests, assert that `playwright-cli*` is an allowed pattern alongside `npx playwright*`.
3. In the Step Name Alignment tests, assert (a) that the yq restriction matches `yq*` broadly and (b) that the cache path resolves to `/tmp/gh-aw/cache-memory/step-name-alignment.json` (flat file, not a subdirectory).
Place tests alongside existing test files for these workflows.

Generated by Contribution Check · ● 1.5M · ◷

[pelikhan]

@copilot merge main and recompile

[Copilot]

Pull request overview

This PR aims to prevent three Claude-based GitHub Actions workflows from exiting without producing any safe-output by fixing GitHub tool access mode mismatches and overly-restrictive bash allowlists, then recompiling the affected .lock.yml workflows.

Changes:

• Switches Schema Consistency Checker GitHub access from remote to gh-proxy and updates the compiled workflow to use the CLI proxy path.
• Broadens blocked bash command patterns (notably yq and playwright-cli) to match the commands the workflows instruct the agent to run.
• Updates action pin data with additional major-tag entries to support compilation/pinning.

Show a summary per file

File	Description
pkg/workflow/data/action_pins.json	Adds major-tag pins (e.g., actions/checkout@v4, actions/setup-python@v5) used during workflow compilation/pinning.
pkg/actionpins/data/action_pins.json	Mirrors the same action pin additions for the actionpins package dataset.
.github/workflows/step-name-alignment.md	Relaxes yq bash restrictions and fixes the documented cache-memory path.
.github/workflows/step-name-alignment.lock.yml	Recompiled lock workflow reflecting the updated yq allowlist and prompt/cache changes.
.github/workflows/schema-consistency-checker.md	Switches GitHub tool mode from remote to gh-proxy.
.github/workflows/schema-consistency-checker.lock.yml	Recompiled lock workflow to use CLI proxy approach and updated prompts/network config.
.github/workflows/daily-multi-device-docs-tester.md	Allows playwright-cli* to match the documented Playwright usage.
.github/workflows/daily-multi-device-docs-tester.lock.yml	Recompiled lock workflow reflecting the updated bash allowlist.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 8/8 changed files
• Comments generated: 2

[Copilot]

@copilot merge main and recompile

Done in a292bc2. Merged origin/main, resolved the conflict in daily-multi-device-docs-tester.lock.yml (main's #30126 already auto-injects playwright-cli:* via the compiler, so I removed the manual playwright-cli* entry from the .md source), rebuilt the binary, and recompiled all three workflows.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name k/node_modules/.bin/sh nore (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -d 168.63.129.16 bash k/gh�� --noprofile 53 1/x64/bin/node ACCEPT (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name ed-objects.md (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 sh sv "prettier" --wrigit (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --get resolved$ /usr/bin/git get --local cal/bin/bash git rev-�� --show-toplevel git /usr/bin/git */*.ts' '**/*.jsgit credential.usernrev-parse DiscussionsEnabl--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv 08565327 format:cjs 052775/b070=> (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 --jq bject.type] | @tsv 634092577 -tests /usr/bin/git git rev-�� ithub-script/git/ref/tags/v9 git bject.type] | @tsv v1.0.0 config /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/gh --show-toplevel bash /usr/bin/infocmp--show-toplevel gh api /repos/actions/github-script/git/ref/tags/v9 --jq /opt/hostedtoolcache/go/1.25.8/x64/bin/node xterm-color bash /usr/bin/git node (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv 5356-7609/test-808565327 -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git github/workflowsgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/TestHashConsistency_GoAndJavaScript436149590/001/test-inlined-imports-enabled-with-body-congit l /usr/bin/git re --log-level=egit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260504-135356-7609/test-2787099483 rev-parse /opt/hostedtoolcache/node/24.14.1/x64/bin/node 01 (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git user.name Test User (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv ath ../../../.pr**/*.json (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv w/js/**/*.json' --ignore-path (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv ath ../../../.pr**/*.json (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build475052775/b070/importcfg -pack /tmp/go-build475052775/b070/_testmain.go (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /repos/actions/github-script/git/ref/tags/v9 --jq /usr/bin/gh Onlyrepos_only_winfocmp (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv user.email test@example.com /usr/bin/git th .prettierignogit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv xterm-color bash /usr/bin/git ithub/workflows/gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 ache/node/24.14.1/x64/bin/node bject.type] | @tsv ets.TOKEN }} (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/go-build475052775/b390/_pkg_.a (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --symref origin /usr/bin/git ith-tools.md (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260504-135356-7609/test-2787099483 remote om/upstream/repo.git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel (http block)
• https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git /tmp/TestHashStagit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git ErrorFormatting4gh /tmp/go-build475api /usr/bin/git git rev-�� /ref/tags/v9 git sv user.email test@example.comrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/azure/login/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/node/24.14.1/x64/bin/node /usr/bin/git ere (http block)
• https://api.github.com/repos/docker/login-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 git bject.type] | @tsv v1.0.0 config /usr/bin/git git rev-�� --show-toplevel git /usr/bin/infocmp s/test.md config 0"}} infocmp (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel bash /usr/bin/git 5356-7609/test-1gh (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv true (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-27 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-04 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-03 (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name zation_test.go 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 copilot/aw-failures-fix-claude-engine-runs 64/pkg/tool/linux_amd64/vet ignore (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name origin sh (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 origin /home/REDACTED/work/_temp/uv-python-dir/bash (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
  • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name origin cal/bin/bash (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 origin l_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, creatuser.email (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name HEAD 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 copilot/aw-failures-fix-claude-engine-runs ole.test ignore (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name HEAD 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 copilot/aw-failures-fix-claude-engine-runs 64/pkg/tool/linux_amd64/vet ignore (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name HEAD 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 copilot/aw-failures-fix-claude-engine-runs test ignore (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name son 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 copilot/aw-failures-fix-claude-engine-runs 64/pkg/tool/linux_amd64/link ignore E1NUkIi1IgJ9k/yJrev-parse nux-x86_64 64/pkg/tool/linux_amd64/link --no�� test (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path re --log-level=error (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build475052775/b404/cli.test /tmp/go-build475052775/b404/cli.test -test.testlogfile=/tmp/go-build475052775/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv te '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv on' --ignore-path ../../../.pret.prettierignore ame t[bot] (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv on' --ignore-path ../../../.prettierignore r n-dir/bash (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv on' --ignore-path ../../../.prettierignore r 64/bin/bash (http block)
• https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel l /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git 2" 1>&2 Test User rue,"errors":[],--show-toplevel git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv te '**/*.cjs' '**/*.ts' '**/*.json' --ignore-pat--detach (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion nore (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 1/x64/bin/git (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state bin/sh (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name re --log-level=error (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch te '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)