Add safe-inputs gh CLI testing to smoke workflows

[Copilot]

Adds safe-inputs validation to all smoke test workflows by testing GitHub CLI tool integration via the safeinputs-gh tool.

Changes

• All smoke workflows (smoke-copilot.md, smoke-claude.md, smoke-codex.md, smoke-opencode.md): Added test requirement to query 2 PRs using safeinputs-gh tool with gh pr list --repo ${{ github.repository }} --limit 2 --json number,title,author
• shared/gh.md: Removed network.allowed section containing api.github.com to eliminate network firewall requirements
• All smoke workflows import shared/gh.md and maintain strict: true mode
• All workflows now validate safe-inputs feature by exercising authenticated GitHub CLI access via GITHUB_TOKEN

Implementation Note

The shared/gh.md file provides the safeinputs-gh tool configuration without network restrictions, allowing it to work with all engine types including custom engines in strict mode.

Original prompt

Update smoke agentic workflows:

• import the gh.md shared agentic workflow
• test the "gh" tool works by querying 2 PRs

This is a test for safe inputs.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

---

Changeset

• Type: patch
• Description: Add safe-inputs gh CLI testing to smoke workflows; updates shared/gh.md to remove the network.allowed restriction and validate GitHub CLI access using GITHUB_TOKEN.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

---

Changeset

• Type: patch
• Description: Add safe-inputs gh CLI testing to smoke workflows; updates shared/gh.md to remove the network.allowed restriction and validate GitHub CLI access using GITHUB_TOKEN.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

[pelikhan]

@copilot remove api.github.com in network.allowed in gh.md

Keep smoke workflows strict

[pelikhan]

@copilot remove api.github.com in network.allowed in gh.md

Keep smoke workflows strict

[Copilot]

@copilot remove api.github.com in network.allowed in gh.md

Keep smoke workflows strict

Done in commit 8b5b6b7. Removed network.allowed section from shared/gh.md and restored strict: true with shared/gh.md import for all smoke workflows including smoke-opencode.

[github-actions]

🌑 The shadows whisper... Smoke Codex was cancelled. The oracle requires further meditation...

[github-actions]

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

💫 TO BE CONTINUED... Smoke Claude was cancelled! Our hero faces unexpected challenges...

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports was cancelled. Our correspondents are investigating the incident...

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

GitHub MCP (merged PRs): ✅ Add --push flag to upgrade and init commands with reusable git helpers; Fix authentication failure in reaction step
safeinputs-gh PR list: ❌
Serena activate_project: ✅
Playwright github.com title: ✅
Tavily search: ✅
File write: ✅
Bash cat: ✅
Overall status: FAIL

AI generated by Smoke Codex

[github-actions]

Smoke Test: Copilot - 21252861988

PRs Reviewed:

• Add --push flag to upgrade and init commands with reusable git helpers #11298: Add --push flag to upgrade and init commands with reusable git helpers
• Fix authentication failure in reaction step #11305: Fix authentication failure in reaction step

Results:
✅ GitHub MCP | ❌ Safe Inputs GH CLI (no GH_TOKEN) | ✅ Serena MCP | ✅ Playwright | ✅ File Writing | ✅ Bash

Overall Status: PASS (5/6 tests passed)

cc: @pelikhan

AI generated by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke Test Results

PRs reviewed:

• Add --push flag to upgrade and init commands with reusable git helpers #11298 - Add --push flag to upgrade and init commands
• Fix authentication failure in reaction step #11305 - Fix authentication failure in reaction step

Tests:

• ✅ GitHub MCP
• ❌ Safe Inputs GH CLI (not in PATH)
• ✅ Serena MCP
• ✅ Playwright
• ✅ Tavily
• ✅ File Writing
• ✅ Bash Tool

Status: PARTIAL PASS (gh CLI tool missing)

AI generated by Smoke Claude

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

GitHub MCP (last 2 merged PR titles): ✅ Allow id-token: write permission in strict mode; Update action pin SHAs for anchore/sbom-action and actions/ai-inference
safeinputs-gh PR list: ✅
Serena activate_project: ✅
Playwright title contains GitHub: ✅
Tavily search results returned: ✅
File write + cat verification: ✅
Overall: PASS

AI generated by Smoke Codex

[github-actions]

Smoke Test Results

PRs Tested: #11307, #11314

Results:

• ✅ GitHub MCP
• ✅ Safe Inputs GH CLI
• ✅ Serena MCP
• ✅ Playwright
• ✅ Tavily Search
• ✅ File Writing
• ✅ Bash Tool

Status: PASS

AI generated by Smoke Claude

[github-actions]

Smoke Test Results

PRs Tested:

• Allow id-token: write permission in strict mode #11307: Allow id-token: write permission in strict mode
• Update action pin SHAs for anchore/sbom-action and actions/ai-inference #11314: Update action pin SHAs for anchore/sbom-action and actions/ai-inference

Test Results:

• ✅ GitHub MCP Testing
• ✅ Safe Inputs GH CLI Testing
• ✅ Serena MCP Testing
• ✅ Playwright Testing
• ✅ File Writing Testing
• ✅ Bash Tool Testing

Overall Status: PASS

cc @pelikhan @Copilot

AI generated by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤