feat: add secret-digger red team workflows

[Mossaka]

Summary

• Migrate secret-digger workflows (Copilot, Codex, Claude engines) from gh-aw-security
• These are hourly red team agents that search for secrets in the AWF agent container to validate sandbox security
• Adds shared components (secret-audit.md, version-reporting.md) and compiled lock files
• Registers the new lock files in the post-processing script

Workflows

Workflow	Engine	Schedule
secret-digger-copilot	GitHub Copilot	Every hour at :00
secret-digger-codex	OpenAI Codex	Every hour at :10
secret-digger-claude	Claude (Anthropic)	Every hour at :05

Test plan

• Verify workflows compile cleanly (done locally)
• Verify post-processing applied correctly (done locally)
• Trigger workflow_dispatch for each workflow after merge to validate they run

🤖 Generated with Claude Code

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.74%	82.90%	📈 +0.16%
Statements	82.78%	82.94%	📈 +0.16%
Functions	82.65%	82.65%	➡️ +0.00%
Branches	74.92%	75.02%	📈 +0.10%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.3% → 84.0% (+0.68%)	82.8% → 83.4% (+0.65%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

All Node.js test projects built and tested successfully.

AI generated by Build Test Node.js

[github-actions]

✅ Smoke Test: PASS

Test Results:

• ✅ GitHub MCP: Retrieved last 2 merged PRs
  • fix(docker): hide credentials at direct home mount in chroot mode #700: fix(docker): hide credentials at direct home mount in chroot mode
  • refactor: remove --enable-chroot flag, make chroot mode always-on #714: refactor: remove --enable-chroot flag, make chroot mode always-on
• ✅ Playwright: Page title verified ("GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
• ✅ File Writing: Test file created successfully
• ✅ Bash Tool: File contents verified

Status: All tests passed

AI generated by Smoke Claude

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• PR fix(docker): hide credentials at direct home mount in chroot mode #700: fix(docker): hide credentials at direct home mount in chroot mode
• PR fix: replace unanchored regex with string assertions in tests #767: fix: replace unanchored regex with string assertions in tests

Test Results:

• ✅ GitHub MCP: Retrieved recent merged PRs
• ✅ Playwright: Verified page title "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
• ✅ File Writing: Created test file successfully
• ✅ Bash Tool: Verified file contents

Status: PASS 🎉

cc @Mossaka

AI generated by Smoke Copilot

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS ✅

All Rust projects built successfully and all tests passed.

AI generated by Build Test Rust

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS ✅

All .NET projects successfully restored, built, and ran with expected output.

AI generated by Build Test .NET

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects built and tested successfully.

AI generated by Build Test Go

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Bun Build Test Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS ✅

All Bun build tests completed successfully.

AI generated by Build Test Bun

[github-actions]

☕ Java Build Test Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS ✅

All Java projects compiled and tested successfully through the AWF firewall with Maven proxy configuration.

AI generated by Build Test Java

[github-actions]

Smoke test results:
PR titles: fix(docker): hide credentials at direct home mount in chroot mode; fix: replace unanchored regex with string assertions in tests
GitHub MCP review last 2 merged PRs: ✅
Safeinputs GH CLI pr list: ✅
Playwright title check: ✅
Tavily search: ❌ (tool unavailable)
File write: ✅
Bash cat verify: ✅
Discussion comment: ✅
Build (npm ci && npm run build): ✅
Overall status: FAIL

AI generated by Smoke Codex

[Copilot]

Pull request overview

Adds three hourly “secret-digger” red-team agent workflows (Copilot/Codex/Claude) to continuously probe the AWF agent container for secret exposure, plus shared prompt components and CI post-processing updates so the compiled .lock.yml workflows are handled consistently in this repo.

Changes:

• Added secret-digger-* workflow manifests (.md) and their compiled .lock.yml counterparts for Copilot, Codex, and Claude.
• Introduced shared workflow prompt components: shared/secret-audit.md and shared/version-reporting.md.
• Updated the CI post-processing script to include the new compiled workflow lock files.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
scripts/ci/postprocess-smoke-workflows.ts	Registers the new secret-digger compiled lock workflows for the existing post-processing pipeline.
.github/workflows/shared/version-reporting.md	Adds a shared snippet instructing agents to include the compiled workflow cli_version in reports.
.github/workflows/shared/secret-audit.md	Adds the shared “secret audit” agent prompt, tool/network config, and safe-outputs constraints for issue filing.
.github/workflows/secret-digger-copilot.md	Defines the Copilot-engine secret digger workflow (schedule + imports).
.github/workflows/secret-digger-copilot.lock.yml	Compiled workflow executing the Copilot-based secret digger agent, including sandboxing and safe-outputs plumbing.
.github/workflows/secret-digger-codex.md	Defines the Codex-engine secret digger workflow (schedule + imports).
.github/workflows/secret-digger-codex.lock.yml	Compiled workflow executing the Codex-based secret digger agent, including sandboxing and safe-outputs plumbing.
.github/workflows/secret-digger-claude.md	Defines the Claude-engine secret digger workflow (schedule + imports).
.github/workflows/secret-digger-claude.lock.yml	Compiled workflow executing the Claude-based secret digger agent, including sandboxing and safe-outputs plumbing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.