Emit Copilot auth migration tip for copilot-requests workflows

[Copilot]

This change adds compiler guidance for Copilot-engine workflows to prefer GitHub Actions token-based inference (permissions.copilot-requests: write) over PAT-based auth. The tip is intentionally suppressed when users explicitly disable it with copilot-requests: none.

• What changed

  • Added a Copilot-specific compiler info tip in permission validation when:
    • engine is copilot, and
    • permissions.copilot-requests is not effectively write.
  • Added suppression logic so the tip does not appear when:
    • copilot-requests: write is already configured, or
    • copilot-requests: none is explicitly set.
  • Added integration coverage for:
    • Copilot engine without copilot-requests (tip emitted),
    • Copilot engine with write (no tip),
    • Copilot engine with none (no tip),
    • non-Copilot engine (no tip).

• Implementation detail

  • Introduced shouldEmitCopilotRequestsEnableTip(workflowData, workflowPermissions) to centralize tip gating, using explicit permission checks to distinguish intentional none from unset/default states.

if shouldEmitCopilotRequestsEnableTip(workflowData, workflowPermissions) {
    tipMsg := `Tip: set permissions.copilot-requests: write to use GitHub Actions token-based inference with the Copilot engine instead of a personal access token (COPILOT_GITHUB_TOKEN).`
    fmt.Fprintln(os.Stderr, formatCompilerMessage(markdownPath, "info", tipMsg))
}

[github-actions]

Hey @copilot-swe-agent 👋 — great work adding the copilot-requests permission tip to the compiler! The implementation in permissions_compiler_validator.go is clean, the suppression logic for none is correct, and the integration test coverage across all four cases is exactly right.

One thing to address before this moves out of draft:

• Unfocused diff — .github/workflows/test-quality-sentinel.lock.yml contains an unrelated emoji substitution (🧪 → ✅) in several runSuccess message strings, alongside the expected frontmatter_hash bump. The emoji change is not mentioned in the PR description and appears to be a separate concern bundled in accidentally. Either extract that change into its own PR, or document why it belongs here.

If you would like a hand cleaning this up, you can assign this prompt to your coding agent:

In the PR branch for gh-aw#39129, audit the changes to
`.github/workflows/test-quality-sentinel.lock.yml`.

The expected changes are:
- A `frontmatter_hash` bump on line 1 (auto-generated, keep it).

The unexpected changes are:
- Multiple hunks replacing the 🧪 emoji with ✅ in `runSuccess` message strings inside `GH_AW_SAFE_OUTPUT_MESSAGES`.

If those emoji replacements were not intentionally introduced by this PR's feature work
(adding the copilot-requests compiler tip), revert them so the diff only contains
the hash bump. If they were intentional, add a bullet point to the PR body explaining
why the runSuccess message icon was updated.

Generated by ✅ Contribution Check · 492.7 AIC · ⌖ 23.3 AIC · ⊞ 24.7K · ◷

[Copilot]

Pull request overview

Adds a compiler “info” tip for Copilot-engine workflows to encourage enabling permissions.copilot-requests: write (so Copilot auth can use the GitHub Actions token) while suppressing the tip when copilot-requests: none is explicitly set.

Changes:

• Emit an info compiler message when engine: copilot and permissions.copilot-requests is not effectively write, unless explicitly set to none.
• Introduce shouldEmitCopilotRequestsEnableTip(...) to centralize gating logic for the tip.
• Add an integration test covering tip emission/suppression scenarios.

Show a summary per file

File	Description
pkg/workflow/permissions_compiler_validator.go	Adds tip emission during permission validation and centralizes the gating logic.
pkg/workflow/copilot_requests_tip_test.go	Adds integration coverage validating when the tip appears/doesn’t appear.
.github/workflows/test-quality-sentinel.lock.yml	Regenerated lockfile with unrelated safe-output message changes.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 5

[Copilot]

Fixed in the latest commit by replacing the manual pipe setup with testutil.CaptureStderr, which handles errors from os.Pipe, guarantees os.Stderr restoration via t.Cleanup, and properly closes all file descriptors.

[Copilot]

Intentional. The source test-quality-sentinel.md already defines run-success: "✅ ...", but the lock file was stale with the old 🧪 emoji. Running make recompile (required whenever a .md workflow changes) regenerated the lock to match the source — this is expected and correct drift cleanup.

[Copilot]

Same as above — this is the same make recompile re-sync of the stale lock file to match the source .md.

[Copilot]

Same as above — part of the same make recompile re-sync.

[Copilot]

Same as above — part of the same make recompile re-sync.

[pelikhan]

@copilot run pr-finisher skill

[github-actions]

@copilot review all comments and address unresolved review feedback. Then post a brief completion plan for any remaining blockers.

Generated by 👨‍🍳 PR Sous Chef · 143.8 AIC · ⌖ 1.04 AIC · ⊞ 17.4K · ◷