fix(aw): Issue Arborist - revert curl /meta workaround now that mcpg v0.3.12+ ships

[Evangelink]

Per githubnext/agentics#339 the DIFC proxy /meta block was fixed in gh-aw-mcpg v0.3.12.

This PR:

• Upgrades the bundled gh-aw-actions/setup to v0.75.4 (recompiled with gh aw v0.75.4 compile --strict), which now pins ghcr.io/github/gh-aw-mcpg:v0.3.18 as the DIFC proxy image.
• Reverts .github/workflows/issue-arborist.md to the upstream githubnext/agentics source (gh issue list instead of the curl + REST API workaround from fix(aw): Issue Arborist - re-apply curl REST API workaround for DIFC proxy /meta block #8507 / fix(aw): Issue Arborist - replace gh CLI with curl REST API to bypass DIFC proxy /meta block #8185).
• Regenerates .github/workflows/issue-arborist.lock.yml and .github/aw/actions-lock.json accordingly.

The point of this PR is to validate the GH team's fix once the next scheduled run executes. If the Fetch issues data step succeeds, we can keep the upstream version; otherwise we'll restore the curl workaround.

[Copilot]

Pull request overview

Updates the Issue Arborist agentic workflow to validate that the DIFC proxy /meta block is resolved in newer gh-aw-mcpg images, by moving back to the upstream gh issue list implementation and bumping the bundled gh-aw-actions/setup tooling.

Changes:

• Reverts Issue Arborist “Fetch issues data” from the curl+REST workaround back to gh issue list.
• Regenerates the compiled issue-arborist.lock.yml using gh aw v0.75.4 (bringing in newer AWF/mcpg/firewall versions).
• Updates .github/aw/actions-lock.json entries for the new github/gh-aw-actions/setup@v0.75.4 reference.

Show a summary per file

File	Description
.github/workflows/issue-arborist.md	Reverts issue fetching back to gh issue list (upstream behavior).
.github/workflows/issue-arborist.lock.yml	Regenerated compiled workflow with updated gh-aw tooling and proxy image versions.
.github/aw/actions-lock.json	Updates locked action entry for github/gh-aw-actions/setup to v0.75.4.

Copilot's findings

• Files reviewed: 3/3 changed files
• Comments generated: 3

[Evangelink]

✅ 21/21 dimensions clean — no findings.

---

Review Summary

This PR correctly reverts the curl-based workaround introduced in #8507 and #8185, restoring the upstream gh issue list command now that the DIFC proxy /meta block is fixed in gh-aw-mcpg v0.3.18.

Verified:

• ✅ gh-aw-actions/setup upgraded from v0.75.0 → v0.75.4 (SHA 9f050961da586148d135e113d8bb025185cdf2b8)
• ✅ gh-aw-mcpg upgraded from v0.3.17 → v0.3.18 in the lock file manifest
• ✅ .github/workflows/issue-arborist.md reverted to upstream githubnext/agentics source (simplified from 38-line curl + jq to 6-line gh issue list)
• ✅ .github/workflows/issue-arborist.lock.yml regenerated with 1465 lines (up from 1428 — includes updated firewall components v0.25.53)
• ✅ Search filter equivalence: -is:sub-issue (REST API) ≈ -parent-issue:* (GraphQL via gh CLI)
• ✅ Error handling change is intentional: removed || echo '[]' fallback so the workflow will fail-fast if gh issue list still breaks, allowing validation of the DIFC proxy fix

Scope discipline: Single-purpose PR with proper cross-references to #8507, #8185, and githubnext/agentics#339. All changes are mechanical (version bumps + lock file regeneration + upstream revert).

No action items.

Generated by Expert Code Review (on open) for issue #8550 · ● 1.3M

[Evangelink]

Addressed by re-compiling with gh-aw v0.75.0 instead of v0.75.4:

• The setup-cli@v0.75.0 entry in actions-lock.json is now preserved (no longer dropped), so agentics-maintenance.yml stays consistent.
• All gh-aw-firewall/* and gh-aw-mcpg container images in the download/cache step are SHA-digest pinned again (v0.75.4 was a regression that omitted those pins; v0.75.0 still emits them).
• The DIFC_PROXY_IMAGE env var is set to ghcr.io/github/gh-aw-mcpg:v0.3.17 (tag-only) — this matches the pre-existing pattern used by gh-aw for the start_difc_proxy.sh env var on main and across the other workflows (only the download_docker_images.sh invocation receives the full image@digest form). Not introduced by this PR.

Note: main's lockfile already pins mcpg v0.3.17 (which is >= v0.3.12 with the /meta fix), so the gh-aw bump wasn't actually required — just reverting the .md to upstream is enough to validate the fix.