Investigate agentic workflow cache-memory with custom IDs

[pmalarme]

Context

The security-review.md agentic workflow uses cache-memory to allow the agent to remember prior review context across PR synchronize events (new pushes to the same PR). We attempted to use named cache-memory IDs to scope memory per PR, but at runtime the memory feature did not work with custom IDs.

The workflow was reverted to cache-memory: true (default behavior) to restore functionality.

What was tried

tools:
  cache-memory:
    id: "security-review-pr-${{ github.event.pull_request.number }}"

This did not work — the agent did not retain memory across runs.

What works

tools:
  cache-memory: true

Tasks

• Investigate the cache-memory tool configuration options in the gh-aw documentation
• Determine how custom memory IDs work (supported syntax, variable interpolation, scoping)
• Determine whether ${{ github.event.pull_request.number }} expressions are supported in tool config values
• Test with a named ID to confirm it works end-to-end
• If custom IDs work, update security-review.md to use a PR-scoped memory ID so reviews can track resolved findings across pushes
• Consider whether other agentic workflows (copilot-review.md, pr-review-comment-handler.md) would also benefit from scoped memory

Related

• PR feat: add agentic workflows and security posture #51 — agentic workflow and security posture
• Issue [Feature] Apply principle of least privilege to secrets in workflow_call #49 — principle of least privilege for secrets in agentic workflows