[plan] Add GitHub MCP server to Copilot workflows to eliminate API denials

[github-actions]

Objective

Configure GitHub MCP server in Copilot workflows that currently attempt direct api.github.com access, eliminating 29.7% firewall denial rate.

Context

Firewall denials are dominated by api.github.com/github.com blocks from Copilot workflows (e.g., research.md, daily-news.md). These workflows need GitHub MCP configuration instead of network allowlists.

Approach

1. Identify Copilot workflows with network.allowed containing api.github.com or github.com
2. Remove api.github.com from network.allowed sections
3. Add GitHub MCP configuration:

   tools:
     github:
       mode: remote
       toolsets: [default]

4. Recompile affected workflows with make recompile
5. Test a sample workflow to verify GitHub access works via MCP

Files to Modify

• .github/workflows/research.md
• .github/workflows/daily-news.md
• Any other Copilot workflows with GitHub API allowlists

Acceptance Criteria

• All Copilot workflows use tools.github instead of network allowlists
• No network.allowed entries for api.github.com or github.com in Copilot workflows
• Workflows compile successfully (make recompile)
• GitHub MCP provides repository/issue/PR access during runs
• Firewall denial rate drops significantly (target: <10%)
  Related to [plan] Improve agent health and reduce firewall denials #7658

AI generated by Plan Command for discussion #7638