fix: rename and scope token analyzer to Copilot workflows #1588

Merged
lpcox merged 2 commits into main from fix/token-analyzer-domains-and-scope
Apr 2, 2026

Collaborator

@lpcox lpcox commented Apr 1, 2026

Problem

The token-usage-analyzer workflow timed out at 15 minutes (run 23875151303) due to two issues:

  1. Artifact downloads blocked: gh run download calls curl against productionresultssa3.blob.core.windows.net, which wasn't in allowed domains
  2. Too broad scope — The agent tried to analyze all workflow engines (Copilot, Claude, Codex)

Changes

  • Rename token-usage-analyzer → copilot-token-usage-analyzer to reflect Copilot-only scope
  • Add *.blob.core.windows.net to network.allowed so gh run download works via bash
  • Scope to Copilot-engine workflows only (smoke-copilot, build-test, ci-doctor, plan, etc.)
  • Update title-prefix to 📊 Copilot Token Usage Report
  • Add time budget + prefer-bash guidance to keep within 15-minute limit
  • Recompile lock file

- Add *.blob.core.windows.net to network allowed domains so
  gh run download can fetch artifact zips directly via bash
- Scope analysis to Copilot-engine workflows only to stay
  within the 15-minute time budget
- Add time budget guidance and prefer-bash-over-MCP hint

Fixes timeout in run 23875151303 caused by blocked artifact
downloads forcing slow MCP get_job_logs fallback.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox requested a review from Mossaka as a code owner April 1, 2026 23:39
Copilot AI review requested due to automatic review settings April 1, 2026 23:39
Contributor

github-actions bot commented Apr 1, 2026

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 85.73% 85.83% 📈 +0.10%
Statements 85.62% 85.71% 📈 +0.09%
Functions 86.66% 86.66% ➡️ +0.00%
Branches 78.43% 78.48% 📈 +0.05%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/docker-manager.ts 85.5% → 86.0% (+0.41%) 85.1% → 85.5% (+0.39%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Contributor

Copilot AI left a comment

Pull request overview

Updates the token-usage analyzer agentic workflow to avoid 15-minute timeouts by unblocking fast artifact downloads and narrowing analysis scope to Copilot-engine workflows.

Changes:

  • Add Azure Blob Storage wildcard to the workflow’s network.allowed list to unblock gh run download artifact retrieval.
  • Narrow run discovery/analysis instructions to Copilot-engine workflows and add explicit time-budget + “prefer bash” guidance.
  • Recompile the generated workflow lockfile to reflect updated frontmatter and derived allowed domains.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/token-usage-analyzer.md Adds blob domain to allowed network egress and tightens the analyzer’s instructions/scope to reduce runtime.
.github/workflows/token-usage-analyzer.lock.yml Regenerated compiled workflow reflecting the updated network allowlist and prompt content.

network:
allowed:
- github
- "*.blob.core.windows.net"
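
Review bot: The `"*.blob.core.windows.net"` entry under `network.allowed` has no comment recording why it is there, and as a wildcard it covers every Azure Blob Storage account rather than only the artifact host named in the PR description (productionresultssa3.blob.core.windows.net). Add a YAML comment beside the entry stating that it exists for `gh run download`, and if the allowlist format cannot express a narrower pattern, list the observed artifact host(s) explicitly so a later edit does not read the wildcard as intended policy.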

Copilot AI Apr 1, 2026

Allowing *.blob.core.windows.net meaningfully broadens outbound access to essentially any Azure Blob Storage account. If the goal is only GitHub Actions artifact downloads, consider narrowing this to the specific artifact storage host(s) observed (e.g., productionresultssa*.blob.core.windows.net) or another more targeted pattern, to preserve least-privilege egress while still unblocking gh run download.

Suggested change
- "*.blob.core.windows.net"
- "productionresultssa*.blob.core.windows.net"

Copilot uses AI. Check for mistakes.
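
What the two patterns in the review comment above each admit, as an added example that is not part of the PR or the project's code. The glob semantics (`*` stays inside one DNS label) and the sample hostnames other than the one in the PR description are assumptions made for illustration; named bundles such as `github` are not modelled.

```javascript
// Added example, not the project's matcher. Assumed glob semantics:
// "*" matches characters inside ONE DNS label (never a dot), case-insensitive.
function patternToRegex(pattern) {
  const body = pattern
    .toLowerCase()
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&")) // escape literals
    .join("[a-z0-9-]*");
  return new RegExp(`^${body}$`); // anchored: the whole hostname must match
}

function isAllowed(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return allowed.some((p) => patternToRegex(p).test(h));
}

// Constructed hostnames: the artifact host from the PR description plus
// placeholders for a sibling artifact host, an unrelated storage account,
// and a look-alike name that only contains the allowed suffix.
const SAMPLE_HOSTS = [
  "productionresultssa3.blob.core.windows.net",
  "productionresultssa12.blob.core.windows.net",
  "unrelatedaccount.blob.core.windows.net",
  "productionresultssa3.blob.core.windows.net.example.org",
];

// Evaluate every host against the broad and the narrowed pattern.
function compare(broad, narrow, hosts = SAMPLE_HOSTS) {
  return hosts.map((host) => ({
    host,
    broad: isAllowed(host, [broad]),
    narrow: isAllowed(host, [narrow]),
  }));
}

// Hosts that become reachable only because of the broader pattern.
function admittedOnlyByBroad(rows) {
  return rows.filter((r) => r.broad && !r.narrow).map((r) => r.host);
}

const rows = compare(
  "*.blob.core.windows.net",
  "productionresultssa*.blob.core.windows.net"
);
console.table(rows);
console.log("extra hosts under the wildcard:", admittedOnlyByBroad(rows));
```
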
Contributor

github-actions bot commented Apr 1, 2026

Smoke Test Results

GitHub MCP: #1586 fix: recompile token-usage-analyzer lock file, #1585 Feat/token usage analyzer workflow
Playwright: github.com title contains "GitHub"
File Write: /tmp/gh-aw/agent/smoke-test-claude-23876202503.txt created
Bash: File content verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1588

Contributor

github-actions bot commented Apr 1, 2026

Smoke Test Results

Test Result
GitHub MCP (last 2 merged PRs: #1586 "fix: recompile token-usage-analyzer lock file", #1557 "feat: add daily token usage analyzer workflow")
Playwright (github.com title contains "GitHub")
File write (smoke-test-copilot-23876202475.txt)
Bash verify (cat file)

Overall: PASS

@lpcox (no assignees)

📰 BREAKING: Report filed by Smoke Copilot for issue #1588

Contributor

github-actions bot commented Apr 1, 2026

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1588

Collaborator

Mossaka commented Apr 1, 2026

The workflow is named token-usage-analyzer, so I think the original one working on multiple engines makes more sense. If # of runs is the main concern we can set max 20 runs in the last 24 hours.

Collaborator Author

lpcox commented Apr 1, 2026

@copilot rename the workflow to reflect that it only looks at copilot token usage

Copilot stopped work on behalf of lpcox due to an error April 2, 2026 00:08
Reflects that the workflow is scoped to Copilot-engine workflows
only. Updates description, title-prefix, heading, and recompiles.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox force-pushed the fix/token-analyzer-domains-and-scope branch from 863759a to a80c631 Compare April 2, 2026 00:13
@lpcox lpcox changed the title fix: add blob storage domain and scope analyzer to copilot workflows fix: rename and scope token analyzer to Copilot workflows Apr 2, 2026
Contributor

github-actions bot commented Apr 2, 2026

Smoke Test Results

✅ GitHub MCP — Last 2 merged PRs: fix: recompile token-usage-analyzer lock file (#1586), feat: add esbuild single-file bundle as lightweight distribution (#1581)
✅ Playwright — github.com title contains "GitHub"
✅ File write — /tmp/gh-aw/agent/smoke-test-claude-23877180935.txt created and verified
✅ Bash — file contents confirmed

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1588

Contributor

github-actions bot commented Apr 2, 2026

Smoke Test Results (run #23877180941)

✅ GitHub MCP — Last merged PR: #1586 "fix: recompile token-usage-analyzer lock file" (@lpcox)
✅ Playwright — github.com title contains "GitHub"
✅ File write — /tmp/gh-aw/agent/smoke-test-copilot-23877180941.txt created
✅ Bash verify — file contents confirmed

Overall: PASS

PR author: @lpcox | No assignees

📰 BREAKING: Report filed by Smoke Copilot for issue #1588

Contributor

github-actions bot commented Apr 2, 2026

Smoke Test: GitHub Actions Services Connectivity ✅

Check Result
Redis PING (host.docker.internal:6379) PONG
PostgreSQL pg_isready (host.docker.internal:5432) accepting connections
PostgreSQL SELECT 1 (db: smoketest, user: postgres) 1 row returned

All checks passed.

Note: redis-cli was not available; Redis was tested via raw TCP (nc).

🔌 Service connectivity validated by Smoke Services

Contributor

github-actions bot commented Apr 2, 2026

Smoke test results:

  1. GitHub MCP (last 2 merged PRs): ✅ feat: add esbuild single-file bundle as lightweight distribution; fix: recompile token-usage-analyzer lock file
  2. safeinputs-gh PR query: ❌ tool unavailable in this runtime
  3. Playwright (github.com title contains "GitHub"): ❌ MCP playwright EACCES on log file write
  4. Tavily search: ❌ Tavily MCP tool unavailable
  5. File write /tmp/gh-aw/agent/smoke-test-codex-23877180915.txt: ✅
  6. Bash cat file verification: ✅
  7. Discussion query + mystical comment: ❌ query tool unavailable (used URL scrape fallback; mystical comment posted to discussion [CI/CD Assessment] CI/CD Pipelines and Integration Tests Gap Assessment #1439)
  8. npm ci && npm run build: ✅
    Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

@lpcox lpcox merged commit c010d4a into main Apr 2, 2026
60 of 62 checks passed
@lpcox lpcox deleted the fix/token-analyzer-domains-and-scope branch April 2, 2026 00:58