fix(agentic): remove unsupported github-token field from reply-to-pull-request-review-comment safe output

[Copilot]

Summary

The reply-to-pull-request-review-comment safe output was silently failing because github-token is not a supported field for this output type. When gh-aw compiles a safe output with an unrecognized field, it omits that output from the MCP server's config.json — so the agent's tool call is rejected at the MCP layer and never queued for post-processing, even though the handler config already included it.

Changes:

• create-issue-command.md: Remove github-token: ${{ secrets.GH_AW_AGENT_TOKEN }} from reply-to-pull-request-review-comment. The workflow's pull-requests: write permission via GITHUB_TOKEN is sufficient; no token override is needed.
• create-issue-command.lock.yml — config.json: Add reply_to_pull_request_review_comment with max: 1 so the MCP server accepts agent calls to this tool.
• create-issue-command.lock.yml — validation.json: Add validation entry for reply_to_pull_request_review_comment (body + comment_id required, pull_request_number optional).

Before (.md frontmatter):

safe-outputs:
  reply-to-pull-request-review-comment:
    max: 1
    github-token: ${{ secrets.GH_AW_AGENT_TOKEN }}  # unsupported → drops output from config.json

After:

safe-outputs:
  reply-to-pull-request-review-comment:
    max: 1

Testing

• Not run (why?)
• uv run poe check
• Other: Workflow-only change; validated by inspecting the compiled config.json, validation.json, and handler config in the lock file against a known-good run where reply_to_pull_request_review_comment succeeded.

Checklist

• Linked issue or task reference
• Added/updated tests where relevant
• Updated docs/README if needed
• No secrets or sensitive data added
• Considered backward compatibility and deployment impact

Additional context

• The GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG (post-processing job) already contained reply_to_pull_request_review_comment correctly — the bug was exclusively in the MCP server config.json used during the agent execution phase.
• Lock file edited manually since gh aw compile is unavailable in this environment; both .md and .lock.yml are committed together to keep timestamps in sync for the check_workflow_timestamp_api step.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>create-issue-command: reply-to-pull-request-review-comment not working</issue_title>
<issue_description>## Problem

The reply-to-pull-request-review-comment safe output in the create-issue-command agentic workflow is not working. After creating an issue from a /create-issue command, the reply confirming the issue creation fails to post.

Current Configuration

safe-outputs:
  reply-to-pull-request-review-comment:
    max: 1
    github-token: ${{ secrets.GH_AW_AGENT_TOKEN }}

Investigation

• Check action run logs for the specific error message
• Verify GH_AW_AGENT_TOKEN has sufficient permissions for replying to review comments
• Confirm the safe output parameters (comment ID, body) are correct
• Check if the issue is related to the github-token field or the safe output itself
• Compare with resolve-pull-request-review-thread (also not working — tracked in create-issue-command: resolve-pull-request-review-thread not working #66)

Related

• create-issue-command: resolve-pull-request-review-thread not working #66 — resolve-pull-request-review-thread not working (same workflow, same token)
• PR feat: add agentic workflows and security posture #51 — feat: add agentic workflows and security posture</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes create-issue-command: reply-to-pull-request-review-comment not working #71

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.