
chore: upgrade gh-aw to v0.68.4 and recompile workflows #2019

Closed
lpcox wants to merge 3 commits into main from copilot/upgrade-gh-aw-0.68.4

Collaborator

lpcox commented Apr 16, 2026

Summary

Upgrades gh-aw from v0.68.1 to v0.68.4 and recompiles all agentic workflows.

Action updates

| Action | From | To |
| --- | --- | --- |
| github/gh-aw-actions/setup | v0.68.3 | v0.68.4 |
| github/gh-aw/actions/setup | v0.68.1 | v0.68.4 |
| actions/github-script | v8/v9 | v9.0.0 |
| softprops/action-gh-release | v2.6.1 | v3.0.0 |

Container image pins refreshed (14 images)

All GHCR container images (agent, squid, api-proxy, cli-proxy, mcpg, github-mcp-server, playwright-mcp) and base images (alpine, node) re-pinned to latest digests.

Workflows recompiled

All 29 workflows recompiled and post-processed. Lock files updated with:

  • New action versions and SHA pins
  • Post-processing applied (local build, session-state-dir, cache-memory TTL, security policies)

Notes

  • smoke-opencode.md failed to compile — opencode is not yet a supported engine in gh-aw v0.68.4. No changes to its lock file.
  • No codemods were needed (✓ No fixes needed).

- Updated gh-aw-actions/setup v0.68.3 → v0.68.4
- Updated gh-aw/actions/setup v0.68.1 → v0.68.4
- Updated actions/github-script v8/v9 → v9.0.0
- Updated softprops/action-gh-release v2.6.1 → v3.0.0
- Refreshed 14 container image pins
- Recompiled all 29 workflows + post-processed lock files
- smoke-opencode.md skipped (opencode engine not yet supported)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 16, 2026 04:41
@lpcox lpcox requested a review from Mossaka as a code owner April 16, 2026 04:41
Contributor

github-actions bot commented Apr 16, 2026

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 85.35% | 85.43% | 📈 +0.08% |
| Statements | 85.24% | 85.33% | 📈 +0.09% |
| Functions | 87.96% | 87.96% | ➡️ +0.00% |
| Branches | 77.95% | 78.00% | 📈 +0.05% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/docker-manager.ts | 86.8% → 87.1% (+0.30%) | 86.4% → 86.7% (+0.29%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor

Copilot AI left a comment


Pull request overview

Upgrades the repository’s agentic workflow toolchain to gh-aw v0.68.4 and refreshes the compiled workflow lock files so CI runs with updated action pins, container image pins, and the newer gh-aw-generated workflow wiring.

Changes:

  • Bumped gh-aw compiler metadata across lock files to v0.68.4, updating pinned action SHAs (notably github/gh-aw-actions/setup, actions/github-script, actions/upload-artifact, and actions/cache where used).
  • Refreshed container references in workflow manifests/steps (including adding digest-pinned references for several images) and updated runtime/agent steps (Copilot error detection, MCP gateway startup via Node, prompt handling via --prompt-file, etc.).
  • Updated repo-level pin registry in .github/aw/actions-lock.json and gh-aw agent documentation links to v0.68.4.

| File | Description |
| --- | --- |
| .github/workflows/update-release-notes.lock.yml | Recompiled lock with v0.68.4, updated action pins, container list, Copilot error detection, and new base-branch agent-config save/restore steps. |
| .github/workflows/smoke-codex.lock.yml | Recompiled Codex smoke workflow with updated pins, MCP config path adjustments, and added cleanup step (see comment). |
| .github/workflows/security-review.lock.yml | Recompiled security review workflow with updated pins, Copilot error detection outputs, and container pin refresh. |
| .github/workflows/plan.lock.yml | Recompiled plan-command workflow with updated pins, Copilot error detection outputs, and container pin refresh. |
| .github/workflows/issue-monster.lock.yml | Recompiled issue triage workflow with updated pins and updated safe-outputs tooling metadata. |
| .github/workflows/firewall-issue-dispatcher.lock.yml | Recompiled dispatcher workflow with updated pins and refreshed mcpg image tag for CLI proxy (see comment). |
| .github/workflows/copilot-token-usage-analyzer.lock.yml | Recompiled analyzer workflow with updated pins, Copilot error detection outputs, and container pin refresh. |
| .github/workflows/copilot-token-optimizer.lock.yml | Recompiled optimizer workflow with updated pins, Copilot error detection outputs, and container pin refresh. |
| .github/workflows/cli-flag-consistency-checker.lock.yml | Recompiled checker workflow with updated pins, Copilot error detection outputs, and schedule scatter update. |
| .github/workflows/claude-token-usage-analyzer.lock.yml | Recompiled analyzer workflow with updated pins, Copilot error detection outputs, and container pin refresh. |
| .github/workflows/ci-cd-gaps-assessment.lock.yml | Recompiled assessment workflow with updated pins and added digest pin for alpine:latest. |
| .github/aw/actions-lock.json | Updated central action pins (and added a container pin registry section). |
| .github/agents/agentic-workflows.agent.md | Updated gh-aw documentation links to reference v0.68.4. |

Copilot's findings


  • Files reviewed: 31/31 changed files
  • Comments generated: 2

Comment on lines +1024 to +1026
- name: Clean up engine output files
run: |
rm -fr ${{ runner.temp }}/gh-aw/mcp-config/logs/
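
Review bot: the rm -fr line expands ${{ runner.temp }} into the script text unquoted, so a temp path containing whitespace or glob characters would be word-split by the shell and rm would receive the wrong arguments. Quote the whole path and read it from the environment instead, for example rm -rf "$RUNNER_TEMP/gh-aw/mcp-config/logs/", which also keeps the expression out of the generated script.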

Copilot AI Apr 16, 2026


The workflow deletes ${{ runner.temp }}/gh-aw/mcp-config/logs/ in the new "Clean up engine output files" step, but later still includes the same directory in the "Upload agent artifacts" paths. This makes the uploaded artifact miss the Codex engine logs. Either move this cleanup after the artifact upload, or remove the logs directory from the upload list (or clean up a different path).

Suggested change
- name: Clean up engine output files
run: |
rm -fr ${{ runner.temp }}/gh-aw/mcp-config/logs/

GITHUB_SERVER_URL: ${{ github.server_url }}
CLI_PROXY_POLICY: '{"allow-only":{"min-integrity":"none","repos":["github/gh-aw","github/gh-aw-firewall"]}}'
CLI_PROXY_IMAGE: 'ghcr.io/github/gh-aw-mcpg:v0.2.17'
CLI_PROXY_IMAGE: 'ghcr.io/github/gh-aw-mcpg:v0.2.19'
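
Review bot: the new CLI_PROXY_IMAGE value on the last line is a tag-only reference (ghcr.io/github/gh-aw-mcpg:v0.2.19), the same form as the v0.2.17 line it replaces, so the version bump leaves the proxy image resolving to whatever the registry serves for that tag at run time. Append the image's sha256 digest to the reference (tag@sha256:...) so the value passed to the proxy is immutable.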

Copilot AI Apr 16, 2026


CLI_PROXY_IMAGE is still set to a mutable tag (ghcr.io/github/gh-aw-mcpg:v0.2.19) even though this workflow pins the same image by digest elsewhere (e.g., in the download step/manifest). For supply-chain safety and reproducibility, prefer passing the digest-pinned image reference here as well.

Suggested change
CLI_PROXY_IMAGE: 'ghcr.io/github/gh-aw-mcpg:v0.2.19'
CLI_PROXY_IMAGE: 'ghcr.io/github/gh-aw-mcpg:v0.2.19@sha256:44d4d8de7e6c37aaea484eba489940c52df6a0b54078ddcbc9327592d5b3c3dd'
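
The digest-pinning point in the review comment above can be checked mechanically. The following is an added example, not code from this PR or from gh-aw: it scans workflow text for ghcr.io image references, reports those without an @sha256 digest, and suggests the pinned form when the same image:tag is pinned elsewhere in the file. The sample workflow, download.sh, the ghcr.io/example/* names and the digests are constructed.

```python
import re

# ghcr.io/<path>[:tag][@sha256:<64 hex>]; only GHCR references are matched here.
IMAGE_RE = re.compile(
    r"(?P<name>ghcr\.io/[\w./-]+)"
    r"(?::(?P<tag>\w[\w.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

def audit_image_pins(text):
    """Report image references without a digest or with conflicting digests."""
    refs, pins = [], {}
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_RE.finditer(line):
            key = m["name"] + (f":{m['tag']}" if m["tag"] else "")
            refs.append((line_no, key, m["digest"]))
            if m["digest"]:
                pins.setdefault(key, set()).add(m["digest"])
    findings = []
    for line_no, key, digest in refs:
        known = sorted(pins.get(key, ()))
        if digest is None:
            # Suggest a fix only when the file pins this image:tag to one digest.
            fix = f"{key}@{known[0]}" if len(known) == 1 else None
            findings.append({"line": line_no, "ref": key,
                             "issue": "no-digest", "suggest": fix})
        elif len(known) > 1:
            findings.append({"line": line_no, "ref": key,
                             "issue": "conflicting-digests", "suggest": None})
    return findings

# Constructed sample: placeholder digests, hypothetical download.sh and example/* images.
D1 = "sha256:" + "a" * 64
D2 = "sha256:" + "b" * 64
SAMPLE = f"""\
steps:
  - name: Download container images
    run: download.sh ghcr.io/github/gh-aw-mcpg:v0.2.19@{D1} ghcr.io/example/agent:1.0@{D2}
  - name: Start proxy
    env:
      CLI_PROXY_IMAGE: 'ghcr.io/github/gh-aw-mcpg:v0.2.19'
      OTHER_IMAGE: 'ghcr.io/example/tool:2.0'
"""

if __name__ == "__main__":
    for f in audit_image_pins(SAMPLE):
        print(f"line {f['line']}: {f['issue']}: {f['ref']} -> {f['suggest'] or 'no pin in file'}")
```

A non-empty result can fail a CI job; the conflicting-digests case catches a file that pins one image:tag to two different digests.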

BYOK providers require an explicit model. The compiler generates an
empty string fallback which causes Copilot CLI to error with:
'BYOK providers require an explicit model.'

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor

Smoke Test Results

✅ GitHub MCP — #2006 "fix: add explicit model for Copilot BYOK smoke test", #2003 "feat: add smoke test for Copilot CLI offline BYOK mode"
✅ Playwright — github.com title contains "GitHub"
✅ File write — /tmp/gh-aw/agent/smoke-test-claude-24492723038.txt created and verified
✅ Bash — file content confirmed

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

Contributor

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed:

| Service | Check | Result |
| --- | --- | --- |
| Redis host.docker.internal:6379 | PING | PONG |
| PostgreSQL host.docker.internal:5432 | pg_isready | ✅ accepting connections |
| PostgreSQL smoketest db | SELECT 1 | ✅ returned 1 |

Note: redis-cli was not available and sudo is restricted in this environment. Redis connectivity was verified via bash TCP (/dev/tcp).

🔌 Service connectivity validated by Smoke Services

Contributor

🤖 OpenCode Smoke Test — PASS

Overall: PASS

🌐 Transmitted by Smoke OpenCode

Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2019 · ● 624.5K ·

Collaborator Author

lpcox commented Apr 16, 2026

Closing — byok-copilot feature flag needs compiler fixes upstream (gh-aw#26565) before this can land cleanly.

@lpcox lpcox closed this Apr 16, 2026
@lpcox lpcox deleted the copilot/upgrade-gh-aw-0.68.4 branch April 16, 2026 05:02