
chore: add simple dependabot burner workflow #14833

Merged
mnkiefer merged 3 commits into main from simple-dependabot-burner
Feb 10, 2026
mnkiefer (Contributor) commented Feb 10, 2026

  • Removes more complex Dependabot Project Manager workflow.
  • Significantly simplifies and restricts permissions and capabilities of the Dependabot Burner workflow.

mnkiefer self-assigned this Feb 10, 2026
Copilot AI review requested due to automatic review settings February 10, 2026 20:19
Copilot AI (Contributor) left a comment

Pull request overview

This PR significantly simplifies the dependabot-burner workflow by removing project management capabilities and most configuration, while also completely removing the dependabot-project-manager workflow. It updates action pins to add v0.42.17 and v0.43.1 entries for github/gh-aw/actions/setup, and updates agent configuration references from "main" to "v0.42.17".

Changes:

  • Removes dependabot-project-manager workflow entirely (.md and .lock.yml files)
  • Drastically simplifies dependabot-burner workflow, removing projects integration, status updates, and most safe-output tools
  • Adds new action pin entries for github/gh-aw/actions/setup versions v0.42.17 and v0.43.1
  • Updates agent configuration to reference v0.42.17 instead of main branch
  • Introduces pre_activation job with team membership check
  • Changes from explicit tool allowlist to --allow-all-tools flag
  • Reduces network domains and GitHub MCP toolsets

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| .github/workflows/dependabot-project-manager.md | Complete removal of complex project manager workflow |
| .github/workflows/dependabot-project-manager.lock.yml | Complete removal of compiled workflow |
| .github/workflows/dependabot-burner.md | Simplified to minimal configuration with only create-issue safe-output |
| .github/workflows/dependabot-burner.lock.yml | Compiled workflow with reduced capabilities, removed project tools, added membership gating |
| pkg/workflow/data/action_pins.json | Added v0.42.17 and v0.43.1 pins for github/gh-aw/actions/setup |
| .github/aw/actions-lock.json | Added v0.42.17 and v0.43.1 entries mirroring action_pins.json |
| .github/agents/agentic-workflows.agent.md | Updated documentation references from main to v0.42.17 |

Comments suppressed due to low confidence (2)

.github/workflows/dependabot-burner.lock.yml:164

  • The network configuration has been changed from allowing "defaults" and "github" to only "defaults". In the agentic workflows system, network configurations control what external services the workflow can access. The "github" preset likely includes GitHub-related domains and services. Removing it while keeping only "defaults" may restrict access to necessary GitHub resources. Verify whether this aligns with the simplified workflow's requirements.
              allowed_domains: ["defaults"],

.github/workflows/dependabot-burner.md:8

  • The GitHub toolsets configuration is missing. The original workflow specified "toolsets: [default, dependabot, projects]" but the new version only has "github:" without any toolsets specified. This is inconsistent with the workflow's purpose and will likely result in the agent not having access to the necessary GitHub API functionality. The toolsets should be explicitly configured to match the workflow's needs.
tools:
  github:

mnkiefer (Contributor, Author)

@copilot revert actions-lock.json and action_pins.json and recompile workflow.

Copilot AI (Contributor) commented Feb 10, 2026

@mnkiefer I've opened a new pull request, #14835, to work on those changes. Once the pull request is ready, I'll request review from you.

mnkiefer merged commit 8917028 into main Feb 10, 2026
85 checks passed
mnkiefer deleted the simple-dependabot-burner branch February 10, 2026 21:16