Allow releaseassets.githubusercontent.com in workflow firewall

[Copilot]

Toolchain installers (e.g. bun, rustup) fetch binaries from releaseassets.githubusercontent.com, which was not in the gh-aw sandbox firewall allowlist, causing setup failures inside agentic workflows.

Changes

• autoloop.md / evergreen.md: append releaseassets.githubusercontent.com to network.allowed.
• *.lock.yml: regenerated via gh aw compile; the domain now appears in the awf --allow-domains list and in GH_AW_INFO_ALLOWED_DOMAINS.

network:
  allowed:
  - defaults
  - node
  - releaseassets.githubusercontent.com

Notes

• sync-branches.md has no network block and does no toolchain install — left untouched.
• gh-aw emits a strict-mode hint suggesting the broader github ecosystem identifier; intentionally kept as the single explicit domain to match the issue scope and minimize the allowlist surface.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.68.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.68.3 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)