Commit 735a7f8
Copilot/convert cli proxy to byok (#2062)
* feat: convert remaining cli-proxy workflows to byok-copilot
Convert firewall-issue-dispatcher, smoke-copilot, and smoke-services
from features.cli-proxy to features.byok-copilot.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: add cli-proxy/byok-copilot features to all workflows
- Copilot engine workflows: byok-copilot: true
- Non-copilot engine workflows (claude, codex, opencode): cli-proxy: true
All 29 workflows now have explicit feature flags for proxy support.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: increase smoke-services timeout from 5 to 15 minutes
The agent was timing out at 5 minutes with Redis + PostgreSQL services.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Update .github/workflows/smoke-copilot.lock.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update .github/workflows/smoke-services.lock.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update .github/workflows/firewall-issue-dispatcher.lock.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Revert "Update .github/workflows/firewall-issue-dispatcher.lock.yml"
This reverts commit cf1f942.
* Revert "Update .github/workflows/smoke-services.lock.yml"
This reverts commit 731e68d.
* Revert "Update .github/workflows/smoke-copilot.lock.yml"
This reverts commit e73a18b.
* chore: bump mcpg to v0.2.23 in all lock files
Update ghcr.io/github/gh-aw-mcpg from v0.2.22 to v0.2.23 across all 29
workflow lock files. This picks up the DIFC proxy fix for /api/graphql
404 errors on github.com repos.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: add DIFC proxy CA trust env vars to build-test lock.yml
Update build-test.lock.yml to mcpg v0.2.24 and export SSL trust
environment variables (GIT_SSL_CAINFO, SSL_CERT_FILE, NODE_EXTRA_CA_CERTS,
CURL_CA_BUNDLE, REQUESTS_CA_BUNDLE) before the AWF command so that
git/curl/node inside the container trust the DIFC proxy's TLS certificate.
This fixes the 'SSL certificate problem: unable to get local issuer
certificate' error that caused all 18 gh repo clone operations to fail
in the Build Test Suite.
Refs: gh-aw-mcpg#4041, gh-aw-mcpg#4042
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: add GIT_SSL_CAINFO to cli-proxy sidecar for git clone SSL trust
The cli-proxy entrypoint sets SSL_CERT_FILE (for Go's gh CLI) and
NODE_EXTRA_CA_CERTS (for Node.js), but when `gh repo clone` shells out
to `git`, it uses OpenSSL which reads GIT_SSL_CAINFO — not SSL_CERT_FILE.
Changes:
- Add GIT_SSL_CAINFO export pointing to the combined CA bundle in
containers/cli-proxy/entrypoint.sh
- Add GIT_SSL_CAINFO to PROTECTED_ENV_KEYS in server.js to prevent
agent override of the TLS trust store
- Remove unnecessary SSL env var exports from build-test.lock.yml
(those were in the agent container, but git runs in the cli-proxy)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: increase Security Guard max-turns from 8 to 12
The agent was hitting the max turns limit and exiting with code 1
before completing its review.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
1 parent e959d3d commit 735a7f8
File tree
5 files changed: +29 -27 lines changed
- .github/workflows
- containers/cli-proxy
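
The commit message describes adding GIT_SSL_CAINFO to PROTECTED_ENV_KEYS so that the agent cannot override the TLS trust store used by the cli-proxy sidecar. A sketch of that kind of filter follows, as an added example that is not the project's server.js; the function name `buildChildEnv`, the contents of the set, and the sample paths and values are assumptions.

```javascript
// Added example: hypothetical sketch, not the project's server.js.
// Variables that select the CA bundle for tools the sidecar runs.
// All five names appear in the commit message; the set contents are assumed.
const PROTECTED_ENV_KEYS = new Set([
  'GIT_SSL_CAINFO',      // git over HTTPS
  'SSL_CERT_FILE',       // Go programs such as the gh CLI
  'NODE_EXTRA_CA_CERTS', // Node.js
  'CURL_CA_BUNDLE',      // curl
  'REQUESTS_CA_BUNDLE',  // Python requests
]);

// Merge caller-supplied variables over the sidecar's own environment,
// refusing every protected key. Returns the merged environment plus the
// rejected key names so the caller can log the attempt.
function buildChildEnv(baseEnv, requestedEnv) {
  const env = { ...baseEnv };
  const rejected = [];
  for (const [key, value] of Object.entries(requestedEnv || {})) {
    // Compare case-insensitively: conservative, rejects look-alike names too.
    const name = String(key).trim().toUpperCase();
    if (PROTECTED_ENV_KEYS.has(name)) {
      rejected.push(key);
      continue;
    }
    if (typeof value !== 'string') continue; // environment values must be strings
    env[key] = value;
  }
  return { env, rejected };
}

// Constructed sample: the sidecar's environment and an agent-supplied request.
const sidecarEnv = {
  PATH: '/usr/bin',
  GIT_SSL_CAINFO: '/tmp/combined-ca.pem', // placeholder path
};
const agentRequest = {
  GIT_SSL_CAINFO: '/tmp/agent-ca.pem',    // attempted trust-store override
  GH_REPO: 'octo/demo',                   // ordinary variable, passed through
};

function demo() {
  return buildChildEnv(sidecarEnv, agentRequest);
}

console.log(demo());
```

Logging the `rejected` list gives detection a signal when a request tries to replace the trust store, instead of dropping the attempt silently.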