chore: sync actions from gh-aw@v0.78.3#140

Merged. pelikhan merged 1 commit into main from sync/gh-aw-v0.78.3 on Jun 6, 2026.

@github-actions github-actions Bot commented Jun 6, 2026

Contributor

Automated sync of actions from gh-aw at v0.78.3.

@pelikhan pelikhan marked this pull request as ready for review June 6, 2026 20:52
Copilot AI review requested due to automatic review settings June 6, 2026 20:52
@pelikhan pelikhan merged commit 8cfea5a into main Jun 6, 2026
9 checks passed
@pelikhan pelikhan deleted the sync/gh-aw-v0.78.3 branch June 6, 2026 20:53

Copilot AI left a comment

Contributor

Pull request overview

Syncs the setup/ runtime assets from github/gh-aw@v0.78.3, primarily expanding safe-outputs transport hardening and adding Copilot SDK session/permission plumbing and new operational templates around AI Credits, tool denials, and failure rollups.

Changes:

  • Adds argument normalization for safe-outputs MCP tools and re-derives patch/bundle transport paths from validated branch values.
  • Introduces Copilot SDK session runner + permission enforcement helpers (including tool-denials guardrail capture) and new failure-context templates.
  • Updates cost/usage reporting to emphasize AI Credits (AIC) and adds “daily cap rollup” issue/comment templates.

Summary per file:

| File | Description |
| --- | --- |
| setup/sh/start_safe_outputs_server.sh | Adds new JS deps required by the safe-outputs server bootstrap. |
| setup/setup.sh | Syncs additional safe-outputs JS files into the install set. |
| setup/md/tool_denials_exceeded_context.md | New template for Copilot SDK tool-denials guardrail context. |
| setup/md/noop_comment.md | Removes effective-token suffix from noop comment footer. |
| setup/md/effective_tokens_rate_limit_error.md | Updates rate-limit guidance to AI Credits / max-ai-credits. |
| setup/md/detection_runs_comment.md | Removes effective-token suffix from detection runs footer. |
| setup/md/daily_cap_rollup_issue.md | New rollup issue body for daily per-category cap suppression. |
| setup/md/daily_cap_rollup_comment.md | New rollup comment template for suppressed failures. |
| setup/md/ai_credits_rate_limit_error.md | New AI Credits budget exceeded details block. |
| setup/md/agent_failure_issue.md | Adds AI Credits + tool-denials context placeholders in failure issue. |
| setup/md/agent_failure_comment.md | Adds AI Credits + tool-denials context placeholders in failure comment. |
| setup/js/safe_outputs_tools.json | Updates tool description to discourage nested args shape. |
| setup/js/safe_outputs_mcp_server.cjs | Wires tool-argument normalization into MCP server core. |
| setup/js/safe_outputs_mcp_server_http.cjs | Wires tool-argument normalization into HTTP MCP server. |
| setup/js/safe_outputs_mcp_arguments.cjs | New helper to unwrap mistakenly nested tool arguments. |
| setup/js/safe_outputs_handlers.cjs | Uses checkout manifest for base-branch resolution; stops emitting patch/bundle paths in entries. |
| setup/js/safe_output_type_validator.cjs | Removes stripping of infra-only fields from normalized items. |
| setup/js/route_slash_command.cjs | Improves dispatch ref resolution across payload types; makes it async. |
| setup/js/resolve_transport_paths.cjs | New helper to re-derive patch/bundle file paths from branch/repo. |
| setup/js/push_to_pull_request_branch.cjs | Uses derived transport paths; passes validation config to signed push helper. |
| setup/js/push_signed_commits.cjs | Adds synthesized payload validation (size/file policy) and rebase safety checks. |
| setup/js/permission_denied_helpers.cjs | Improves extraction of denied commands from logs. |
| setup/js/parse_token_usage.cjs | Writes token/AIC summary to step summary and exports ambient context. |
| setup/js/parse_mcp_gateway_log.cjs | Adjusts token usage summary to AI Credits-first reporting; exports ambient context. |
| setup/js/model_costs.cjs | Normalizes provider prefixes (github/copilot) and embedded provider IDs. |
| setup/js/messages_footer.cjs | Adds ambient-context metric and refines AIC suffix formatting. |
| setup/js/mcp_server_core.cjs | Adds optional per-server tool argument normalizer before validation. |
| setup/js/mcp_http_transport.cjs | Plumbs normalizeArguments option through HTTP transport wrapper. |
| setup/js/handle_noop_message.cjs | Stops computing effective-token suffix for noop comment rendering. |
| setup/js/handle_detection_runs.cjs | Stops computing effective-token suffix for detection runs rendering. |
| setup/js/handle_agent_failure.cjs | Adds AI Credits + tool-denials detection/context; adds daily-cap rollup handling; raises daily cap. |
| setup/js/git_patch_utils.cjs | Renames patch path helpers for clarity (getPatchPathForBranch*). |
| setup/js/git_helpers.cjs | Hardens execGitSync (non-interactive + timeout), adds ensureOriginRemoteTrackingRef, adds iterative deepen for bundles. |
| setup/js/generate_git_patch.cjs | Uses ensureOriginRemoteTrackingRef and renamed patch path helpers. |
| setup/js/generate_git_bundle.cjs | Uses ensureOriginRemoteTrackingRef and renamed bundle path helpers. |
| setup/js/fuzz_bash_command_parser_harness.cjs | Adds fuzz harness for bash pipeline parsing invariants. |
| setup/js/effective_tokens.cjs | Simplifies model alias formatting; renames details summary label. |
| setup/js/effective_tokens_context.cjs | Adds AI Credits budget detection and state resolution. |
| setup/js/create_pull_request.cjs | Uses derived transport paths; passes base branch into bundle deepening; passes validation config into signed push helper. |
| setup/js/copilot_sdk_session.cjs | New reusable Copilot SDK session runner with JSONL event serialization and tool-denials guardrail. |
| setup/js/copilot_sdk_permissions.cjs | New permission parsing/enforcement helpers for Copilot SDK driver. |
| setup/js/copilot_sdk_driver.cjs | Refactors entry point to delegate to session runner + permission parsing. |
| setup/js/collect_ndjson_output.cjs | Updates comment re: normalized item usage (no longer stripping infra fields). |
| setup/js/checkout_pr_branch.cjs | Adds trusted-runtime assertion (actor permission check) before checkout. |
| setup/js/checkout_manifest.cjs | Adds loader for checkout manifest used by safe-outputs handlers. |
| setup/js/bash_command_parser.cjs | New bash pipeline parser used by Copilot SDK permission enforcement fallback. |
| setup/js/bash_command_parser_spec_vectors.json | Adds conformance vectors for bash command parser. |

Copilot's findings

  • Files reviewed: 47/47 changed files
  • Comments generated: 3

Comment on lines +166 to +179
function isReadPathAllowedByShellRules(requestedPath, allowedPathPatterns) {
if (typeof requestedPath !== "string" || requestedPath.trim().length === 0) {
return false;
}

const normalizedRequestedPath = normalizePermissionPath(requestedPath);

return allowedPathPatterns.some(pattern => {
const normalizedPattern = normalizePermissionPath(pattern);
if (normalizedRequestedPath === normalizedPattern) {
return true;
}
return path.posix.matchesGlob(normalizedRequestedPath, normalizedPattern);
});
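
Review bot: In the `allowedPathPatterns.some(...)` callback, the requested path reaches `path.posix.matchesGlob` after only `normalizePermissionPath`, and nothing in this hunk shows that helper collapsing `.` and `..` segments, which matters because this function decides whether a read is permitted. Confirm the helper resolves those segments, or reject any normalized path that still contains a `..` segment before the glob comparison, and cover it with a test that checks a requested path like `allowed/../other` against an `allowed/**` pattern. Separately, `allowedPathPatterns` is used without an `Array.isArray` check, so a missing or non-array rule set throws instead of returning `false` the way the `requestedPath` guard at the top does.
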
Comment on lines 547 to 548
const normalizedItem = { ...item };
// SECURITY: Strip infrastructure fields that must only be set by the MCP handler,
// never by the agent. If an agent injects these via NDJSON output, it could bypass
// file-protection policy (patch_path/bundle_path point to attacker-controlled files)
// or circumvent size limits (diff_size).
delete normalizedItem.patch_path;
delete normalizedItem.bundle_path;
delete normalizedItem.base_commit;
delete normalizedItem.diff_size;
const errors = [];
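
Review bot: With the four `delete normalizedItem.*` statements after `const normalizedItem = { ...item };` removed (the file summary describes this file's change as removing the stripping of infra-only fields), agent-supplied `patch_path`, `bundle_path`, `base_commit` and `diff_size` now survive normalization, so the protection the SECURITY comment describes has to be enforced by every downstream consumer instead. The PR summary describes re-deriving the patch/bundle paths from validated branch values but says nothing about `base_commit` or `diff_size`; either keep the `delete` for those two or point to where they are recomputed. A regression test that passes an item carrying all four fields through the validator and asserts that none of the supplied values is used would document the new trust boundary.
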
const lines = [];
lines.push("<details>");
lines.push("<summary>ET computation details</summary>");
lines.push("<summary>AIC computation details</summary>");