Evergreen: trigger CI on autoloop PRs that have no checks

[Copilot]

Autoloop PRs frequently sit with zero check runs because pushes via GITHUB_TOKEN don't fire workflows, leaving them invisible to Evergreen's "no checks = healthy" selector. Evergreen now detects this and dispatches CI directly — but only for autoloop/* branches, never for outside-contributor PRs.

Changes

• .github/workflows/ci.yml — add workflow_dispatch: so the workflow can be dispatched via API.
• .github/workflows/evergreen.md (pre-flight Python script):
  • New is_autoloop_pr, get_commit_date, trigger_ci_workflow, post_pr_comment helpers.
  • pr_needs_attention flags missing_checks for autoloop PRs when HEAD has no check runs, or only queued/in-progress runs and is >15 min old.
  • For missing_checks-only autoloop PRs, the pre-flight handles them inline: POSTs to /actions/workflows/ci.yml/dispatches with GH_AW_CI_TRIGGER_TOKEN, comments on the PR, persists a per-SHA attempt counter (capped at 5), and skips agent invocation entirely.
  • Agent prompt updated to note that missing_checks is pre-flight–only.
• .github/workflows/evergreen.lock.yml — surgical patch (env var + embedded script) to avoid action/container version drift from a partial-version local gh aw.

Security

The autoloop/* branch-prefix gate is enforced in the detector itself, so the dispatch path is unreachable for external PRs. The privileged GH_AW_CI_TRIGGER_TOKEN is scoped to the pre-flight step and never exposed to the agent container.

Behavior

PR #123 (branch: autoloop/foo, HEAD has 0 check runs)
  → issues: ["missing_checks: no check runs on HEAD"]
  → pre-flight: POST workflow_dispatch ci.yml ref=autoloop/foo
  → comment posted, attempt counter bumped, agent NOT invoked

If missing_checks co-occurs with another fixable issue (merge_conflict, failing_checks, …), the PR is still routed to the agent for that other issue; the next scheduled run will re-trigger CI if checks are still missing.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/githubnext/gh-aw/releases/latest
  • Triggering command: /usr/bin/gh gh extension install githubnext/gh-aw --pin v0.71.4 (http block)
  • Triggering command: /usr/bin/gh gh extension install githubnext/gh-aw (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)