
Update token optimization workflows#30613

Merged
mnkiefer merged 3 commits into main from update-twfs on May 6, 2026

Conversation

@mnkiefer
Collaborator

@mnkiefer mnkiefer commented May 6, 2026

  • Updates the Copilot token audit and optimizer workflows

@mnkiefer mnkiefer self-assigned this May 6, 2026
@mnkiefer mnkiefer marked this pull request as ready for review May 6, 2026 12:49
Copilot AI review requested due to automatic review settings May 6, 2026 12:49
@github-actions
Contributor

github-actions Bot commented May 6, 2026

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (25436188676)

Generated by Smoke CI for issue #30613 ·

@github-actions
Contributor

github-actions Bot commented May 6, 2026

Comment Memory

CI lights the path
Green checks bloom at dawn
Quiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Generated by Smoke CI for issue #30613 ·

@github-actions github-actions Bot mentioned this pull request May 6, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the Copilot token audit and optimizer workflows to a newer compiled workflow format and shifts reporting/publishing behavior (notably, the audit now publishes an issue instead of a discussion).

Changes:

  • Add source: provenance metadata to the workflow .md specs.
  • Regenerate the compiled .lock.yml workflows (new setup action usage, updated tool/config generation, adjusted schedule times, and other generated-step changes).
  • Switch the token audit workflow’s safe output publishing from create_discussion to create_issue (including prompt text updates).
| File | Description |
| --- | --- |
| .github/workflows/copilot-token-optimizer.md | Adds workflow source provenance metadata. |
| .github/workflows/copilot-token-optimizer.lock.yml | Regenerated compiled workflow; includes runner/setup and firewall/MCP orchestration changes. |
| .github/workflows/copilot-token-audit.md | Updates safe-outputs and instructions to publish an audit issue instead of a discussion; adds provenance metadata. |
| .github/workflows/copilot-token-audit.lock.yml | Regenerated compiled workflow reflecting the audit publishing change and updated orchestration/config steps. |

Copilot's findings


Comments suppressed due to low confidence (3)

.github/workflows/copilot-token-optimizer.lock.yml:823

  • sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall removes the execute bit from directories, which can make the firewall logs/audit directories unreadable/traversable and break awf logs summary and/or artifact upload. Use a mode that preserves directory execute (e.g., a+rX or a+rx for directories/files as appropriate).
          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
          # AWF runs with sudo, creating files owned by root
          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
          # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
          if command -v awf &> /dev/null; then

.github/workflows/copilot-token-audit.lock.yml:764

  • The MCP gateway config writes the OTEL endpoint using the GitHub Actions secret expression (${{ secrets.GH_AW_OTEL_ENDPOINT }}) directly into the generated JSON. Prefer referencing the already-exported env var (${OTEL_EXPORTER_OTLP_ENDPOINT}) so the secret isn’t expanded into the script/config payload (which could be surfaced on errors/logging).
              "apiKey": "${MCP_GATEWAY_API_KEY}",
              "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}",
              "opentelemetry": {
                "endpoint": "${{ secrets.GH_AW_OTEL_ENDPOINT }}",
                "headers": "${OTEL_EXPORTER_OTLP_HEADERS}",
                "traceId": "${GITHUB_AW_OTEL_TRACE_ID}",
                "spanId": "${GITHUB_AW_OTEL_PARENT_SPAN_ID}"

.github/workflows/copilot-token-audit.lock.yml:914

  • sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall removes the execute bit from directories, which can prevent traversing/reading the firewall logs/audit tree and break log summarization or artifact upload. Use a mode that preserves directory execute (e.g., a+rX).
        run: |
          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
          # AWF runs with sudo, creating files owned by root
          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
          # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
  • Files reviewed: 4/4 changed files
  • Comments generated: 2
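To make the `chmod -R a+r` versus `a+rX` point from the suppressed comments concrete, here is an added shell example (not code from the PR or the gh-aw workflows) that builds a small owner-only tree standing in for root-created sandbox output and compares what each recursive mode leaves for the "other" permission class; the directory and file names are constructed.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the gh-aw workflows.
# Builds a tree with owner-only modes (standing in for root-created sandbox
# output) and compares what `chmod -R a+r` and `chmod -R a+rX` leave for the
# "other" permission class. Paths and file names are constructed.
set -eu

# Create $1/sub/audit.log with owner-only modes on every entry.
make_tree() {
  mkdir -p "$1/sub"
  printf 'constructed audit line\n' > "$1/sub/audit.log"
  chmod 0700 "$1" "$1/sub"        # drwx------
  chmod 0600 "$1/sub/audit.log"   # -rw-------
}

# Symbolic mode string of a path, e.g. "drwxr-xr-x" (via ls, for portability).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# True when the "other" class holds the execute bit (10th character), which a
# directory needs before anyone outside the owner can traverse into it.
other_can_traverse() {
  [ "$(mode_of "$1" | cut -c10)" = "x" ]
}

# Apply a recursive mode the way the workflow step does, then report the
# resulting directory and file modes on one line: "<mode> <dir> <file>".
apply_and_report() {
  chmod -R "$1" "$2" 2>/dev/null || true
  printf '%s %s %s\n' "$1" "$(mode_of "$2/sub")" "$(mode_of "$2/sub/audit.log")"
}

# Run both variants side by side on fresh trees under a temp directory.
# a+r adds read everywhere but leaves the directory without other-execute;
# a+rX also sets execute on directories (and only on files already executable).
demo() {
  work=$(mktemp -d)
  make_tree "$work/plain"; apply_and_report a+r  "$work/plain"   # a+r drwxr--r-- -rw-r--r--
  make_tree "$work/capx";  apply_and_report a+rX "$work/capx"    # a+rX drwxr-xr-x -rw-r--r--
  rm -rf "$work"
}

demo
```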

Contributor

@github-actions github-actions Bot left a comment


Skills-Based Review 🧠

Applied /zoom-out and /grill-with-docs based on the workflow configuration update and new upstream-provenance concept introduced here.

Key Themes

  • New source: provenance field — Both workflows add a source: frontmatter key pointing to githubnext/agentic-ops. This is a new pattern in this repo. It's a good idea for traceability, but the semantics (is it informational only? does the compiler validate/reject drift?) aren't documented anywhere yet.

  • Infrastructure version rollback in lock files — Container image versions are downgraded in both lock files (firewall from 0.25.41 → 0.25.28, mcpg from v0.3.6 → v0.3.0). This appears to be because the compiled files originate from an upstream commit that pins older versions. Worth confirming there's a plan to keep the two repos in sync.

  • github-mcp-server:v1.0.2 unpinned digest — The new lock files reference this image by tag only, without a SHA digest. The previous v1.0.3 entries were digest-pinned. This is a supply-chain hygiene concern.

  • Model default claude-sonnet-4.6 → auto — Both lock files change the fallback model. auto may be intentional (let the platform choose), but the behavioral implications for audit/optimizer quality aren't mentioned in the PR body.

  • Cron reschedule — Both workflows get new cron times without explanation. Likely done to spread load, but a one-line comment in the PR description would help.

Positive Highlights

  • ✅ Clean, consistent rename of discussion → issue throughout the audit workflow — no missed references found.
  • ✅ Switching to the centralised github/gh-aw-actions/setup action instead of checking out the actions folder is a good simplification.
  • ✅ Replacing the OTLP masking script with an inline add-mask command is simpler and removes an external dependency.
  • ✅ New Check compile-agentic version step in both lock files is good observability hygiene.

Verdict

No blocking issues — the core functional change (discussions → issues) is correct and consistently applied. The questions above are worth capturing in the PR description or a follow-up issue for maintainability.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · ● 8.2M

@mnkiefer
Collaborator Author

mnkiefer commented May 6, 2026

Contributor

Copilot AI commented May 6, 2026

> @copilot Compare runs from recent workflows https://github.com/github/gh-aw/actions/runs/25436510009, https://github.com/github/gh-aw/actions/runs/25436523645 with those of May 4th https://github.com/...

Compared the 4 runs. All jobs completed with ✅ success (or expected skipped) in both old and new runs.

Structural differences after refactoring:

| | May 4th (old) | Recent (new) |
| --- | --- | --- |
| Audit jobs | 8 (incl. update_cache_memory) | 7 (removed update_cache_memory) |
| Optimizer jobs | 5 | 5 (same) |
| Setup | Checkout actions folder per job | Setup Scripts action (new) |
| gh-aw install | Build from Go source + Docker | Pre-built binary via Install AWF binary |
| Dev tooling | gopls, TypeScript LS, uv, npm deps | Removed |
| Cache-memory | Present in audit | Removed |
| New audit steps | | Setup local chart workspace, Install Python chart dependencies |
| Telemetry | | Mask OTLP telemetry headers added |

The core pipeline is equivalent (activation → agent → upload_assets → detection → safe_outputs → push_repo_memory → conclusion), just with a leaner setup. Both new runs succeeded end-to-end.

@mnkiefer mnkiefer merged commit e5d340d into main May 6, 2026
@mnkiefer mnkiefer deleted the update-twfs branch May 6, 2026 13:17