[plan] Fix GH_AW_WORKFLOW_ID propagation to safe_outputs job #7024

@github-actions

Objective

Fix the missing GH_AW_WORKFLOW_ID environment variable in the safe_outputs job context, which is causing all create_pull_request operations to fail.

Context

The create_pull_request safe output job requires GH_AW_WORKFLOW_ID to generate unique branch names in the format ${workflowId}-${randomHex}. Currently, this variable is set in the agent job but not propagated to the safe_outputs job, resulting in 100% failure rate (2/2 attempts failed).

Error: Error: GH_AW_WORKFLOW_ID environment variable is required

Approach

  1. Locate the workflow compilation code that generates the safe_outputs job definition
  2. Identify where environment variables are passed to the safe_outputs job
  3. Add GH_AW_WORKFLOW_ID to the environment variables propagated to this job
  4. Ensure the variable is available in the agent job context (verify it exists)
  5. Test with the security-fix-pr workflow or create a minimal test workflow

Files to Modify

  • Workflow compiler code (likely in pkg/workflow/ directory)
  • Look for code that generates GitHub Actions YAML for safe_outputs job
  • May need to update environment variable mapping/propagation logic

Acceptance Criteria

  • GH_AW_WORKFLOW_ID is available in safe_outputs job environment
  • create_pull_request operations succeed in test workflows
  • No regressions in other safe output job types
  • Manual test of security-fix-pr workflow succeeds

Testing

# After fix, test with:
./gh-aw compile .github/workflows/security-fix-pr.md
# Verify GH_AW_WORKFLOW_ID is in safe_outputs job env section

Priority

High - Blocking all PR creation via safe outputs
Related to #7023

AI generated by Plan Command for discussion #7018
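
The manual check in the Testing section ("Verify GH_AW_WORKFLOW_ID is in safe_outputs job env section") can be scripted so it also guards against regressions. The following is an added example, not code from the gh-aw project: the `job_has_env` and `sample_workflow` names, the sample YAML, and the assumption that compiled output is plain block-style YAML with space indentation are all constructed for illustration.

```shell
# job_has_env VAR JOB FILE: exit 0 if VAR is a key of an env: mapping
# (job-level or step-level) inside jobs.JOB of a workflow YAML file.
job_has_env() {
  awk -v var="$1" -v job="$2" '
    /^[[:space:]]*(#|$)/ { next }                   # skip blanks and comments
    {
      match($0, /^ *(- )?/); ind = (RLENGTH > 0) ? RLENGTH : 0  # "- " is indentation
      split(substr($0, ind + 1), f, " "); key = f[1]
    }
    ind == 0 { in_jobs = (key == "jobs:"); in_job = 0; job_ind = 0; next }
    in_jobs && !job_ind { job_ind = ind }           # first nested key sets job indent
    in_jobs && ind == job_ind { in_job = (key == job ":"); env_ind = -1; next }
    !in_job { next }
    env_ind >= 0 && ind <= env_ind { env_ind = -1 } # dedent closes the env block
    env_ind >= 0 && key == var ":" { found = 1 }
    key == "env:" && f[2] == "" { env_ind = ind }
    END { exit (found ? 0 : 1) }
  ' "$3"
}

# Constructed sample of compiled output (not taken from the repository).
# $1 is an extra line placed in the env block of the safe_outputs step.
sample_workflow() {
  cat <<EOF
name: security-fix-pr
jobs:
  agent:
    env:
      GH_AW_WORKFLOW_ID: "security-fix-pr"
    steps:
      - run: echo agent
  safe_outputs:
    steps:
      - name: Create pull request
        env:
          EXAMPLE_VAR: "constructed"
$1
        run: echo create_pull_request
EOF
}

tmp=$(mktemp)
sample_workflow '' > "$tmp"    # variable only in the agent job, as reported
job_has_env GH_AW_WORKFLOW_ID safe_outputs "$tmp" || echo "safe_outputs: missing"
sample_workflow '          GH_AW_WORKFLOW_ID: "security-fix-pr"' > "$tmp"
job_has_env GH_AW_WORKFLOW_ID safe_outputs "$tmp" && echo "safe_outputs: present"
rm -f "$tmp"
```

To use it against real output, pass the path of the file that `./gh-aw compile` writes as the third argument; a non-zero exit means the variable never reaches the job.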
