feat: add smoke test for Copilot CLI offline BYOK mode (#2003)

Add a new smoke-copilot-byok workflow that validates the
COPILOT_OFFLINE code path through the AWF api-proxy sidecar.

- Sets COPILOT_API_KEY to a dummy value to trigger AWF's BYOK
  detection (COPILOT_OFFLINE=true, COPILOT_PROVIDER_BASE_URL)
- Sidecar authenticates to api.githubcopilot.com using the real
  COPILOT_GITHUB_TOKEN — no new secrets required
- Post-step verifies firewall logs show traffic to the expected
  Copilot API target
- Compiled with gh-aw v0.68.3 and post-processed for local builds

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox

.github/aw/actions-lock.json

@@ -45,6 +45,11 @@
       "version": "v4.0.0",
       "sha": "4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd"
     },
+    "github/gh-aw-actions/setup@v0.68.3": {
+      "repo": "github/gh-aw-actions/setup",
+      "version": "v0.68.3",
+      "sha": "ba90f2186d7ad780ec640f364005fa24e797b360"
+    },
     "github/gh-aw/actions/setup@v0.68.1": {
       "repo": "github/gh-aw/actions/setup",
       "version": "v0.68.1",