
feat(ci): add agentic workflow daily-repo-status#210

Merged
YousefHadder merged 1 commit into main from add-workflow-daily-repo-status-9354 on Feb 24, 2026

Conversation

@YousefHadder
Owner

Add agentic workflow daily-repo-status

Copilot AI review requested due to automatic review settings February 24, 2026 12:57
@YousefHadder YousefHadder changed the title from "Add agentic workflow daily-repo-status" to "feat(ci): add agentic workflow daily-repo-status" Feb 24, 2026
@YousefHadder YousefHadder merged commit e46bf8b into main Feb 24, 2026
17 of 18 checks passed
@YousefHadder YousefHadder deleted the add-workflow-daily-repo-status-9354 branch February 24, 2026 12:59
Contributor

Copilot AI left a comment

Pull request overview

Adds a GitHub Next “agentic workflow” that generates a daily repository status report as a GitHub issue, along with the compiled/locked GitHub Actions workflow artifact.

Changes:

  • Add workflow source definition for “daily repo status” (.md frontmatter + prompt instructions).
  • Add compiled workflow lockfile (.lock.yml) generated by gh-aw compile.
  • Mark *.lock.yml workflow files as generated and resolve merge conflicts automatically via .gitattributes.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/daily-repo-status.md | Defines the agentic workflow prompt, schedule, tool access, and safe-outputs for creating a daily status issue. |
| .github/workflows/daily-repo-status.lock.yml | Generated GitHub Actions workflow that runs the agent, threat detection, and safe-outputs issue creation. |
| .gitattributes | Treats workflow lockfiles as generated and uses merge=ours to avoid merge conflicts. |

Comments suppressed due to low confidence (2)

.github/workflows/daily-repo-status.lock.yml:1015

  • runs-on: ubuntu-slim is not a standard GitHub-hosted runner label, so this job will fail to start unless a self-hosted runner with that label exists. Use a supported runner label (e.g., ubuntu-latest) or align this with your runner fleet naming.
    runs-on: ubuntu-slim

.github/workflows/daily-repo-status.lock.yml:49

  • runs-on: ubuntu-slim is not a standard GitHub-hosted runner label, so this workflow will fail to start unless the repo has a self-hosted runner registered with that exact label. Use a supported runner (e.g., ubuntu-latest / ubuntu-22.04 / ubuntu-24.04) or document/enforce the required self-hosted runner label.
    runs-on: ubuntu-slim

- detection
- safe_outputs
if: (always()) && (needs.agent.result != 'skipped')
runs-on: ubuntu-slim
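Review bot: the `if:` condition on this job gates only on `needs.agent.result != 'skipped'` even though the job depends on `detection` and `safe_outputs`, and `always()` means it will also run when `detection` fails or is cancelled. If the job is meant to run only after a successful threat-detection pass, add `needs.detection.result == 'success'` to the condition; if it is intentionally a run-regardless summary or cleanup job, state that in the workflow source so the behaviour of the generated lockfile is documented.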

Copilot AI Feb 24, 2026


runs-on: ubuntu-slim is not a standard GitHub-hosted runner label, so this job will fail to start unless a self-hosted runner with that label exists. Switch to a supported ubuntu-* runner label or ensure the required runner label is available.

This issue also appears in the following locations of the same file:

  • line 1015
  • line 49
Suggested change
runs-on: ubuntu-slim
runs-on: ubuntu-latest

Comment on lines +651 to +652
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
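Review bot: `sudo -E` combined with `--env-all` forwards the runner's entire environment into the sandbox container, so every variable set on the job (including any token exported as an environment variable) is visible to the agent process; consider passing only the variables the agent actually needs, such as `GITHUB_WORKSPACE` and `GH_AW_MODEL_AGENT_COPILOT`, alongside the tool and path restrictions already suggested. Separately, the trailing `2>&1 | tee -a /tmp/gh-aw/agent-stdio.log` makes the step's exit status that of `tee` unless the shell runs with `pipefail`, so a non-zero exit from the agent would not fail the step.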

Copilot AI Feb 24, 2026


This step runs the agent with --enable-host-access and Copilot CLI with --allow-all-tools/--allow-all-paths, which greatly expands the blast radius if the prompt or repo content is abused. If possible, restrict to an explicit tool/path allowlist and avoid host access unless strictly required for MCP/safe-outputs connectivity.

Suggested change
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.20.2 --skip-pull --enable-api-proxy \
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log

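A check of the kind this review asks for, added here as an editor's example and not code from the gh-aw project or from this repository: it scans the text of a compiled workflow for `runs-on` labels outside the repository's own allowlist and for the broad-access flags named in the comments above (`--allow-all-tools`, `--allow-all-paths`, `--enable-host-access`, `--env-all`). The allowlist and the lockfile excerpt are constructed for the example; the allowlist is a policy choice, not GitHub's list of hosted runner labels.

```python
"""Lint a GitHub Actions workflow file for settings flagged in review.

Editor's example, not project code. Run it against a .lock.yml in CI so a
regenerated lockfile that reintroduces a disallowed runner label or a
broad-access agent flag fails the build instead of merging silently.
"""
import re
import sys

# Constructed policy: runner labels this repository permits (an assumption
# made for the example, not an authoritative list of GitHub-hosted runners).
ALLOWED_RUNNER_LABELS = frozenset({"ubuntu-latest", "ubuntu-22.04", "ubuntu-24.04"})

# Flags from the reviewed command line that widen what the agent can reach.
BROAD_ACCESS_FLAGS = (
    "--enable-host-access",  # container can reach the runner host
    "--env-all",             # whole runner environment forwarded to the container
    "--allow-all-tools",     # Copilot CLI may invoke any tool
    "--allow-all-paths",     # Copilot CLI may read/write any path
)

RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(.+?)\s*$")


def _flag_present(flag: str, line: str) -> bool:
    """Match the flag as a whole token so --env-all does not match --env-allx."""
    return re.search(rf"(?<![\w-]){re.escape(flag)}(?![\w-])", line) is not None


def scan_workflow(text: str, allowed_labels=ALLOWED_RUNNER_LABELS) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for the workflow text."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = RUNS_ON_RE.match(line)
        if m:
            label = m.group(1)
            # Expressions such as ${{ matrix.os }} are resolved at run time;
            # flag them as unchecked rather than pretending to validate them.
            if label.startswith("${{"):
                findings.append((lineno, f"runs-on uses an expression, review manually: {label}"))
            elif label not in allowed_labels:
                findings.append((lineno, f"runs-on label {label!r} not in allowlist"))
        for flag in BROAD_ACCESS_FLAGS:
            if _flag_present(flag, line):
                findings.append((lineno, f"broad-access flag {flag}"))
    return findings


# Constructed lockfile excerpt, shaped like the reviewed lines but not copied from them.
SAMPLE_LOCKFILE = """\
jobs:
  agent:
    runs-on: ubuntu-slim
    steps:
      - name: Run agent
        run: |
          sudo -E awf --env-all --enable-host-access --image-tag 0.20.2 \\
            -- /bin/bash -c '/usr/local/bin/copilot --allow-all-tools --allow-all-paths'
  detection:
    runs-on: ubuntu-latest
"""


def main(argv: list[str]) -> int:
    """Scan the files given on the command line, or the sample when none are given."""
    if argv:
        texts = [(path, open(path, encoding="utf-8").read()) for path in argv]
    else:
        texts = [("<sample>", SAMPLE_LOCKFILE)]
    total = 0
    for name, text in texts:
        for lineno, finding in scan_workflow(text):
            print(f"{name}:{lineno}: {finding}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running it with no arguments scans the embedded sample and exits non-zero because of the five findings; pointing it at `.github/workflows/*.lock.yml` in a CI step turns the review comments above into an enforced check rather than a one-off remark.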