chore: merge main into portable-gh-aw-home and recompile

[Copilot]

Brings the portable-gh-aw-home branch up to date with 5 new commits from main:

• Fix assign-to-agent failing with GitHub App tokens — auto-fallback to GH_AW_AGENT_TOKEN #19796 Fix assign-to-agent failing with GitHub App tokens (auto-fallback to GH_AW_AGENT_TOKEN)
• feat: add temporary ID support to add_comment tool #19737 Add temporary ID support to add_comment tool
• Fix: wire inputs.item_number fallback for label trigger shorthand workflows #19795 Wire inputs.item_number fallback for label trigger shorthand workflows
• [docs] Update documentation for features from 2026-03-06 #19805 Documentation updates for 2026-03-06 features
• chore(deps): bump dompurify from 3.3.0 to 3.3.2 in /docs in the npm_and_yarn group across 1 directory #19791 Bump dompurify

All 167 workflow lock files recompiled against the merged state.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
• https://api.github.com/repos/actions/download-artifact/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq .object.sha d -n 10 (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Updates portable-gh-aw-home by merging recent main changes and recompiling workflow lock files, bringing in fixes to token selection for assign-to-agent, add_comment temporary ID support, and label-trigger shorthand inputs.item_number fallbacks (plus docs and dependency updates).

Changes:

• Avoid GitHub App installation tokens for assign-to-agent and emit a compiler warning when configuration implies fallback behavior.
• Add/propagate workflow_dispatch.inputs.item_number detection and apply || inputs.item_number fallbacks to extracted expressions and concurrency keys.
• Extend Safe Outputs add_comment to support/return temporary_id, update schemas, tests, docs, and recompile workflow lock files.

Reviewed changes

Copilot reviewed 95 out of 96 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/workflow/schedule_preprocessing_test.go	Adds preprocessing tests for label-trigger shorthand expansion and error cases.
pkg/workflow/safe_outputs_env.go	Adjusts agent assignment token selection to avoid GitHub App tokens.
pkg/workflow/js/safe_outputs_tools.json	Updates tool schemas (temporary_id patterns, add_comment item_number accepts temp IDs).
pkg/workflow/expression_extraction_test.go	Adds tests for applying workflow_dispatch inputs.item_number fallbacks.
pkg/workflow/expression_extraction.go	Implements mapping fallback patching for entity number expressions.
pkg/workflow/concurrency_test.go	Adds tests ensuring concurrency keys include inputs.item_number fallback when present.
pkg/workflow/concurrency.go	Refactors entity concurrency key construction and inserts inputs.item_number when available.
pkg/workflow/compiler_yaml.go	Applies inputs.item_number fallbacks after expression mapping collection.
pkg/workflow/compiler_types.go	Adds WorkflowData.HasDispatchItemNumber field.
pkg/workflow/compiler_safe_outputs_job_test.go	Adds tests verifying assign-to-agent token behavior with GitHub App config.
pkg/workflow/compiler_orchestrator_workflow_test.go	Adds tests for detecting dispatch item_number from structured frontmatter.
pkg/workflow/compiler_orchestrator_workflow.go	Detects workflow_dispatch.inputs.item_number from in-memory frontmatter map.
pkg/workflow/compiler.go	Emits warning when assign-to-agent + GitHub App are configured without explicit token override.
docs/src/content/docs/reference/gh-aw-as-mcp-server.md	Documents Docker-image first-use download behavior for compile scanners.
docs/src/content/docs/reference/assign-to-copilot.mdx	Documents that GitHub App tokens are rejected for Copilot assignment and describes fallback chain.
docs/package-lock.json	Bumps dompurify to 3.3.2.
actions/setup/setup.sh	Ensures temporary_id.cjs is included in copied safe-outputs assets.
actions/setup/js/safe_outputs_tools.json	Mirrors safe-outputs schema updates (temporary IDs, add_comment changes).
actions/setup/js/safe_outputs_mcp_add_comment_constraints.test.cjs	Extends MCP constraint tests to assert temporary_id is recorded/returned.
actions/setup/js/safe_outputs_handlers.test.cjs	Adds unit tests for addCommentHandler temporary_id behavior and NDJSON recording.
actions/setup/js/safe_outputs_handlers.cjs	Adds temporary_id generation/validation + response payload for add_comment; refactors create_project temp ID handling.
.github/workflows/workflow-skill-extractor.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/workflow-normalizer.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/workflow-health-manager.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment temp IDs).
.github/workflows/video-analyzer.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/unbloat-docs.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/test-project-url-default.lock.yml	Recompiled lock file reflecting updated tool schemas (temp ID patterns).
.github/workflows/technical-doc-writer.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/super-linter.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/sub-issue-closer.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/step-name-alignment.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/stale-repo-identifier.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/smoke-workflow-call.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-update-cross-repo-pr.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-test-tools.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-temporary-id.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-project.lock.yml	Recompiled lock file reflecting updated tool schemas (temp ID patterns + add_comment changes).
.github/workflows/smoke-opencode.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-multi-pr.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-gemini.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-create-cross-repo-pr.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-copilot.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-copilot-arm.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-codex.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-claude.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/smoke-agent.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/semantic-function-refactor.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/security-compliance.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/security-alert-burndown.campaign.g.lock.yml	Recompiled lock file reflecting updated tool schemas (temp ID + add_comment changes).
.github/workflows/scout.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/refiner.lock.yml	Recompiled lock file reflecting inputs.item_number fallbacks + tool schema updates.
.github/workflows/q.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/pr-triage-agent.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/poem-bot.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/plan.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/pdf-summary.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/issue-triage-agent.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/issue-monster.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/issue-arborist.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/gpclean.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/go-pattern-detector.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/duplicate-code-detector.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/draft-pr-cleanup.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/discussion-task-miner.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/dev.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/dev-hawk.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/dependabot-go-checker.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/dependabot-burner.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/delight.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/deep-report.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-testify-uber-super-expert.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-team-status.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-syntax-error-quality.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-security-red-team.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-safe-outputs-conformance.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-safe-output-optimizer.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-multi-device-docs-tester.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-file-diet.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-fact.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/daily-doc-healer.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-cli-tools-tester.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/daily-cli-performance.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/daily-assign-issue-to-user.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/daily-architecture-diagram.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/craft.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/contribution-check.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/cloclo.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/cli-version-checker.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/cli-consistency-checker.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/ci-doctor.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/breaking-change-checker.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/brave.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/bot-detection.lock.yml	Recompiled lock file reflecting updated tool schemas.
.github/workflows/archie.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).
.github/workflows/agent-performance-analyzer.lock.yml	Recompiled lock file reflecting updated tool schemas (incl. add_comment changes).

Files not reviewed (1)

• docs/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

This test uses slicesEqual(...), but that helper isn’t defined in this file (and slices isn’t imported either), so the package won’t compile. Consider either defining a local helper (as done in pkg/workflow/label_trigger_parser_test.go) or switching to slices.Equal and importing slices (Go 1.21+).

[Copilot]

The warning text says the token fallback chain (GH_AW_AGENT_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) will be used automatically when assign-to-agent.github-token isn’t set, but addSafeOutputAgentGitHubTokenForConfig actually prefers safe-outputs.github-token before that secret chain. Either broaden the condition/message to mention safe-outputs.github-token precedence, or only emit this warning when both assign-to-agent.github-token and safe-outputs.github-token are unset so the message is accurate.