Fix Copilot driver startup failure by removing runtime minimatch dependency

[Copilot]

Daily Secrets Analysis failed before producing agent output because copilot_sdk_driver.cjs required minimatch at runtime in the workflow temp environment, where that module was not available. This PR removes that runtime coupling so the Copilot engine can initialize reliably in compiled workflow execution.

• Root cause

  • actions/setup/js/copilot_sdk_driver.cjs imported minimatch for read-path allowlist checks.
  • In the failing job, the driver executed from _temp/gh-aw/actions/... without a resolvable minimatch package, causing immediate process termination.

• Code change

  • Replaced minimatch usage with Node 24 built-in glob matching for permission path evaluation.
  • Removed custom runtime glob helpers from copilot_sdk_driver.cjs.
  • Kept existing permission semantics (exact match still short-circuits; glob match is fallback).

• Test update

  • Extended actions/setup/js/copilot_sdk_driver.test.cjs read-path allowlist coverage to include nested ** behavior, ensuring parity for recursive path patterns.

// before
const { minimatch } = require("minimatch");
return minimatch(normalizedRequestedPath, normalizedPattern, { dot: true });

// after
return path.posix.matchesGlob(normalizedRequestedPath, normalizedPattern);

[pelikhan]

@copilot use node 24 builtin glob function

[Copilot]

Updated in 5df00ff: switched the read-path glob check to Node 24 built-in path.posix.matchesGlob(...) and removed the custom runtime glob-to-regex helpers from copilot_sdk_driver.cjs.

[Copilot]

Pull request overview

This PR aims to prevent Copilot driver startup failures in compiled workflow execution by eliminating the runtime minimatch require from actions/setup/js/copilot_sdk_driver.cjs, and it updates the allowlist tests to cover recursive (**) read-path behavior. It also adjusts SARIF upload jobs in several locked workflows to explicitly grant actions: read so they can download artifacts before uploading to code scanning.

Changes:

• Replaced runtime minimatch glob checks in copilot_sdk_driver.cjs with a Node path-based glob matcher.
• Extended the SDK driver permission test to cover nested ** read-path behavior.
• Added permissions: actions: read to SARIF upload jobs in multiple locked workflows to support artifact downloads.

Show a summary per file

File	Description
actions/setup/js/copilot_sdk_driver.cjs	Removes runtime minimatch usage and updates read-path glob matching logic.
actions/setup/js/copilot_sdk_driver.test.cjs	Adds coverage for nested ** read-path allowlist behavior.
.github/workflows/smoke-claude.lock.yml	Grants actions: read to SARIF upload job so it can download artifacts.
.github/workflows/daily-semgrep-scan.lock.yml	Grants actions: read to SARIF upload job so it can download artifacts.
.github/workflows/daily-malicious-code-scan.lock.yml	Grants actions: read to SARIF upload job so it can download artifacts.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 5/5 changed files
• Comments generated: 1